Why cyber-security is never ‘done’ - Dr John Chapman

16 November 2022

Dr John Chapman

Over the last couple of years, a long line of industry experts have been quoted in the media explaining why the UK education sector is a target for cyber-attackers, and ready with guidance on how schools, colleges and universities should protect themselves.

While the advice is usually sound, it’s wrong to imply education is any more a target than other sectors. I also take issue with some of the more alarmist language: for example, just this month, one US cyber-security solutions provider chief information security officer unhelpfully described academic institutions as “sitting ducks”.

It’s irresponsible to pick out particular organisations or sectors as easy targets. The statement is also sweeping and inaccurate because it does not represent reality in the UK. I know this because, as the UK tertiary education sector’s expert digital body, Jisc has access to excellent information sources on the topic of cyber-security at colleges and universities.

Together with various security professionals, particularly at the UK’s National Cyber Security Centre, we gather and share knowledge and experience of cyber threats and attacks with our members; our experts talk daily to IT and security staff at colleges, universities and research centres; and we also conduct an annual cyber-security posture survey among those member organisations.

The real picture is far from rosy, though. It is a certainty that across sectors not all organisations are as well protected as they should be, and the same applies to tertiary education providers. Indeed, our 2022 survey suggests that creating a strong cyber-security posture remains challenging.

For example, when the survey asked “how well do you feel your organisation is protected?”, higher education (HE) respondents were cautious. Only 16 per cent scored themselves eight or more out of 10, suggesting strong awareness of the threat landscape. Further education replies were more positive, with 39 per cent scoring eight or above.

Comments around this question suggest that organisations rating themselves five to seven have controls in place, but feel they could do more to keep abreast of threats. For those scoring eight to 10, robust systems and processes were important themes, along with audits, certification and external support.

What is heartening is that survey results over the past six years indicate the general picture is improving. The 2022 survey report, which received responses from 123 organisations, indicates that cyber-security remains a high priority among senior leaders at UK colleges, universities and research centres.

Almost all respondents – 97 per cent of HE and 94 per cent of FE providers – have cyber-security on their risk register, a rise of two and five percentage points respectively compared to 2021. High numbers also regularly report on cyber risks and resilience to their executive board (79 per cent of FE organisations).

This is important because senior leaders should take responsibility for cyber-security governance and risk management. In our experience, organisations where senior teams don’t rate cyber-security as a strategic priority are less likely to have the kind of on-going investment, processes and technical measures in place to defend well.

Over the last couple of years, ransomware has become – and remains – a well-documented danger to all kinds of organisations across the globe, educators included. In 2020, there were 15 serious ransomware attacks on HE and FE providers in the UK, with 18 in 2021 and at least 11 so far this year.

So, ransomware is rightly named in the 2022 survey as the top threat for HE organisations, with phishing/social engineering second. The order of these two is reversed for FE, with unpatched vulnerabilities taking third place for both HE and FE. This is a similar picture to 2021.

Accidental data breaches rank fourth on the list of threats this year, so I’m pleased to see an upward trend in security awareness training, although ideally, mandatory training for students would be more widespread.

Compulsory security awareness training is more common for staff than students, with 84 per cent of HE and 77 per cent of FE organisations implementing this. As in previous years, FE organisations (21 per cent) are more likely to run compulsory student training than HE (5 per cent).

More and more providers are recognising that in-house expertise is a critical piece of the cyber-security jigsaw. A total of 90 per cent of HE respondents report they had specialist staff in place this year.

The figure remains lower in FE, at 33 per cent, probably reflecting the fact that colleges find it more difficult to compete with the large salaries offered in the private sector. On the plus side, this represents a ten-fold increase since we first ran the survey in 2017.

Taking the survey stats and other information available to us, my conclusion is that, while there is a growing understanding of cyber risks within our sector, threats are still a huge problem. And it’s not going away anytime soon; just like the laundry, cyber-security is never “done”.

The views expressed in Think Further publications do not necessarily reflect those of AoC or NCFE.