Is your university prepared for a cyber-attack?

Every organisation is vulnerable, so planning accordingly and reacting promptly will mitigate the impact in the event you are targeted

The higher education (HE) sector could be at risk of future cyber-attacks, but if you put the correct measures in place now, then you can help mitigate the risks of attacks from criminals.

The HE sector is particularly vulnerable to cyber-attacks because they hold significant amounts of sensitive data from student data to valuable intellectual property that could cause significant financial and reputational damage to the university. The threats are constantly evolving, and it’s important to consider how your university will meet cybersecurity challenges in the future.

I was part of wider discussion recently with leaders in the HE sector, advising on this important topic, which is increasingly critical for all those who process large volumes of personal data.

Here are my top tips for staying safe:

  1. Be aware of the increased risks of cyber-attacks. Factors such as increased hyper-connectivity, disruptive technologies, automation, digitalisation and big data can add to the risk level. Doing anything new with data or implementing new systems can introduce weaknesses, and careful consideration should be given to how using data in a new way could lead to exposure.
  2. Have a company policy in place for when a cyber-attack occurs. Think about what you’ll do in the first hour, the first day and over the next few days. Determine who is responsible for what and who your key internal stakeholders will be.
  3. Make sure your IT department is aware this is a criminal activity. A cyber-attack is different from a normal data breach incident and can attract criminal sanctions. There will always be a bit of ‘cat and mouse’ with IT updating systems, giving criminals the opportunity to exploit new loopholes, so make sure you work as quickly as possible to close down any further threats. Unsuccessful hackers may well try again so identifying weaknesses in your systems and shutting them down is vital.
  4. Consider your insurance policy. If you have cyber insurance then your provider should be your first port of call upon identification of a breach. Insurers will want to be informed as early as possible so review the wording on notification in your policy carefully. However, there is a huge variation in the scope of insurance cover and you will need to consider carefully what level of cover you will need.
  5. Consider your data protection requirements, in particular your notification requirements to the Information Commissioner’s Office and/or data subjects. Also ensure that your communications team is aware of the potential for reputational damage as result of the cyber-attack. Managing communications is vital to potentially mitigate the risk of claims being brought on the back of any breach.
  6. You should ensure you have in place suitable security and technical measures. By way of an example, the Information Commissioner’s Office previously fined British Airways and Ticketmaster for their failure to put in place appropriate and technical measures, particularly in relation to security (i.e. a failure to comply with Articles 5(1)(f) and 32 under the UK GDPR.)  The UK GDPR requires all data controllers to consider the state of the art in the measures you have in place and to consider privacy by design. Your systems should be interrogated on a regular basis to try to identify any weaknesses. It’s also important to make sure that where you have been subject to data breaches and cyber-attacks in the past, that you can evidence you have learned lessons and taken appropriate steps.

Following these vital steps will help keep you protected should a cyber-attack take place. Every organisation is vulnerable and at risk, so planning accordingly and reacting promptly will mitigate the impact in the event you are targeted.


You might also like: The role of education in driving the future of work


 

Leave a Reply

UPCOMING WEBINAR

Why education must take IT security more seriously

Tuesday, November 30, 11AM (GMT)