UK universities will find it sobering that over 4,000 Chinese universities and research institutions were also affected by the same piece of ransomware that crippled NHS IT systems last month. Universities are ripe targets for cybercriminals, and potentially even foreign governments, due to the wide range of information they hold, from personal and financial data to commercially sensitive and potentially highly sensitive research data. Therefore, to safeguard this and avoid a potential PR bombshell, they will be keen to learn the lessons in case the next big attack has UK higher education in its sight.
Aside from ensuring the basics are up to scratch, universities face particular challenges, particularly the growing trend for staff and students to bring their own devices onto campus (BYOD) or to access systems and services remotely.
The cat and mouse nature of cyber security means that even the most diligent of universities can fall victim to a major cyber attack, even if events of the scale that hit the NHS recently are relatively rare. Research carried out last year by the cloud and virtualisation provider VMware found that 87% of UK universities surveyed (among 75 ICT decision makers at over 50 UK universities) had suffered some form of cyber attack.
Shockingly, one in three said they faced attack on average once or more every hour. What is even more worrying is that 25% said critical intellectual property had been infiltrated, while 43% reported student data being attacked. It is, therefore, no surprise that 85% of those surveyed argued more funding is needed for IT security. As cyber attacks increase in frequency and sophistication, universities will need to focus more resources on ensuring they are ready.
Getting the basics right
The most effective cyber security strategy is built on getting the basics right. Universities not only have to consider their staff, but also the many thousands of students who log into and use IT systems and services daily. It is crucial all are up to speed with the basics of cyber security since even the ablest defences can be circumvented by basic human error. Firstly, they should put in place a cyber security policy that is reviewed and updated regularly.
Secondly, they must ensure everyone connecting to the network is aware of this policy and up to scratch with the basics of cyber security, for instance, not clicking on links in suspicious emails from unknown parties.
The most effective cyber security strategy is built on getting the basics right
Thirdly, universities should regularly drill in preparation for an attack. Regular penetration testing will help discover weaknesses which can then be plugged while testing your data recovery procedures will make dealing with any attack far easier to manage.
Fourthly, universities should audit what data they possess, where it is held and how long for. This will help in terms of planning backups and in making sure that they do not hold any sensitive or personal data unnecessarily, reducing the potential risk of a security breach. Finally, and most important of all, universities must ensure they keep their security systems up-to-date by implementing the latest security patches as soon as possible after they are available.
Arguably the greatest cyber security challenge universities face is the growing tendency for students and staff to access IT systems and services through their own devices. Whether or not this is on campus or via remote access, universities need to mitigate the risks posed by devices outside of their control accessing their networks. The initial temptation might be to put the brakes on such measures in order to re-centralise control over hardware. However, this would be a major misstep: students have come to expect to be able to use their own devices to access university systems and service at their convenience.
Academic staff too will be unhappy about losing access to systems on the go, especially considering that most spend significant time away from campus for research. Instead of turning back the clock, universities need to be proactive and put in place procedures that allow them to maintain as much oversight as possible. From the outset they need to consider the potential risks that BYOD brings: what data devices hold and how it is transferred; the potential for data leakage; the implications of those not associated with the university accessing devices; devices’ security capacities; how to deal with the loss of devices; and the procedure in case someone leaves their studies or employment.
All this considered, universities need to make sure devices connecting to their network meet the requirements laid out in their cyber security policy, for instance, ensuring they run up-to-date operating systems and security software. This should be supplemented with a BYOD acceptable use policy outlining what data can and cannot be accessed or stored on personal devices. Furthermore, larger institutions may want to consider enterprise-level remote access solutions which allow greater administrative control over what users can access on the network, all whilst offering a more seamless user experience.
High stakes for negligence
If the high-profile attack on NHS IT services fails to prompt universities to improve their cyber security, the potential financial penalties certainly will. Brexit will not be enough to prevent UK universities from falling under the remit of the EU’s General Data Protection Regulation (GDPR), coming into force from May 2018. This brings with it the sobering prospect of substantial fines for the most serious negligence, way in excess of the current maximum fine of £500,000.
GDPR will mean that, for the most severe data protection violations or negligence, universities could be liable for a maximum fine of €40m or 4% of global annual turnover, whatever is higher. Even less serious violations could see fines of up to €20m or 2% of global annual turnover. Although it is very unlikely a tidal wave of major fines will emerge from May onwards, as many institutions are still putting in place measures to become compliant, it is clear the financial equivalent of a ‘slap on the wrist’ will no longer cut the mustard.