Universities ignore cyber-threat at their peril

Professor Kamal Bechkoum, head of business and technology at the University of Gloucestershire

Universities are bombarded on a daily basis with information about cybercrime and security, almost to the point where it feels there is little else that needs to be done, other than trust in the IT department’s skills and get on with life.

But does this mean students and academic staff are safe, that their research and partner companies’ data is secure, that payments can be made in a secure way and the university’s computers, libraries and facilities will continue to function without hiccup?

In a word, ‘no.’ Universities will never be 100% secure because no one is completely when it comes to cybersecurity.

Speaking to a higher education audience recently, Jisc deputy chief information security officer, Henry Hughes, pointed out that “half of you are not doing any student training in cybersecurity.”

Supporting this statement he added that a Jisc survey of 22,000 students’ satisfaction at the end of their courses found 82% felt digital skills were essential to their future careers, but less than half of the group felt they were well prepared for the digital workplace.

This matters because we can all be victims (or at least targets) and cybersecurity cannot, and should not, be delegated. While you are busy thinking ‘it’s not going to be me, I’m not important,’ that’s when you leave yourself vulnerable.

IT security isn’t a new challenge for universities, but with GDPR coming in it is expected that universities will become more liable for data breaches, with fines of up to 2% of overall revenue or 10 million Euros, whichever is higher.

In 2016 the UK Government set out plans to commit £1.8bn to the National Cyber Security Strategy, working with organisations from the private sector, public agencies and academia to create a national Cyber Security Centre, a Cyber Innovation Centre, and an Institute of Coding.

I was privileged to meet the then Chancellor of the Exchequer, George Osborne, and be part of discussions which have now led to the opportunity of creating a National Cyber Park in Cheltenham with the National Cyber Innovation Centre at the heart of it.

The University of Gloucestershire is leading discussions with a select group of universities and businesses to discuss the shape and form of this national park. The University is also now one of 17 universities helping its graduates develop skills in writing safe and secure software, as part of the newly set up Institute of Coding.

The way we all work, play and socialise has changed because of this new phenomenon known as the ‘internet of things.’ This shorthand describes the online interconnection of computing devices embedded in everyday objects, ranging from phones and fridges through to home thermostats and power stations. Within two years it is estimated that around 26 billion devices will be connected to the internet.

On average we create 2.5 quintillion bytes of data (that’s one billion billion bytes) every day. Add to this the fact that 46% of UK businesses have identified a cybersecurity threat and it is clear this increasing connectivity is challenging our cybersecurity in new and unexpected ways.

Top tips to keeping secure from cybercrime

1. Keep the kettle updated

In the past a secured computer with good antivirus software meant everything should be ok. Today, it’s easy to forget to change the default password on a networked CCTV camera, smart kettle, fridge or even TV. However, if these devices haven’t been updated then an entire organisation could be open to cyber-attack.

2. Clean the printer

Have you ever thought about what happens to your old printer? At one time you may have scanned or copied a passport or any range of confidential documents on it. When it reaches the end of its life all of that data is still stored in its memory.

3. Password with a phrase

How many of us still use a single word for a password, and then use this on multiple applications? It takes about two minutes to break this using a brute-force approach. Now, if you use a phrase it can take more than a century of processing power to find the code. Small changes like this can easily move an organisation’s vulnerability from orange to green.

4. Double check contacts

Hackers are getting very smart. Before you respond to the text from a hotel you’ve booked, double check and call them to ask if they recognise the agent who’s been in touch. Criminals use spear fishing as a favourite technique, meaning they might send an email that looks very genuine, but once you click on that link in the email it downloads malware that can then control your systems.

5. Make cyber-hygiene a habit

Many staff and students need to get into good ‘cyber-hygiene’ habits. Campus visitors bring laptops and mobile phones with them, while academics frequently connect with organisations from around the world. We need to limit the number of people with administrator privileges and be wary of disgruntled insiders.

Organisations such as GCHQ are very good at keeping things closed, while universities are by nature open. The trick is to remain an ‘open and accessible space for learning’ while at the same time keeping safe.

This is important because, while hackers may not be primarily interested in student or staff data, they definitely want access to partners’ sensitive information and the high processing computing power possessed by universities, which criminals can use to mine crypto currency.

The ultimate answer to keeping our universities and businesses safe is to take the best precautions possible when it comes to infrastructure and people, and then be prepared to act if things go wrong.

It’s worth keeping in mind that 95% of internal breaches are caused by human error. Training and education must be continuous as cybersecurity is a process, not an event. It has to be part of a university’s ongoing risk assessment.

The individual is our first line of defence and we all should think of ourselves as human firewalls within our organisations. It is vital to make sure systems are updated regularly and understand that security is a continuous process. Share good practice – your neighbour could be the weak link so help them – and have a plan for when it all goes wrong.

* A version of this article first appeared in Times Higher Education