25 June 2024 - Strengthening defence against cyberattacks

 

Simon Furber is the Education Sector Lead at ITGL, a leading digital specialist with a wide range of clients in the Higher Education sector. This article forms the second entry in a three-part series authored by Simon, providing valuable insight to the sector from his experience on both sides of the client/specialist divide. Simon has also recently hosted a webinar that overlaps with these articles; if you would like to view the recording, please click here or get in touch with Simon directly at simonf@itgl.com.

It’s likely that if you compiled a list of the top issues facing higher education five years ago, or five years from now, the number one spot would be some variation on the same theme: cybersecurity. In many ways, it’s the ur-issue for IT professionals, being so wide-ranging and interconnected that it tends to dominate conversations and fill whatever space you provide it. Of course, as anyone reading this will know, its ubiquity is well earned. Cybersecurity unavoidably informs and is informed by every decision and action taken not only within your digital infrastructure, but the cloud services you employ, the applications you run, and the staff tasked with maintaining it.

Matters aren’t helped by universities becoming an increasingly common target of cyberattacks, tasked with weathering ever more complex, automated, AI-powered attacks from both financially motivated individuals/groups and – as recently briefed to the Russell Group by MI5 – state-sponsored actors. Universities hold a tremendous amount of data relative to their typical security posture, often including cutting-edge research alongside the sensitive personal data of staff and students. As the continuing skills gap makes it difficult for institutions to organically grow their teams’ experience and expertise, institutions are frequently left with limited resources to safeguard this valuable data from attack by foreign states.

So, how does a modern university look to strengthen their defences, provide information assurance, and tackle these challenges – alongside all of the individual financial and structural pressures they’re inevitably facing? This will have been drummed into everyone’s heads over the years, but its continued relevance speaks to its fundamental nature: by working to the principles of the CIA triad (confidentiality, integrity, and availability), organisations will naturally build towards an approach that is secure by design. Done correctly, this will form what the late, great Mick Jenkins – my CISO during my time at Brunel University, and previous UCISA contributor – would call ‘Information Safe Havens’.

To achieve this, however, it’s essential that this approach is applied with a critical eye across the entirety of an organisation’s systems – not just to new and future solutions. It’ll come as no surprise to those who read my previous blog, but in practical terms, implementing the correct network architecture at a foundational level remains the single most effective action an institution can take to improve defences against cyberattack. Hearing that might start financial alarm bells ringing, but remember that cybersecurity’s broad nature cuts both ways; improvements made here will also mean tangible benefits are felt throughout the organisation.

The alternatives – such as attempting to patch over vulnerabilities in existing architecture – may initially sound like less intrusive, less disruptive options, but in reality the issue is simply being kicked a little further down the road. Digital transformation is not, after all, solely the domain of the ‘good guys’ – threat actors are themselves just as energetically engaged in these processes as we are, and with significantly fewer restrictions placed on their methods. Cyberattacks have never before enjoyed such an established, commercialised existence as they do today. Cybercrime-as-a-service and ransomware-as-a-service have provided simple turnkey solutions to those without the technical knowhow to mount an attack themselves – adding market competition to the list of incentives to continually develop new tactics, techniques and procedures to defeat our defences.

As this threat landscape evolves, and as standards and accreditations like ISO 27001 and Cyber Essentials evolve to reflect it, the remediations required to provide effective defence become more and more complex – and more costly – to reconcile with underlying hardware and networks that were not designed for such purposes.

By making the decision to invest in advanced security measures, institutions will be taking the long view on what is ultimately a marathon, not a sprint – building resilience and positioning themselves as leaders in the cybersecurity space for their sector. A resilient network naturally helps to minimise potential financial losses, both from loss of operations due to disruption and, with the average cost of a data breach topping £3.4m in 2023, from cyberattack.

These benefits in turn spread out to all who interact with the university. By implementing resilient network infrastructure, universities can look to ensure uninterrupted access to digital resources, thereby enhancing the overall reliability of campus technology, and the user experience of students and staff. Academic and administrative staff will be empowered by this availability to fulfil their roles effectively, removing frustrations and bottlenecks in their day-to-day duties. Building upon modern, scalable architecture opens up innovative teaching methodologies, enabling the integration of advanced technologies for flexible, uninterrupted, immersive learning experiences that can catch the imagination of prospective students in a crowded field, and help existing students in their studies.

It's natural that every university wants to promote data privacy and security across their organisation, and a real culture of trust and transparency is only possible when an institution can provide peace of mind and confidence in the safety of personal and academic data. This can seem out of reach for institutions that are already feeling the squeeze of financial pressures and workforce shortages, but there are meaningful first steps that any institution can take towards achieving security and resilience.

This can be as simple as working with an outside partner to consult on achieving Cyber Essentials, or providing skills on demand to integrate into your internal teams and safely deliver on projects that would otherwise be beyond your capacity. It can also be as involved as collaborating on a roadmap for your institution’s digital journey, providing clarity on where you stand, mapping out well-defined steps towards your goals, and working alongside you to achieve them. The worst possible situation is one where you’re not. Wherever your institution stands on its transformation journey, there is support and guidance available to help you effectively protect your staff, students, and infrastructure now and into the future.