During Cyber Security Month 2020, CONNECT met Henry Hughes, Security Director for Jisc, to talk about opportunities and challenges faced by Research & Education (R&E) in the current cyber security landscape dominated by the COVID pandemic.
Words: Interview by Rosanna Norman, GÉANT
The cyber security landscape is evolving all the time. What are today’s major challenges and opportunities for R&E?
Because of the events that have been affecting our world in 2020 we have all become more digitally dependent (and will be so for the foreseeable future).
A major challenge faced by R&E is the extremely lucrative nature of cyber-crime, which contrasts with budget pressures across the sector. This is exacerbated by the rapidly changing threat landscape and the perception that cyber security is purely an IT issue, rather than one of many significant business risks.
One of the challenges lies around encouraging greater ownership of digital resilience amongst senior leaders and recognition that cyber security is a business risk just like health and safety. Cyber security needs to be viewed as an enabler and not a barrier to the business and has an important role to play in protecting the business. The cost of cleaning up after a successful cyber attack far outweighs prudent defensive measures.
This is being reflected in the development of British and international standards, such as BS 31111 – a UK standard which focuses on cyber risk and resilience within organisations. In addition, in the last couple of years, the National Cyber Security Centre (NCSC) in the UK has delivered a toolkit to make the boards of organisations more cognisant of cyber risks. The toolkit looks at the challenges represented by limited budgets and limited skills and the requirement to measure the return on investment, which is not a straightforward task in security.
One opportunity is the adoption by R&E organisations of standardised managed services as these can drive costs down whilst offering greater levels of automation, integration and visibility.
How has cyber-crime been affected by the pandemic?
There has never been a more challenging time for security professionals than during the Covid-19 pandemic. Overnight, staff and students have had to adapt to working remotely, creating a range of additional security challenges that we continue to face.
Cyber criminals have been capitalising on increased homeworking and the extensive use of remote access services (for example VPNs and RDP) by targeting new and existing vulnerabilities in such services. Recent ransomware campaigns have focused on exploiting weaknesses and vulnerabilities in RDP services. Publicity surrounding the payment of ransoms by high profile organisations has fuelled an increase in ransomware campaigns.
In 2020, for reasons beyond our control, online meetings and conferences became the norm. Whilst we all recognise that face-to-face interaction is irreplaceable, could you talk to us about some of the benefits of hosting the Jisc Security Conference online?
Our fifth annual Security Conference will take place online on 3-5 November 2020 with the theme: Building a cyber aware culture together. This year the conference’s programme has been extended to three days with the addition of more interactive and practical sessions covering open source security. Our objective is to attract at least one representative from every Jisc member organisation, 600 approximately.
The new online format will make the conference more accessible to professionals who have cyber security as part of their remit but for whom it might not be a full-time responsibility. We have already registered a higher number of delegates where cyber security may only be part of their responsibility.
The online format will also enable us to reach a wider international audience because cyber security has no borders and is not country specific; most cyber security challenges are shared globally. This will also enable R&E representatives to share their experience, find common ground with their international counterparts and create collaboration opportunities.
Cyber security is everybody’s problem. What more can R&E security professionals do to empower and educate users to prevent security breaches for their organisations?
Members of staff are an organisation’s first line of defence. Cyber security training should be mandated for all staff and students; it doesn’t need to be regarded as a dark art. It’s everyone’s responsibility.
The broader challenge for cyber security professionals is to ensure that organisations recognise the business risk and individuals understand that they are an integral part of the cyber security landscape.
Cyber security awareness best practice should be part of the curriculum: students should be made aware of how the various areas of social engineering operate, the process behind it and how to get help and support. Users need to be given the tools to deal with cyber threats and understand how and why they become targets. Cyber security is about education and understanding and also about removing the stigma of being cyber-crime victims; it’s about sharing when things go wrong and mistakes are made to prevent them from happening to others.
What has Jisc been doing to support the 2020 Cyber Security Month campaign?
We are pleased to support raising awareness of cyber security challenges through this exciting programme and have been given the opportunity to contribute with some great content on social engineering and password security. Our thanks go to Laura Pooley, Information Security Officer, for her articles ‘Don’t let hackers manipulate you!’ and ‘Managing Passwords’ and Jon Hunt, Cyber Services Delivery Manager, for his article ‘Why having a strong password isn’t enough to secure your account’.
We look forward to collaborating closely with the GÉANT community in the field of cyber security in the coming months.
Jisc runs a number of webinars and courses with a security theme. Some of these are free to attend and for others Jisc is offering a 10% discount to Security Conference participants.