by Dr John Chapman, Head of Janet policy and strategy
A new UK government report highlights that senior leadership teams don’t always take cyber security seriously until their organisation suffers a serious attack.
Building on the UK 2021 cyber security breaches survey, researchers carried out in-depth interviews with staff at 10 organisations that had suffered a variety of serious attacks, including phishing and ransomware.
In the resulting report, Exploring organisational experiences of cyber security breaches, interviewees shared examples of how their security posture strengthened following an attack, once senior managers realised the importance of investing.
One IT director who was able to secure quick sign-off for a new supplier and a raft of preventive measures, said: “I feel a lot happier now.”
A head of digital reported that their organisation had subsequently made a “significant investment” to maintain better services, and a further contributor said the attack had “helped accelerate the delivery” of a cyber security programme.
Unfortunately, the frustrations described above are familiar to some IT and security directors in the education sector, who have shared similar anecdotes with us.
Having supported many colleges and universities to recover and rebuild from ransomware attacks over the past couple of years, we know that financial costs can easily top £2m.
Indeed, all 10 organisations quoted in the new government report said they lost money as a result of their attack. Seven also noted customer dissatisfaction and four said the experience had been stressful for employees, all of which chimes with our own 2022 cyber impact report (pdf).
Some ransomware attacks on education providers have wiped out data, disabled business-critical systems and forced campuses to temporarily close, which of course disrupts teaching, learning and other daily operations. That kind of upset is never going to land well with staff or students and can attract media attention, which carries a further reputational risk.
Ransomware is not the only threat that education providers need to protect against: we agree with the report’s sentiment that “cyber crime is a significant and growing business risk, with cyber attacks increasing in both volume and technical sophistication”.
And the report is also right to acknowledge “the need for ever greater levels of vigilance and investment in cyber security”.
As I’ve described above, leaders must take responsibility. The impact of a cyber attack will likely be more severe at any university or college where vice-chancellors, principals and their boards do not take strategic responsibility for cyber security.
- For the latest cyber security thinking and to network and share experience with peers, register for the 2022 Jisc security conference, which takes place on 7-8 November at the ICC Wales, and on 9 November online
- Jisc has put together a list of 16 questions that leadership teams should be asking to check their cyber security posture
About the author
Dr. John Chapman is responsible for leading Jisc’s policy position for the Janet network, including defensive solutions and member posture maturity. He works with members and customers, national and international partners and stakeholders to ensure the UK’s National Education & Research Network evolves within the UK regulatory environment and internationally. He has worked closely with schools, colleges, universities, suppliers, local and central government departments in a number of cyber security and policy roles. He has an MBA in Cyber Security and is CISSP, CISM and CGEIT certified.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022