Words by Rosanna Norman, Communications Officer at GÉANT
Defend as one: sharing intelligence capabilities, tools and services
The Jisc Security Conference took place in person in Newport, UK on 7-8 November, with an online-only day on 9 November, after a three-year break caused by the pandemic. I was there to continue my quest to learn more about the challenges posed by cybercrime to the R&E sector and absorb new knowledge and insight to apply in the security communications content I produce.
Heidi Fraser-Krauss, Jisc CEO, opened the conference: “Since the start of 2022, 11 universities and colleges have been seriously affected by ransomware in the UK. The impact and cost, although estimated around £2 million per institution, are difficult to calculate, but the stress and pressure caused by cybersecurity breaches don’t really fit into a number!”
In the packed plenary, the audience of 400+ IT and security professionals from UK Higher and Further Education agreed with the premise that mindset and behaviour changes are badly needed in the fight against cybercrime and these can only happen if driven by senior management. Henry Hughes, Security CTO from Jisc, focused his state of the nation address on four areas: governance, assurance, technology and culture.
“People are not the weakest link, they are our largest asset and must be supported appropriately. We need to prevent and put an end to blame culture by encouraging a security mindset from the top.” And his closing remarks resonated with us all: “Community intelligence is very powerful in our sector. We need to leverage collaboration and defend as one by sharing intelligence, tools and services.”
Collaborations, e-sports and awareness
The opening keynote continued with a presentation on the collaboration between Airbus and Cardiff University on Artificial Intelligence (AI) detection and blocking of cyber-attacks, and the introduction of a £15 million programme to boost cyber start-ups in South East Wales. The key drivers of innovation for industry, and the consideration that it can take up to 5-6 years for technologies to trickle down from academia, gave life to the collaboration between the educational institution and the industry partner, which identified a considerable commercial opportunity in the machine learning aspect of cyber defence.
The keynote sponsored by KHIPU Networks highlighted how the lack of out-of-hours coverage, the prominence of a new hybrid workforce and the technical debt caused by the pandemic (general expenditure gravitating towards cloud infrastructure to the detriment of the physical infrastructure) have created new challenges for the HE and FE sector in the last 12 months. The talk closed with a view of the Security Operation Centre (SOC) of the future as a 24×7 service based on building blocks of people, technology and processes.
A roundtable on e-sports hacking was quite an eye-opener for me, bearing in mind I have a 16-year-old son who is obsessed with online gaming and who, on a few occasions, inexplicably racked up charges for the odd ‘skin’ or a sudden enrolment in yet another surprise tournament, inevitably causing a degree of parental wrath. The e-sport and gaming industry is growing rapidly, and its value is estimated to reach over 100 billion worldwide. Some of the most popular games host huge tournaments with tens of millions in prize money, making it a very lucrative industry for criminals. The lack of cybersecurity awareness presents a challenge, and institutions need to address this concern in order to successfully run local and global competitions while maintaining firewalls and the security of the wider institutional networks while the games are live. The panel’s final thoughts and advice can be summarised in the following recommendations: protect user data, work with existing cyber goods to educate staff members, engage students early, engage stakeholders before purchasing e-sports set-ups and segregate e-sports systems whenever possible.
The session that spoke my language focussed on the lessons learned from the cybersecurity awareness activities run at the University of Derby and how they were received by students and personnel alike. The engaging presentation on this very popular topic gave plenty of opportunities for interaction.
Oliver Betts-Richards from Derby University: “It is not strictly a user issue if breaches are being constantly detected, it’s because we are probably all far too busy and prone to errors. We need to work closely with educators and comms teams for the delivery of targeted campaigns and evaluate the impact that these have on our organisations. We need to ensure buy-in from senior management, produce impactful and accessible content, create consistent messaging and always get feedback.”
Prevention, impact and the future
Day 2 of the conference started with a panel discussion with cybersecurity specialists from HE and FE who looked into the implications of cyber-attacks on institutions. They talked about preventive measures such as the deployment of Multi Factor Authentication (MFA), recognised the institutional responsibility for data, recommended investing in people (training, awareness and education), stressed that cyber incidents should always be at the top of any organisational risk register and clarified that mandatory training is never optional.
I was very taken by the openness, clarity and honesty of the talks about the ransomware attacks experienced by two major colleges in the UK and how professionally and competently both institutions dealt with a series of very stressful circumstances and events.
But the session that brought a breath of fresh air to the conference was the student panel: Educating the next generation of security talent is the key to the sector’s success. I enjoyed listening to the young panellists from Coleg Gwent in Wales, sharing with clarity and conviction their hopes, dreams and aspirations for their career in cyber. The session chair, Mark Tysom, Cybersecurity Product Manager from Jisc, introduced the panel:
“We need to create a pipeline of talented individuals, educate and upskill the next generation of cybersecurity experts to protect us all, and recognise the importance of the role that students play in everybody’s future”.
All panellists shared a great passion for technology and problem-solving and found the visit to the Supercomputing Centre in Barcelona very valuable. They agreed that opportunities to occasionally deviate from the structured curriculum, with more learning by doing, practical exercises and competitions, can help to make cybersecurity learning more appealing to new students.
The online day also featured great content from international speakers, including the talk by Alf Moens, Security lead for GÉANT, on the successful deployment of MFA at GÉANT and the steps that our organisation took to implement it: ‘Start small, take your time, prepare and be ready to provide individual support’.
Knowledge sharing and the gender gap
In my view, in the spirit of knowledge sharing, this already excellent conference could be further enriched with the experience and expertise of speakers from the international R&E community, and its online platform, if more widely promoted, could offer a much broader reach for its exceptional content. Wider female participation is needed too, but this is symptomatic of the state of affairs in STEM disciplines at a global level, and although the absence of female cybersecurity professionals and students is no longer the elephant in the room, it will take some years to bridge the gender gap in this field. This is something that is hopefully high on the agenda of government bodies, educators and cybersecurity experts.
In summary, a very insightful and seamless event, skilfully bringing together cybersecurity knowledge, experience, expertise, solutions, products and services. Security is a global problem and the solutions cannot be developed in isolation, but shared across the community in a spirit of cooperation and openness.