There is nothing fundamentally technical about cybersecurity.
It may seem counterintuitive, but effective cybersecurity is more about people.
After all, it doesn’t matter how much technology you have in place if all it takes for a breach to happen is for one person to click on a phishing email – and phishing emails account for 90 per cent of initial compromises globally. Firewalls and multi-factor authentication have an essential role to play, but they can’t defend against an individual’s lack of understanding of the consequences of their actions – which can be disastrous and long-lasting.
Getting to the stage where cybersecurity awareness is built into every level of an institution requires a major shift in organisational culture.
In a connected community such as the UK higher education sector, everyone has a part to play in combating the growing threat. A failing at one establishment can have implications for many others, so it’s imperative that individual organisations account for the risks they face and the criticality of the functions for which they are responsible. The same applies to individuals: one mistake can massively affect the wider community.
What’s needed is a willingness on the part of everyone – not just the IT department – to work together to do the right thing and make the sector safer.
Institutions can put in place a few basic people-level habits that will help boost sector-level security.
Avoiding acronyms is a good start
Cybersecurity starts at the top; securing commitment at the highest levels is key. Not only does it ensure that the risks and proposed solutions are clearly understood from the outset, but it also gives the right signals to the whole organisation, making it easier to convince others to collaborate in a concerted effort to defend as one.
The best way to raise the issue of cybersecurity with senior management and staff is by speaking in terms of business rather than technology. No one on the leadership team wants to hear about RPZ feeds or port 3389, so avoid jargon and acronyms. It’s not other people’s job to understand them.
What’s more important is understanding the institution’s needs, the business processes that need protecting, how they work and what their correct outcomes should be. It’s about taking a holistic view of the environment, knowing what data there is to protect and where it is.
Clarify the risks
The whole point of universities and research institutions is openness, and that’s not always conducive to effective cybersecurity. Any approach to cybersecurity therefore needs to balance the (often conflicting) demands of confidentiality, integrity and availability.
Senior management should clarify the organisation’s goals to ensure cybersecurity is supporting them. Cybersecurity exists to enable an institution to conduct its learning, teaching and research activities in a secure, safe manner based on an acceptable risk appetite – which, in this sector, is usually low.
To really bring home the potential risks and the importance of being prepared, cyber exercises are a useful tool. These simulate the problems that occur during a real-life incident in a safe environment and can be delivered at different levels for management and IT staff. Afterwards, everyone in the organisation should be aware of exactly what they need to do in the event of an attack.
Understanding the costs of a cyberattack
Once the risks and vision are clearly understood, the discussion inevitably moves to finance. Preventing cyberattacks costs money. It requires investment in cyber professional staff, in training, in technical solutions. And, while senior management might be worried about cyber risk, they may not fully appreciate the situation and will – understandably – be reluctant to throw money at a problem that might never happen.
Prevention, however, is always better than cure – and usually less costly.
Remember that a serious cyber incident has other impacts that go beyond the financial, such as the human cost incurred not only during an attack but during the recovery period as well. It’s important to factor these into any cost analysis.
As part of their Joint Information Systems Committee (Jisc) membership, any UK research or education institution connected to the Janet Network can avail themselves of the accredited expertise of Jisc’s cyber-protection teams, along with essential core services to help maintain a safe digital environment.
Demystifying cybersecurity
Building a culture of cyber awareness throughout an entire institution and its staff and learners is an enormous task. But we are definitely seeing a change as cyber is demystified and integrated into the everyday use of technology in teaching and learning. Increasingly, cyber awareness is being included in student inductions and taught as part of non-IT-related courses.
A valuable resource for awareness building is the Jisc cybersecurity community group. With 1,700 members, this fast-growing community provides an open forum where peers can exchange knowledge and best practice.
By discussing and demystifying cybersecurity we can shift it from being a technology issue to being all about people. And that’s key to building a culture of collaboration and common purpose, which will make the sector safer for everyone.
David Batho is the director of security at Jisc.