According to a recent survey by JISC, the top three cyber security challenges for universities, colleges and other academic institutions are phishing and other social engineering attacks, malware (including ransomware) and simple human error.
The common weak point across all three is the human factor in cyber security, which is difficult to identify, diagnose and address. Social engineering – essentially con-artistry for the 21st century – depends entirely on the ability to trick individuals into revealing confidential information or granting access to privileged resources. Malware, including ransomware, typically relies on some form of social engineering attack in order to infect targeted systems. And of course, human error is always down to, well, human error.
With cyber security budgets falling in both Higher Education (HE) and Further Education (FE) organisations, it is essential for academic institutions to target their limited resources effectively to protect themselves, their employees, students and other customers, and the wider public.
Awareness Training is Patchy
Security awareness training, though, is something of a mixed bag. A little over half of HE and FE organisations do provide compulsory training for their staff. A substantial minority, however – 14% of HE and almost a quarter (24%) of FE – provide no employee security training at all.
For students, the picture is bleaker. Less than a third of FE bodies provide compulsory training for students, while for HE bodies the figure drops to just 3%. Around half of HE and FE bodies provide no training at all – compulsory or voluntary – for students.
The good news is that there is much that both HE and FE bodies can do to improve awareness, understanding and behaviours among employees and students, without consuming huge amounts of budget, and without disrupting day-to-day operations.
At A Glance – Ten Steps To Cyber Security
An excellent starting point is the National Cyber Security Centre’s Ten Steps to Cyber Security. Launched in 2012, the ten steps, which have been adopted by most FTSE 350 firms, provide a clear, practical, easy-to-follow framework for cyber security improvement. In brief, the ten steps are as follows:
1. Risk Management Regime
Clear definition and communication of the organisation’s information risk management regime is key.
2. Secure Configuration
Establish an approach to identify baseline technology builds and processes for ensuring configuration management. Create a strategy to remove or disable unnecessary functionality and quickly fix known vulnerabilities.
3. Home and Mobile Working
Remote working opens up new risks: develop risk-based policies and procedures for remote working which are applicable to users and service providers.
4. Incident Management
Establish effective incident management policies and processes to improve resilience, support business continuity, improve customer and stakeholder confidence and mitigate incident impact.
5. Malware Prevention
Reduce the risks posed by malware with appropriate security controls as part of an overall ‘defence in depth’ approach.
6. Managing User Privileges
Granting users unnecessary privileges increases risk: if their account is misused or compromised the impact will be more severe than it needs to be.
7. Monitoring
Effective monitoring helps detect attempted or actual attacks. It also helps ensure that systems are being used in accordance with policies, and is often necessary for legal or regulatory compliance.
8. Network Security
Simple policies and appropriate architectural and technical measures can reduce the risk of successful attacks via network connections with the outside world. In a Hybrid IT environment, it is important to focus not only on physical connections, but also on where data is stored and processed, and how attackers could interfere with it.
9. Removable Media Controls
Removable media poses significant security risks: clearly identify the business need for its use and apply appropriate security controls.
10. User Education and Awareness
It is critically important that the security technology and rules in use support users in their work, as well as helping to maintain and improve security. Awareness programmes and training that impart security expertise, along with a strong, organisation-wide security-conscious culture, can help here.
Download Our Related Content
To learn more, read our recent blog article, “Insider Threats: Seven Key Issues”, and download our guide, “Enterprise Cyber Security – Addressing the Human Factor”.
Get in touch if you would like to learn how our Cyber Security Maturity Assessment (CSMA) can help you identify and address the weak points in your security posture.