Blog by Lawrie Abercrombie, Arcanum’s Technical Director, and Chris Gausden, Arcanum Principal Consultant
One of the many dichotomies in the Cyber Security world is around the security of universities and their IT assets. Information technology and cyber security are relatively new professions, one of the consequences of which is a widely acknowledged shortage of good, competent, and qualified cyber security professionals, with some estimates quoting a worldwide shortage of millions of people. According to non-profit IT security organisation ISC², there are 2.93 million cybersecurity positions open and unfilled around the world.
The UK’s 164 universities have responded by creating increasing numbers of under-graduate and post-graduate degrees with a cyber security focus. Admittedly, some of these are of varying quality, since one of the other consequences of our relatively youthful profession is that there is no single accepted standard for what a good all-round cyber security professional looks like. The UK’s technical authority, the National Cyber Security Centre (NCSC), has itself risen to this challenge and certified some cyber related degree courses at both levels, with six universities having under-grad degrees and 24 with post-grad degrees. Of course, achieving a degree level academic qualification is a good foundation but the one thing missing is experience in its effective application.
The question is, given that the UK universities have become the greenhouse for growing our cyber security talent, why are so many of them so poor at securing their own IT systems?
In the last 6 months there have been a plethora of cyber security incidents at universities. Perhaps one of the highest profile events, for obvious reasons, was the theft in July of Covid-19 vaccine research from Oxford University and Imperial College by a Russian group known as “Cozy Bear.” Incidentally, both universities concerned teach Cyber Security MSc courses certified by the NCSC.
Another incident saw student data from six UK universities stolen in a supply chain attack on Blackbaud, one of their software suppliers. Perhaps not entirely the universities fault, except… Protecting against supply chain attacks is now a fundamental of cyber risk management for any business. It certainly should be on the syllabus of the NCSC certified MSc courses at the Universities of Birmingham; Exeter; York and Oxford Brooks, all of which were caught in the Blackbaud attack.
Last year, JISC; the organisation which provides shared digital infrastructure and services such as the superfast Janet Network to UK universities and colleges; ran its own cyber security tests of 64 higher education institutions. All of them were found to be vulnerable to being hacked within 2 hours of commencing testing. It would be interesting to know how the rest of the 164 would have fared.
Yet another report, this time from an FOI request, revealed that at least seven universities had reported five or more data breaches to the Information Commissioner’s Office over the past 12 months. As an old proverb says, “Fool me once, shame on thee; fool me twice, shame on me.” What does that imply for five data breaches in a year?
The reasons for this dire situation are relatively easy to see. Cyber security theory is taught but its practice it is just not a big priority for most UK universities. Less than 35 UK universities have a dedicated Chief Information Security Officer, the universities have an average of 3 ‘qualified’ cyber security staff each and less than half of their total staff receive any cyber security training. Yet universities, as we’ve said before, are one of the very, very few industry sectors that really do get attacked by every type of threat actor from script kiddies looking for infamy all the way up to the nation state backed ‘Cozy Bear’ type groups stealing intellectual property.
Key members of the cyber industry have been saying for years that universities are vulnerable and now we have a suggestion for how they can make it better.
We said earlier that the universities are turning out bright and theoretically qualified cyber graduates by the score, but they all lack experience of applying the theory in practice. So, how about using some of this ever-growing quantity of talent to help secure the universities own IT systems? Perhaps a 6-month placement for undergrads with HMG and commercial IT and cyber security teams as part of their final year? Or some practical experience for the MSc students in securing their own university IT networks working with their professional IT support teams. This could include identifying assets and risks; running vulnerability analysis; specifying and setting up agreed cyber security controls; monitoring threat intelligence feeds and conducting audits / reviews of the security policies and procedures. All are sound cyber principles that they will have heard so much about in their studies. And they all seem to be things that some universities own systems are sadly lacking.
Lawrie Abercrombie and Chris Gausden and are both Principal Consultants at Arcanum Information Security, an NCSC Certified Cyber Security Consultancy. If what they have written about in this piece or our other papers on universities and cyber security strikes a chord, and you’d like to develop what they’ve said to protect your systems, get in touch today by calling: 01558 669140 or alternatively email: firstname.lastname@example.org.
Arcanum Information Security is a leading National Cyber Security Centre (NCSC) accredited provider, certified in both Risk Assessment and Risk Management to provide specialist Cyber Security consultancy services. Arcanum consultants are NCSC Certified Professionals, with extensive knowledge and experience. In addition, we provide Digital Forensics through our ISO 17025 accredited laboratory.