Calling for better education for cyber security

James Kelly, chief executive of the British Security Industry Association, discusses the cyber threats that the education sector is facing and the best ways to counteract them.

The Cyber Security Breaches Survey, recently published by the Department for Culture, Media and Sport found that two thirds of large UK businesses have been hit by a cyber breach or attack in the last year, further highlighting the importance of cyber security in the modern era.

The increasing threat of cyber attacks is not just recognised by the business and education sectors, but by the government as well. In 2015, George Osborne highlighted the importance of cyber security in his Autumn Statement: “Earlier this year the Prime Minister asked me to chair the government’s committee on cyber, and through that I see the huge collective effort required to keep our country safe from cyber attack, the range of threats we face and how this will be one of the great challenges of our lifetimes.”

He continued: “As Chancellor I know about the enormous potential for the internet to drive economic growth, but I am also acutely aware of the risk of cyber attack harming our economy and undermining the confidence on which it rests.”

The Chancellor went on to discuss the details of his national cyber plan which meant investing ‘in defending Britain in a cyber age’ and recognised that the amount of reported cyber breaches have been increasing in frequency and severity. As a result, Osborne announced that he had made provisions to almost double the investment of cyber security in order to ‘protect Britain from cyber attack and develop our sovereign capabilities in cyberspace, totalling £1.9 billion over five years’.

While this kind of investment is hugely important in protecting our nation, it is not enough, as it is also extremely imperative that everyone takes the necessary steps to ensure effective cyber security. In saying that, the Chancellor also announced plans to establish a National Cyber Security Centre, which is set to open in October.

He explained: “The centre will be a unified source of advice and support for the economy, replacing the current array of bodies with a single point of contact. The Centre will make it easier for industry to get the support it needs from government and make it easier for government and industry to share information on the cyber threat to protect the UK.”

Worrying statistics
While cyber security is clearly at the forefront of the political agenda, the Cyber Security Breaches Survey highlighted the need for a better national education on cyber threats. The results were based on a representative telephone survey of 1,008 UK businesses from 30 November 2015 to 5 February 2016, along with 30 in-depth follow up interviews in January and February 2016.

While the report did find that cyber security was an important issue, with seven in ten businesses saying it was either a very high or fairly high priority, it did show that worryingly only 51 per cent of the businesses had actually attempted to identify the cyber security risks faced by their organisation. Furthermore, only three in ten had written cyber security policies and only one in ten had formal incident management processes in place. These statistics prove worrying, as the cost of a cyber attack can be extremely high, with the estimated average cost of all breaches over the last 12 months being £3,480 and £36,500 for large firms.

While UK businesses were the focus of this research, separate research conducted by Vanson Bourne for cloud security developer VMware and discussed by Times Higher Education, found that more than a third of universities are hit by a successful cyber attack every hour. The research surveyed IT professionals at 50 universities across the UK, with a staggering 87 per cent confirming that they had experienced at least one successful cyber attack at their establishment.

Moreover, 36 per cent of respondents also stated that they were having to contend with a successful cyber attack per hour. In terms of the kind of information being targeted, the results found that student data, such as exam results or even dissertation material, was at the forefront of the list, while intellectual property theft and the infiltration of research data were also issues.

This kind of attack can have hugely detrimental effects for an educational establishment, both in terms of reputation and finance. It can even stump the education process, with 74 per cent of respondents saying they had to halt a research project due to the infiltration. Research projects can also contain highly confidential information, and this is highlighted by the fact that 77 per cent of those surveyed thought that a cyber ‘security breach had the potential to impact national security’.

Worryingly, two-thirds of respondents said that they did not believe that their university’s existing IT infrastructure would protect it against cyber attacks over the next 12 to 18 months, with a further 85 per cent believing that ‘more funding must be given to IT security to protect intellectual property’.

Recognising the Risks
Schools and universities store a wealth of important information on their networks, anything from personal information to medical records or financial data. Similar to businesses, educational establishments incorporate IT and internet access into its day to day activities. Broadband networks are becoming increasingly used in schools, and especially at universities, meaning that these networks must be as robust as possible in order to mitigate cyber threats.

One particular threat can be that of malicious insiders with the intention of attacking a network, however, in schools, these insiders can actually be attacking unknowingly. With the younger generations being a key part of the cyber era, new digital platforms can actually be introduced to schools networks without staff realising and can make networks more vulnerable to cyber threats. The same can be said for teachers as well, technology bought from outside the classroom – such as a USB stick – could actually contain corrupt files that could attack a network, or a link in a personal email clicked on by a student or teacher could actually result in a phishing virus.

In terms of removable media, such as USB sticks or hard-drives, it is important to produce policies that will control access to removable devices, limiting the types that are able to be used. It is also paramount that such media is scanned for malware before importing any information on to school computers.

Small steps to prevention
The Cyber Security Breaches Survey also found that the most common attacks detected involved viruses, spyware or malware and these are all attacks that could affect any sector. Just small steps can be taken in order to prevent against these threats, including regularly updating software and malware protection, ensuring firewalls are robust and up to date and ensuring that access to certain areas of the network are restricted to specific users – this is particularly important in schools, as students and staff alike should only be able to access a certain proportion of the network.

With the variety of cyber threats out there, it is extremely important that cyber security is taken seriously by those key decision makers responsible for the procurement of security solutions within the education sector. It is paramount that educational establishments have specifically appointed someone to take care of cyber security, with their job role covering information security and governance.

Specialist IT and cyber security staff should be regularly updated with information about cyber security by attending some form of cyber security training, helping them to be fully aware of the risks and then able to effectively communicate these risks and procedures with staff members and the student body. Transparency is key, and all faculty members and students should be doing their part in order to keep the networks safe.

Regular testing of defence systems should also be carried out in order to ensure that the protection in place is adequate enough to challenge ever-advancing cyber threats.

It can also be beneficial to enlist the advice of a security consultant, who can provide independent professional support to identify the risks that an establishment is facing and advise on the measures required to mitigate any existing or emerging threats.

The Importance of Quality
Interestingly, the Cyber Security Breaches Survey also found that ‘while most businesses set rules and controls within their organisations, just 13 per cent set minimum cyber security standards for their suppliers’.

It is not enough to have cyber security solutions in place, but these solutions must be provided by a trustworthy supplier that meet with the relevant British and European standards for their products and services.

Members of the British Security Industry Association’s Specialist Services Section have a wealth of knowledge and experience in cyber security and can provide a reputable service.

Further Information