Cyber in practice - an insider's view on tackling cybercrime in HE

The Higher Education sector has found itself the focus of some very unwanted attention. With a unique combination of critical personal information and highly valuable research data, more and more cyber criminals are focusing their efforts on compromising university infrastructure. In fact, in the UK, only financial institutions are seeing anything like the acceleration of attacks being suffered annually by HE. 
The statistics make for sobering reading. 

Of course, it isn’t just the richness of data, and its associated value, that is the challenge; it is the very environment of a university. University campuses support retailers, banks, researchers, major entertainment and event destinations, cutting-edge research facilities, thousands of domestic residents, and, of course, learning facilities on a huge scale. In addition, very few organisations need to cope with user turnover on such a scale: thousands of student users join and leave every year, so thousands of account provisions and revocations need to happen very quickly. This introduces a specific, time-bound risk of increased cyber identity attacks which is rarely found elsewhere.

When you then consider the intellectual property of monetary, scientific, competitive, political and social significance which may exist in parallel or on shared IT infrastructure, for example that used and shared by internal research departments, think tanks, private sector partners and others from around the world, it’s clear that securing HE is a complex challenge.

On paper, the challenge looks both daunting and immense, but universities are meeting this challenge every day. So, what does the reality look like in practice – and what are the real barriers and opportunities that IT teams are facing?

In October 2024, Roc Technologies brought together IT and cyber security leads from universities across the UK along with leading global networking and cyber security company, Juniper Networks, to explore what cyber security means in practice for a university campus.

AI – challenge or opportunity?

It seems almost impossible to have a conversation about IT without immediately jumping to GenAI. It may have been on the horizon for years, but the speed and scale of disruption since the launch of ChatGPT in November 2022 is unprecedented. Yet for all the talk, the opportunity beyond simple content generation is not clear. To a certain extent, this is because the use cases are so broad, so extensive, that it can be difficult to know where to focus.

Time is, however, of the essence. Students and academics alike are already using AI for content creation, enrichment and assessment, so it’s important for governance and supporting technical controls to be developed and implemented quickly.  

Like many sectors, universities have looked to government policies for both inspiration and alignment, with a mindset to provide guardrails rather than barriers. Indeed, within HE there is a real desire to explore, to support experimentation and to provide an environment where AI adoption and integration is native. But there are some key challenges:

  • The technology has jumped ahead of the traditional IT skillset – meaning there is an urgent need to upskill staff. This needs to cover not just technical skills, but areas which are still subject to wide debate, such as digital ethics and bias, not to mention trust. Whilst some of this expertise will be found within the existing academic community, there is much competition for these skillsets and universities will need to compete alongside every other sector to attract them.

  • With any discussion of GenAI comes the intrinsic cyber security challenge of protecting critical data. Ironically, security may become the first use case because the tools required to apply controls to AI in our environments are themselves powered by the same technology. Indeed, it is the cyber security industry that is leading the way, pioneering the integration of AI with analysis and threat detection tools.

Universities, like all sectors, will need to become comfortable with the inherent risks posed by AI; these risks will be best met and mitigated through well-considered governance and guardrails that support users.

Cyber Security for the AI generation – HE leading the way

The Higher Education sector was one of the first to truly recognise the risk of data loss, reputational damage or restricted access to services that could occur as the result of a cyber attack. As a result, analysts suggest that universities are far ahead of most other sectors in terms of investment, long term planning and mitigation, resourcing and executive support.

But perception isn’t always reality, and – in a theme common with other sectors – one of the key issues is that cyber security can still be perceived as an ‘IT risk’, not a strategic risk.

The challenges are two-fold.

Firstly, as discussed, the cyber threat landscape is ever evolving, with new threats emerging daily if not hourly. But, in the face of overwhelming and potentially existential financial crises, universities are choosing to invest in solving problems which are there, not those which might happen. With many universities having already invested in cyber security strategies, further cyber investment to mitigate new potential threats is deprioritised in favour of other, immediate issues. This means money only gets freed up when there is a problem that has to be solved.

This ‘spend to solve’ mindset means critical investment decisions are being made at a point of crisis, when urgent resolutions are needed, with no time to assess whether solutions offered are the best, most comprehensive available, or just those which will get the lights back on.

The other challenge is one of resourcing. We’ve already noted the scale of the ecosystem in which universities operate. Add to this the control of corporate and academic network access; protection of data; the provision of ISP services as a domestic operator; the support of retailers and other entities; the development of controls for GenAI; as well as routine daily tasks like patching and monitoring, and there can be no doubt that the singular nature of managing cyber security in HE calls for more cyber specialists than a traditional corporate environment.

Yet many HE cyber teams have no more than 4 - 5 team members with some kind of cyber responsibility and many of these are not specialists. With most universities supporting more than 20,000 students and staff, and with cyber incidents happening every day, the work is both thankless and unrelenting. Even the best cyber security strategy is weakened when its implementation is compromised.

So how are IT and security teams trying to mitigate these issues?

User education is the top priority. A recent survey from the Education Forum found that although 84% of UK universities enforce information security training for staff, only 5% make it mandatory for students. This is all the more concerning as malicious actors are directly targeting students – especially foreign students, who may not pick up on the spelling or grammatical errors that often give phishing emails away.

A particularly successful phishing attack recently targeted international students with a message supposedly from the University finance team sharing details of how to pay their fees. It was successful not because it was a particularly elegant or convincing email, but because it was sent at the start of term, just when students were expecting to receive something similar.

This tells us that hackers are becoming more and more well prepared, that they are researching their targets and understand key times and events in the university calendar. It means they have what you might call ‘Target Intelligence’, just as we have Threat Intelligence.

But it’s not just about the users: helping senior leadership understand the mechanics and realities of a cyber attack is critical to helping move the conversation towards preventative strategies – especially when the impact on users is considered. Having just a single champion on the VCG isn’t enough – a broad understanding across all leadership is essential to help prioritise additional resource and investment.

One effective approach has been to combine cyber resilience with overall business continuity planning, a process which already involves all the senior leadership up to and including the Vice Chancellor. It is also a process which, by definition, addresses risk and, more importantly, defines an organisation’s risk appetite; for IT teams, it creates an opportunity to position cyber for what it is: a risk that belongs not just to IT but to the entire organisation.
