Tim Hearn, Director, UK Government and Public Services, VMware
Last week saw the publication of a new study from VMware in the UK – University Challenge: Cyber Attacks in Higher Education – and, as you might imagine, we were shocked by a number of the findings.
One stand-out statistic for me was “36% of universities having a successful cyber attack every hour”, and I took the opportunity while attending the UCISA conference in Manchester last week to discuss this and other stats with delegates from the university community.
Here are a few observations that I wanted to share which came from the informal chats over tea and a couple of glasses of wine over dinner during the event:
- None of the university IT professionals I spoke with were surprised by the findings. In fact, one Head of IT stated that their security platforms register on average 16 attempts per minute, most from overseas
- If these are the cyber attacks that we know about, there are significant numbers that we don’t. Attacks on physical infrastructure, like the DDoS attack on JISC, are visible and can be tackled; attacks that are focused on a specific application or dataset are often invisible and not discovered until much later on
- Most security measures in university IT environments are still traditional physical infrastructure products such as firewalls, Intrusion Detection, Antivirus. Although we are seeing strong adoption of NSX, focus on securing Apps and software instead of the physical network is still immature
- A Head of HR of a leading university told us that they had a big issue with Trojans embedded in CVs sent as attachments, and that these were targeted at exposing personal information of students and employees
- Only one of the universities we spoke to had people with specific cyber responsibilities at board level with the ear of the Vice Chancellor or Chancellor
- Many IT functions still report into Finance, so investment in security is often seen as an insurance policy and difficult to quantify in terms of ROI, rather than a core IT imperative
Universities with overseas campuses seem to have a more acute issue than those that do not.
- As universities expand globally, they need to build better cyber security into their investment plans
The problems that universities have to address quite quickly are:
- Although around 80% of spend on IT security is targeted at protecting physical infrastructure, 80% of the threat is aimed at specific software and applications. Many universities are spending precious IT Capex on the wrong things
- There needs to be more ownership of cyber policy and practice at board level, with a specific representative who can act across the organisation
- Cyber threat is an ongoing battle, so cyber strategy, policy and countermeasures need to be agile and dynamic, allowing them to evolve with the threat
It has been very positive to see the impact of this study amongst the university community as well as in the national press. Now we need to ensure that our 6 Step Process for fighting cyber attacks is understood and adopted to ensure an ongoing vibrant, innovative and safe university experience.