Survey revealed at UCISA conference discusses cyber strategies, threats and readiness perceptions
A survey of cyber security strategy and readiness in higher and further education has offered clues as to how prepared organisations are to counter security threats.
The survey, carried out by Jisc, the not-for-profit organisation for digital services and solutions in the UK higher, further education and skills sectors, gained 95 responses from 80 organisations. Limited details were revealed by Jisc deputy chief information security officer (CISO) Henry Hughes at last week’s Universities and Colleges Information Systems Association (UCISA) conference in Bournemouth.
The survey, carried out to provide more accurate, contextual data around UK education and research, considered areas such as cyber security budgets, threats, skills and certifications.
The snapshot of survey results revealed at the conference showed that 55% of higher education organisations said they could identify someone in the organisation who had a strategic responsibility for cyber security, such as a chief information security officer (CISO) or chief information officer (CIO). Hughes described the 55% figure as positive.
The survey also asked whether organisations had dedicated cyber security posts, with 72% of higher education organisations affirming they had someone with that responsibility.
Hughes said there was a need to be cautious about the information on budgets given the size of the survey. But he pointed to a sizeable increase in cyber security budgets within higher education, from a “reasonable stable budget” in 2015/16 and 2016/17 to a projected budget which signalled a 132% increase.
Hughes said, “So we are seeing government invest more and you’re telling us we’re investing more. That seems to be what’s going on in the area.”
On organisations’ perceptions of their security readiness, Jisc asked organisations to score themselves 1-4 if they felt there were no security accreditations in place, if they felt cyber security was low on senior management’s agenda, or if the organisation felt it was only “at the start of the journey.”
The rationale for a score between 5 and 7 was that an organisation may have been starting from a low position, but had at least started and might have some legacy tools in place. There was perhaps some reluctance from senior management and organisations were potentially struggling to keep up with the change cycle and the risks. The rationale for an 8-10 rating would be that cyber security is taken much more seriously, with a proactive, not reactive, approach and with comprehensive controls and processes in place that have been well rehearsed.
Hughes said only 14% of responses put their organisation in the 8 to 10 range, with a mean score of 5.8.
“So clearly quite a lot more to do is what you’re telling us. Almost everyone agreed that they’d like to understand how you set in terms of ranking. Not publishing it – but in terms of anonymisation, which quartile you’re in in terms of how your preparations are going and how your security programmes look,” he said.
In terms of cyber security certifications, such as Cyber Essentials, Cyber Essentials Plus and ISO 27001, Hughes said 20% of organisations said they had achieved Cyber Essentials last year, 38% are working towards it, and 11% had no plans to achieve it.
In terms of threats, the biggest concern, Hughes said, was phishing and the associated areas of spear phishing and whaling. The insider threat was ranked third in terms of attacks.
One area highlighted by Hughes was staff and student training in cyber security. In staff training, 46% of respondents in HE organisations said cyber security training was compulsory, with 37% saying it was optional. The figures were similar in FE organisations, Hughes said.
But in terms of training of students, only 8% of respondents for HE organisations said student training was compulsory, with 32% optional.
Hughes told the audience, “Half of you are not doing any student training in cyber security. What was really striking to me about this result was that we recently did in Jisc a survey of student satisfaction at the end of their courses. 22,000 students. Over 82% said that they felt that digital skills were essential to their career in the future. When they were asked how well prepared they felt after their courses, in the digital workplace, less than half of them felt they were well prepared.”