A lack of funding and resources means further education colleges are not as well defended against cyber attacks as they should be. Our most recent data shows that colleges are an increasing target for cyber criminals and I am concerned that funding cuts due in 2019 could make an already risky security situation worse.
At present, the Department for Education fully funds the cost of Jisc for English colleges. This gives colleges access to a wide range of digital resources and advice, and connection to the national research and education network, Janet, which includes in-built cyber security protection.
Over a five-year period (2014-19), DfE funding for Jisc services has reduced by more than £10 million and, as a result, our funding model will be changing to include a subscription for English colleges from August 2019.
Education minister Anne Milton says this mixed-funding model will “increase Jisc’s accountability to colleges and will encourage subscribing colleges to make use of the full range of services that Jisc provides”. At present, this change does not apply to Northern Irish, Welsh or Scottish colleges, where our services remain fully funded by their governments.
Fourth emergency service
Arguably, our security team ensures that tertiary education is one of the best protected of any UK business or industrial sector, and we believe that no other body can provide a better protection service to the sector. To our members, we are the fourth emergency service.
As head of a not-for-profit organisation, dedicated to its members, I believe that no commercial provider will deliver a comparable service, with our unique offer and above-and-beyond approach.
However, it’s possible that, after August 2019, some English colleges may choose to leave Jisc and seek lower-grade network services and less-comprehensive cyber protection from alternative providers. I think that’s a bad move. In my opinion, individual colleges and the English FE sector as a whole will be much safer sticking together.
Uniquely, the 348 colleges – and more than 160 higher education organisations – in the Jisc community all benefit from shared intelligence on security threats. We collate and pass on relevant information gathered from within the education sector, and in the wider security field, through our close relationships with external agencies, including the National Crime Agency and the National Cyber Security Centre.
For colleges, particularly small organisations that can’t justify employing an expert security team, this kind of timely, free advice on security threats is immensely valuable. Commercial security providers do not have easy access to this knowledge pool and I worry that, unless it’s available to all, the risk of a serious breach to the FE sector will increase. This is why investing in the best possible cyber protection is so important.
What are the risks?
There are a growing number of threats to consider, particularly distributed denial of service (DDoS) attacks, in which a network is flooded with data in an attempt to bring it down. Colleges are increasingly being targeted by this type of cyber crime, but are facing a host of other threats, too: ransomware, for example, which encrypts data until the owner agrees to pay to release it, and malware, which is often used to steal data.
For the price of a cup of coffee, a DDoS attack package can be easily bought on the internet and, if successful, the results could be catastrophic for students, staff, and the college. These attacks can bring an organisation practically to a standstill; imagine the disruption to your staff and students, let alone the financial and reputational damage. Some research puts the cost of a network outage at more than £3,700 per minute.
Let’s put the threat level into context: in the UK, there are 348 colleges and, in 2017, one in four suffered a DDoS attack. Altogether, security incidents or queries generated by FE colleges in England accounted for 808 interactions with our security operations centre in 2017, including 396 DDoS attacks.
We are noticing an upwards trend in cyber criminals homing in on colleges. Just in the first 12 weeks of this year, we saw 148 DDoS attacks against 46 English FE colleges. This is an increase from the same period in 2017, when 23 English colleges were targeted 117 times.
Fortunately, our DDoS mitigation service, which is provided to all colleges as part of Jisc membership, greatly reduces the impact of this type of cyber attack and most colleges don’t even know they’ve suffered such an attack until we tell them.
Cost versus risk
The FE sector is under constant financial pressure and colleges tell us underinvestment in cyber security infrastructure and expertise is down to a lack of resource and funds. Research we conducted last year among a small number of FE members indicated that they are far less likely to have dedicated cyber security staff than universities. Just 3 per cent of responding colleges employed such experts, versus 72 per cent of higher education members.
The survey also seems to show that few colleges (only 7 per cent of respondents) had achieved the government’s cyber standard, Cyber Essentials, with a further 3 per cent working towards it. This compared with 20 per cent of universities that had gained the standard and 38 per cent working towards it.
Collectively, our data paints a picture of an FE sector that is underinvesting in cyber security in an increasingly dangerous cyber world. Constant financial pressure means colleges are forced to balance the question “what can we afford?” against “what are the risks of not investing in cyber security?”
But despite budget constraints, colleges rightly consider cyber safety to be a priority and seem keen to benchmark their current standards. In fact, we have been surprised that our new penetration testing service, where ethical hackers try to spot flaws that criminal hackers could exploit, has been in greatest demand from colleges, even though it incurs a charge.
Yes, the subscription that DfE has asked us to introduce next year is painful and many colleges struggling to afford it will feel under pressure to take cheaper options. Our question to colleges is not whether they can afford to be a member of Jisc, but whether they can afford to take the risk of leaving.