As a college leader, there are many concerning issues to consider, including the pressure on funds, doing the best I can for my staff and students and keeping up with the ever-changing shift in government policy. But right up there on my list of priorities is cybersecurity, particularly protection of the college network and the countless online systems that depend upon it.
The national research and education network, Janet, is central to everything we do, so losing that connection would be a disaster: pretty much everything would grind to a halt. Just imagine – no email, no admin or finance systems, no wi-fi or internet, no virtual learning environment and no access to learning resources. There’s also a risk that students could lose their work and we’d have to revert to a style of teaching we’ve taken years to modernise. Last, but by no means least, it could be a PR nightmare.
Students don’t hang about when something like this happens. There’d be no hope of keeping such a huge problem quiet, since students used to smartphones and 24/7 internet access will be quick to vent on social media, just as soon as they can get connected. Their comments are bound to be picked up by the media, and your comms team will be doing their best to limit the reputational damage.
Clean-up and repair
Then there’s the obvious disruption and loss of productivity for the duration of the outage, not to mention the cost of extra personnel hours to deal with the clean-up and repair. There is some research which puts the cost of a network outage at around £3,300 per minute, but I’d rather not think too much about that. Instead, we recognise something like this is avoidable and my advice is to concentrate on preventative measures, which are expensive, but still cheaper in the long run.
However, I know cybersecurity isn’t always a priority for college leaders, and that must be a frustration and a worry for staff in many colleges who realise that it doesn’t pay to skimp on this issue.
For colleges like Forth Valley, which are thinking about upgrades to digital systems or infrastructure, it’s important to consider cybersecurity as an integral and interdependent part of all college systems. A college-wide strategy sets clear goals and outlines how you’re going to achieve them, but for this to work effectively, buy-in from senior decision-makers is essential.
At Forth Valley College, we have recently launched a creative learning and technologies strategy, with six “ambitions”. One of these is that our IT infrastructure is safe, secure, robust and agile enough to embrace changing needs and practices. This places cybersecurity at the heart of both our strategy and our thinking.
Reinvest in infrastructure
As part of this strategy, and as we move into a new headquarters campus, we are planning to re-invest in our infrastructure, ensuring that we take advantage of advances in technology.
During this process, many companies are keen to talk to us and tell us how good their products are. Getting good and, crucially, impartial advice can be tricky, and potentially costly if you go down the private consultancy route. This significant role is performed for us by the sector’s not-for-profit technology solutions organisation, Jisc, which acts as both an impartial and critical friend.
As a result, we know what we must do to keep our staff, students, network and systems safe. If you’re not sure what a good cybersecurity strategy looks like, contact Jisc, check out the National Cyber Security Centre website, or go through the following checklist:
- Risk assessment: What are you trying to protect against? Criminal gangs, disgruntled students and staff, 'hacktivists'? Does your institution have relationships with organisations or industrial partners that might make you an attractive target? And where are your biggest vulnerabilities?
- Network security: Put measures in place to defend the network perimeter, and to filter out unauthorised access and malicious content. Monitor and test these security controls. Segment your network so that, if one machine gets infected with malware, you limit its ability to spread across the whole institution.
- User education: Produce security policies for all users clearly setting out the acceptable and secure use of your systems. Maintain awareness of online security risks by providing ongoing training for staff and students, covering on-campus and remote access.
- Malware: Put in place anti-malware defences such as anti-virus software and end-point protection solutions. Make sure they are turned on and kept up to date.
- Patchwork: Make sure you know what software and hardware you have in place, so you can easily and quickly update as soon as new security patches are released.
- Managing user privileges: Not everyone needs full admin access, so only provide privileged access to those who need it.
- Incident management: Accept that bad things will happen, and encourage a culture where people know how to report things that seem suspicious. Set up protocols so everyone knows what to do in the event of a security incident, and practise them. Know who to call if you need help when you are attacked.
- Monitoring: Establish a monitoring strategy and produce supporting policies. Continuously monitor all systems and networks. Analyse incident logs for unusual activity that could indicate an attack.
- Share intelligence: Join CiSP (Cyber Security Information Sharing Partnership) and encourage your staff with responsibility for cybersecurity to network with peers. Make use of existing capabilities. For example, if you teach cybersecurity courses, encourage those students to become security champions/ambassadors for others. Jisc members will be automatically plugged into its sector-specific intel sharing system.
- Set the standard: Once the basics are in place, aim to reach the government’s Cyber Essentials or Cyber Essentials Plus standards. These provide assurance that you are on the right track and can demonstrate to stakeholders that you are cybersecurity aware.
Finally, remember that the threat landscape is ever-changing, so it’s important to regularly review and evolve your cybersecurity strategy and to adopt a digital infrastructure that can evolve to accommodate the latest technology. At the end of the day, the principal and/or chief executive must understand the risks and responsibilities of cybersecurity; ultimately, it’s their job to ensure the cybersafety of their college, their data and their people.
Ken Thomson is principal and chief executive of Forth Valley College