Cyber security remains a high priority for UK colleges, universities and research centres, according to the findings of Jisc’s sixth annual survey of the issue.
But Dr John Chapman, director of information security policy and governance at the technology organisation for the sector, warned there is no room for complacency in the face of serious threats.
The survey – carried out in June and receiving 123 responses – revealed that almost 97% of higher education (HE) and 94% of further education (FE) providers have cyber security on their risk register, up by 2% and 5% respectively compared with last year.
In addition, 87% of HE and 79% of FE institutions regularly report on cyber risks and resilience to their executive boards.
But when asked how well they felt their organisations were protected, only 16% of HE and 39% of FE bodies rated themselves at eight or more out of 10. Comments suggested that those rating themselves five to seven have controls in place but understand there is always more to be done to keep up with threats.
For those scoring themselves eight to 10 the key themes were the importance of robust systems and processes, audits, certification and external support.
Leadership crucial
Chapman said: “A robust cyber security posture is only possible with strong leadership and we cannot emphasise that enough. board members must be accountable and responsible for cyber security governance and risk management.
“Organisations where senior teams don’t understand that cyber security is a strategic priority are less likely to have the kind of investment, robust processes and technical measures in place to defend well against the growing number of threats.”
Ransomware/malware was identified as the top threat for HE and phishing/social engineering for FE, while both placed unpatched vulnerabilities in third place and accidental data breaches fourth.
The survey also showed that compulsory security training is more common for staff than students: 84% of HE and 77% of FE bodies ran it for staff, while the figures for students were 5% and 21% respectively.
“Top threats identified by colleges and universities are similar to 2021, which is unsurprising given the persistence of ransomware attackers targeting the sector over the past two years,” Chapman said. “In 2020 there were 15 serious ransomware attacks on HE and FE providers in the UK, with 18 in 2021 and at least 11 so far this year.”
He added: “I’m pleased to see an upwards trend in security awareness training, although ideally, mandatory training for students would be more widespread.”