30 May 2025 - Talion Cyber Security UCISA Article
Why Universities Struggle to Share Cyber Threat Intelligence — And What We Can Do About It
By Keven Knight, Co-Founder, Talion Cybersecurity | Contributor, UCISA
Universities are guardians of cutting-edge research, sensitive data, and sensitive intellectual capital — but they're also among the most frequently targeted institutions by cybercriminals. According to the National Cyber Security Centre (NCSC), higher education institutions (HEIs) face escalating cyber threats, yet continue to battle underinvestment, decentralisation, and internal constraints that hinder their ability to respond effectively. Despite being custodians of critical research, intellectual property, and sensitive student data, universities face systemic obstacles when it comes to cybersecurity resilience. Chief among these is a persistent challenge: sharing threat intelligence across institutions.
At Talion Cybersecurity, we wanted to better understand how cybersecurity professionals within higher education are coping — and more importantly, why threat intelligence isn’t shared more widely across institutions, even when collaboration is known to reduce risk.
That’s why we partnered with UCISA and a research team from University College London (UCL) on a collaborative research project to uncover the reality behind cyber threat intelligence sharing across the UK’s university sector.
Insights from the Field: Original Commentary from the UCL-UCISA-Talion Research Project
For anyone who works in one, it is clear that universities are a particularly challenging space to protect from cyberattacks. Indeed, in 2021, the NCSC reported that universities and higher education institutions (HEIs) had been exponentially targeted by cybercriminals. There are myriad reasons for this ranging from traditional under-investment in the digital estate, the volume of high-value data held in university systems, and a diverse, complex digital footprint and workforce. We wanted to understand this context better and to do so, we needed to speak directly with those who work to secure universities every day.
Over two years, during the midst of the pandemic, we collaborated on a research project with UCISA that was headed up by researchers from University College London. Together, we interviewed and surveyed 130 cybersecurity practitioners working at universities across the UK. The findings were fascinating and we wanted to share them with you all – and thank those of you who engaged with us on this project.
The first paper to be published from this project is specifically about how university CISOs (or equivalent) share threat intelligence – and what prevents them from doing it more. In research into other sector-specific cybersecurity, the extent to which collaboration and information sharing has been effectively implemented within the ecosystem has been identified as an important factor in mitigating against cyber risk. For anyone who would like to read the full article, you can access it for free here: Oxford University Press Cybersecurity Journal.
Key Research Findings at a Glance
First, the good news: A significant majority of respondents agreed or strongly agreed that collaboration was important to them.
- 94% said that it encourages mutual learning,
- 91% felt that sharing threat intelligence encourages the development of sector-wide solutions,
- 81% said it enables organisations to take collective action, and
- 95% said that it encourages a sense of community and more integrated responses to threats.
Although university CISOs are overwhelmingly in favour of sharing threat intelligence, there are real impediments to doing so. These include:
1. Management Uncertainty and Legal Inertia
“I think a lot of the time people are not sure if they should [share threat intelligence], so they ask… No one wants to say ‘yes’ because they’re not sure.” Eventually, we were told, these requests will land with someone who will say ‘no’ because they don’t really understand the benefits of sector-wide intelligence sharing.
2. Insurance and Legal Risk
Many people told us that they would potentially be in breach of the university’s insurance policy if they shared threat intelligence with colleagues in a timely manner following an incident.
3. Fear of Reputational Damage
People spoke extensively about this and from many different perspectives. The reputation of the institution did come up frequently, either as a concern of the respondent or as a factor that they expected would lead to a managerial ‘no’ on requests to share threat intel (see above). But it also came up on a personal level that expressed some of the pressures that go along with this job; “When there is an attack, you feel you have failed in some way.”
4. Lack of Trust-Based Relationships
People stressed this repeatedly. Personal relationships and trust make sharing threat intelligence in this context much, much easier and more likely. This is not all that surprising or unusual but it does raise the question of how to build stronger relationships across the sector – something that UCISA has been so active in pursuing and the benefits of which would very clearly translate to this point.
Recommendations for a More Secure Higher Education Sector
To break down these barriers, the following steps are critical:
Update University Funding Models
Currently, a proportion of research funding goes towards university ‘estates’ but this refers to the university’s physical estate. The pandemic years of enforced remote teaching will have lasting repercussions and the big lesson to come out of that period was that despite decades of investment in buildings, the university model of the 21st century relies much more on its digital estate than it does on its physical estate. Investment should reflect that through a proportionate amount of research funding to properly secure and support it.
Increase Executive Support for Collaboration
Senior managers can work to better support their cybersecurity teams to collaborate with peers in other universities. This will help to minimise the number of organisations that suffer from a particular attack and, in some of those cases, their own university will be the beneficiary of this collaboration. They should also proactively support their security teams to build strong professional relationships within the network.
Reform Insurance Policy Constraints
There is a conversation to be had about the extent to which insurance policies can or should preclude this type of collaboration because it is currently detrimental to the security of the overall ecosystem. Preventing sharing threat intelligence may protect one institution but it leaves others vulnerable for longer than they should be. As no organisation is impermeable from cyber-attacks, this practice will eventually come back to bite. The insurance sector should take a sector wide view and support practices that strengthen, rather than weaken, universities.
Final Thoughts from Talion
This research project revealed what many of us in the sector have long suspected: the will to collaborate exists — but the system discourages it. That’s a solvable problem, and it starts with policy change, leadership courage, and shared responsibility.
At Talion, we are proud to be part of a cybersecurity community that includes forward-thinking partners like UCISA and UCL. This research reflects our shared belief that we’re stronger together — and that resilience in higher education depends on more open, human, and trust-based cybersecurity practices.
With Gratitude
Thank you to Professor Madeline Carr, Anna Piazza, and Srinidhi Vasudevan from UCL; Deborah Green and Siân Thomas from UCISA; and to the 130 university cybersecurity professionals who offered their time and insights. Your contributions have created a foundation for meaningful change in how universities approach cyber resilience.
—
About the Author
Keven Knight is the Co-Founder and Owner of Talion Cyber Security, a UK-based Managed Security Services Provider (MSSP) delivering world-class protection to global businesses through a tailored, human-first approach. With more than 20 years of experience in security operations, threat intelligence, and managed detection and response (MDR), Keven has worked alongside some of the world’s most demanding organizations across financial services, government, healthcare, and critical infrastructure.
A contributing member of UCISA, Keven is a passionate advocate for sector-wide collaboration and digital estate protection—particularly in industries like higher education where resilience depends on transparency and trust. His mission is simple: to give organisations control, clarity, and confidence in their security strategy.