The publicity around the recent HEPI policy note "How safe is your data? Cyber security in higher education" resulted in widespread press coverage, including items on national BBC radio. The policy note makes a number of valid points. However, the press reports tended to sensationalise the issue and failed to recognise much of the good work that takes place in our institutions.
ucisa recognises that implementing effective cyber security in higher and further education institutions is challenging. Although the BBC report has focused on a number of negative (though nonetheless important) aspects, we are aware that our member institutions carry out a range of measures to mitigate the risk of cyber security breaches. These include implementation of Cyber Essentials, employment of specialised cyber security staff and compulsory cyber security awareness training for members of staff. Further, in most, if not all, institutions the risk of a cyber security breach is recognised on institutional risk registers and monitored at a senior institutional level.
The recruitment of specialist cyber security staff is particularly difficult in the sector and many institutions struggle to retain such staff. ucisa notes that an effective shared service to support cyber security operations has been running for a number of years in Scotland and encourages Jisc to explore the development of similar shared services for the benefit of the wider sector.
ucisa has produced a number of resources to support institutions to deliver effective cyber security. The Information Security Management Toolkit was developed to assist those who have responsibility for implementing information security across the organisation by providing advice and guidance. The Toolkit highlights the need for institutional ownership and the importance of awareness campaigns. ucisa procured information security awareness training on behalf of the sector in 2015 and continues to work with colleagues to maintain and develop that material.
ucisa will continue to work with Jisc to ensure that we are offering complementary materials and services, and to ensure that the importance of cyber security is well understood by the executive within our institutions, and that cyber security is managed within their risk and governance processes and appropriately resourced.