The main topics of discussion at itSMF UK’s recent sector spotlight on the higher education sector were cybersecurity and major incidents: the showstoppers for which we all rigorously plan but hope to avoid.
Looking back on this event just a few weeks later, it is not lost on me that since then the sector has unfortunately suffered at least another two serious cyber incidents, both leading to extensive disruption to the daily routine of the institutions.
So what lessons can we learn from the day’s presentations?
Our first session from Kevin O’Brien and Andy Dunn from CSI offered some excellent advice on what we can do to help prevent a cyber incident – credential management, device management, MFA, traffic/log monitoring, air-gapped backups to name but a few. We then segued into preparing for the worst, and having plans in place should this ever happen – a theme that would run through all the presentations that followed.
We have all (hopefully) documented and tested our major incident processes – not something you want to be working out after the event, and the same is true for cyber. We need a playbook to help us focus on the task(s) in hand, who does what (roles and responsibilities), lines of communication, impact assessment – the list goes on…
In short, prepare for the worst, and be ready to adapt your response to the nature of the attack or system failure.
Our next presentation, from the University of Oxford’s Andrew Dixon and Ian Teasdale, highlighted the great work that they’ve done in the major incident management space, using lessons learned from previous incidents to drive forward a well-defined and understood process, together with a continual improvement culture which has dramatically reduced the number of major incidents.
Again, there was a strong focus on being ready, and on everyone knowing what to do and who was doing it – clear comms being every bit as important as all of the other activities. Business continuity readiness/testing also came through strongly in this session – don’t wait until you need your data or power backups to find out that you can’t read them or that the fuel tank is empty. The same goes for failover infrastructure.
What can I say about the next session, “Northumbria University’s cyber-attack – lessons from managing a major incident” presented by their CIO, Simon Corbett?
It had all the ingredients of a best-selling thriller, but unlike fiction, this was very much for real…
Simon expanded on the events of September 2020 with real conviction and honesty; not an easy thing to do, given the nature of what they’d been through. We heard first-hand accounts of the situation that Northumbria’s staff and students were faced with, together with a candid walk-through of events. The session focussed not just on the incident’s impact and the technical steps to regain control of their landscape, but also, in plenty of detail, on the human side of the event: the whole gamut of anger, stress, and disbelief.
There were obviously many things that couldn’t be said, but we felt your pain, Simon – thank you for sharing!
Last, but not least, we heard from OpenText’s Mike Rutherford, who presented the findings of their extensive research on the state of cyber security in HE. At least a couple of the stats made uncomfortable reading – close to 90% of respondents reporting at least one “successful” cyber attack in the past year, with 70%+ of the same group admitting to still not being as ready to deal with future threats as they would like to be…
All in, and in spite of the dark corners that we explored, it was a very positive event, with plenty to take away whether you work in HE or not.