A recent article in the New York Times highlighted the growing number of cyber attacks on US universities. The situation is likely to be much the same this side of the pond. Universities host significant research which would be of interest to commercial organisations and certain overseas governments, and so are something of a honeypot for cyber criminals.
The Centre for the Protection of National Infrastructure (CPNI) has been aware of the risk that cyber crime presents to the UK’s intellectual property and, after focussing on the commercial sector, highlighted those risks to Vice-Chancellors at their conference in 2012. The advice that was given concentrated on the twenty controls for cyber defence; it was suggested that universities should adopt these in order to protect the research information and intellectual property within their institutions. However, the controls are something of a blanket approach: they fit well for a commercial organisation, where a breach of the rules is likely to result in dismissal, and they fit well for government departments, where strict rules can be enforced relatively easily. Universities, on the other hand, are encouraged to be open. There is a requirement not just to share the results of research openly but also to make the data on which that research was based available so that it can be re-used. Collaborative research, with institutions across the world and with industry, is encouraged. There is a desire for universities to be a focal point in their local community, to foster greater engagement with members of the public and to play a role in regional development. Then there is the university membership – employees, students and visitors connecting their own devices to the campus network. All in all, not the type of environment that lends itself to the rigid, blanket application of security controls.
The need for effective cyber security in the sector is being discussed by a working party convened by Universities UK. There is, I believe, an understanding that the controls need not be applied to the whole of the university estate: most of the data held within an institution is not sensitive, so it doesn’t need that level of protection. However, whilst the locations of corporate data such as student or personnel records are largely known, the same is not necessarily true for research data. It has long been recognised that a significant body of research data is held on individual academics’ PCs and laptops and that this data is not always backed up, let alone secured. Similarly, whilst an administrator is likely to have an understanding of how personal data should be handled, is the same true of a researcher handling sensitive data?
What is needed, as Brian Gilmore pointed out at a recent UCISA event, is a risk-based approach: data needs a level of protection commensurate with its sensitivity. But in order to protect data appropriately, the institution needs to know where it is and understand its value and sensitivity. Educating research staff and changing their behaviours is critical to this and is probably the biggest challenge to effectively protecting the UK’s intellectual property held in our institutions. Once that has been addressed, institutions will have better control of the critical data within their walls.