The type of organisation that is arguably most at risk of cyber crime…
You don’t need us to tell you that the wealth of digital information, and the ease with which it can be shared, means cyber security is a growing issue that all organisations need to address to succeed.
While many associate cyber security with big businesses – often in the financial and technology sectors – there is another area that at present is generally not giving cyber security the attention it requires.
That sector is higher education and, specifically, universities.
Research shows that Universities rank near the top when it comes to data-security incidents, and there are two main reasons for this:
1. An open, collaborative environment
Universities arguably have the most open and collaborative environments of all organisations. Students, teachers, graduates, visitors, businesses and researchers use a range of devices, digital tools and applications to access, collaborate on and share information across what can be a global network.
2. Types of information available
The information available on a university's network can include confidential student information such as personal, medical and financial details, as well as a wealth of intellectual information and research that could be used to benefit commercial activities.
Hopefully it is clear as to why cyber criminals are attracted to universities. To summarise, it’s because:
Universities have information that is both accessible and valuable – the perfect combination.
What should universities be doing?
Of course universities need to implement security technologies to protect against cyber attacks. But at the same time they do not want to inhibit or shut down their open, collaborative culture.
Instead, they should begin by identifying the areas of their network that require the greatest protection (predominantly based on the sensitivity and value of the information that can be accessed there) and implement appropriate security controls. These controls should still allow the network to function in the interests and needs of students and teachers, and so support the success of the university.
Universities need to understand that it is about risk management, not risk removal.
Building on this ethos, universities need to make it clear that cyber security is ultimately a responsibility that should extend across the whole institution. It should not just be the concern of the IT/digital department.
A culture of cyber security needs to be built (especially so because the majority of cyber attacks and data loss/theft can be attributed to human error). To do this, universities need to begin by focussing on increasing awareness of cyber security, and then educating and training everyone on it. This is where effective internal communications are required.
Internal communications will, amongst other things, be responsible for:
• Classifying the behaviours that are placing information at risk, and identifying areas of priority.
• Creating awareness campaigns (and materials) based around the behaviours that pose the greatest threats.
• Establishing training programs and materials, and leadership toolkits in order to change behaviour so that individuals follow the correct procedures when faced with risky situations.
• Forming risk management policies, to be followed after a loss/breach of data, helping to reduce the potential impact of the data loss.
• Keeping up to date on the changing threats and risks to inform continual awareness and behavioural change.
• Continually cultivating the security-conscious culture, which can be achieved through the use of ongoing communications/campaigns and through security champions (selected teachers/lecturers or students).
It is an obvious point to make, but:
It is the users of the network who are crucial to the security success of a network.
The users of a network should be able to identify whether their behaviour is posing a potential security risk and, if so, act accordingly based on policies and procedures learnt through awareness campaigns, education and training programs, all of which will only be achieved as a result of effective internal communications.
Internal communications are vitally important for all organisations trying to improve cyber security. Although if you had to identify the type of organisation where internal communications could be said to be the greatest defence against cyber attacks and data loss, no one could really argue with you if ‘Universities’ was your answer.
Unsurprisingly, we are working with organisations of all types (including Universities) on using internal communications to increase awareness of threats and risky behaviour, and to educate and train individuals in order to change behaviour. We are very experienced in this area, so please get in touch if you would like our assistance.
Until next time…