Information systems and cyber security

This article was previously published on the Leadership Foundation website.

Most of today’s key information systems are no longer paper-based, but electronic. The recent experience of TalkTalk has led to nervousness amongst many organisations as to whether their systems are sufficiently robust and resilient to withstand intrusion by those who have criminal intent and seek to obtain financial and personal data.

While higher education institutions (HEIs) may feel they have less to fear than broadband or retail companies, they cannot be complacent.

Detailed knowledge of information systems and cyber security is frequently an area of weakness for many governing bodies. The predominant age groups and backgrounds of many governors, and often the executive team, mean that few governing bodies have security experts amongst their membership. Members are themselves normally ‘digital immigrants’, rather than ‘digital natives’.

So what are governing bodies to do? First and foremost, they need to be confident that the institution’s systems are sufficiently robust and resilient to withstand attempts to gain unauthorised access. Governing bodies will have greater confidence about any assurance if, for example, the information systems have also been subject to thorough testing and probing by an independent and external body.

Most internal auditors employ specialist staff and provide a service to test an institution’s systems to establish their resilience to withstand cyber attack. An institution’s Audit Committee should consider whether it needs to request the internal auditor or alternatively a specialist security company to simulate potential cyber attacks and test the institution’s defences.

While HEIs may believe they are not exposed to the same degree as many commercial business, they would be unwise to ignore the risk of service disruption and reputational damage that a cyber attack could bring.