
Exercise in a Box

06 Jun 2019 | David Williams

The National Cyber Security Centre has released a new online tool likely to be of interest to Governors and senior managers. The tool is designed to improve the preparedness of an organisation in how best to respond to any cyber-attack which gets through their defences.

Why worry?

Governors and governing bodies are responsible for exercising oversight of a provider’s activities and protecting its reputation. Cyber-attacks pose risks to the provider’s systems and effective operation. They have the potential to cause significant financial and reputational damage.

Providers need to be vigilant at all times. The risks are not diminishing, and the form of cyber-attacks is constantly changing.

National Cyber Security Centre 

Created in 2016, and part of GCHQ, the National Cyber Security Centre (NCSC) seeks to ensure the United Kingdom is the “safest place to live and do business online.” In addition to the Cyber Security Board toolkit, as part of its work the NCSC, working with Advance HE, has hosted two Round tables (see, for example, Round table 10). A key point is that all higher education providers face threats.

The role of Governors

The role of Governors and governing bodies is to seek assurances from management that the provider has the necessary resilience to withstand cyber-attacks, and that consideration has been given to how it might effectively respond to a major attack should one occur.

Exercise in a Box

To improve the preparedness of organisations the NCSC has developed a new toolkit: Exercise in a Box. The tool is of benefit to all private and public organisations, with specific pathways designed for small and medium-sized enterprises and local authorities.

Exercise in a Box provides organisations with a “number of scenarios, based on common cyber threats,” which allow the user to explore how they might best respond.

The tool is provided free, although accessing the tool requires users to register with NCSC, and a video providing a brief introduction to Exercise in a Box is available here.


Once registered, users gain access to a general guide and the materials allowing participation in a number of exercises. These are:

1.    Discussion exercises (each exercise is estimated to require 30 to 90 minutes to complete)
a.    A phishing attack which leads to a ransomware infection.
b.    Mobile phone theft and response.
c.    Being attacked from an unknown Wi-Fi network.
d.    Insider threat resulting in a data breach.

2.    Cyber threat simulation exercises (estimated to be 3 to 4 hours)
a.    A simulation that allows the user to see if they can locate and stop a mock threat. 

Using the materials

The different scenarios and accompanying materials can be used in a variety of ways. For example, they might be used by the provider’s management team to discuss and test how they might respond to a given cyber-attack. Equally, the discussion exercises might be used as part of a governing body’s strategic away day, allowing governors to gain increased awareness and understanding as to how the provider might best respond should a cyber-attack initially succeed.


In a higher education policy environment where there is much uncertainty, it is all too easy to downplay the risks associated with cyber security. This would be unwise, however, as anecdotally a significant proportion of providers have been subject to attack. Further, it is unlikely that the scale or sophistication of these attacks will diminish any time soon.

Governing bodies would be well-advised to seek assurances from management that not only are the provider’s systems and procedures resilient, but, should an attack get through, the provider has considered how best to respond. With this in mind the NCSC’s new toolkit is likely to be of interest.

