As with many other aspects of running a university, the responsibility for cyber security assurance lies firmly with Governors. That might come as a surprise to you, and perhaps not a welcome one, but it makes sense once you think about it. After all, cyber incidents can be extremely costly, hugely disruptive to the day-to-day running of a university and can cause significant reputational damage.
In other words, since cyber security is central to a university’s health and resilience, it needs to be a key priority for boards of Governors.
However, you may feel you don’t know where to start on the topic, or that the subject is too complicated. New guidance from the National Cyber Security Centre (NCSC) has been written to address exactly this in the form of the Cyber Security Board Toolkit.
The Toolkit comprises nine modules that explain the main risks and the mitigations that can be employed to significantly reduce the chance of a major and disruptive cyber incident. It is not meant to be read from cover to cover, but rather used as an online resource that you can dip in and out of to best suit your needs.
For those Governors who feel like they'd benefit from more context, there's a useful introduction to the topic as well as modules on embedding cyber security in the organisation, growing cyber security expertise and getting the culture right.
The Toolkit has been developed in conjunction with boards across industry, including input from university governors at a joint Advance HE / NCSC roundtable held in December. One of the findings from this discussion was that although many universities are acutely concerned about intellectual property theft, fewer were taking seriously enough the risks from untargeted attacks, and many acknowledged they needed to give more thought to how best to manage supply chains in an increasingly digitalised world.
Crucially, each section of the toolkit contains questions that governors might want to ask of themselves, the Board and the university more broadly. These questions are accompanied by examples of the sort of answers that might show what 'good' looks like.
Ultimately our call to university Governors has three parts to it:
- On a personal level: commit to learning the basics about cyber security so you can have useful and informed conversations about security with your technical experts and feel confident asking questions of them.
- As a board: understand cyber security is a collective responsibility, not one to be delegated to a particular individual or committee.
- As an organisation: treat the cyber threat like any other business risk. Spend time identifying your key assets, assessing vulnerabilities and considering your risk appetite. Only then should you consider potential mitigations and take action.
I'll end with the wise words of Ciaran Martin, our CEO. When announcing the Board Toolkit in a speech to the CBI Cyber Conference last year, he said:
“People at board level need to understand the basics – and I stress, basics – of cyber-attacks, cyber risks and cyber defences … we need you to get a little bit more technical. That’s daunting, but it is doable. It’s essential.”
The Cyber Security Board Toolkit will continue to be developed in light of feedback. Do let the NCSC know how you use it and what could be done to make it more relevant or useful to you.