‘Lack of investment in cyber security is a false economy’
A new government report highlights that senior leadership teams don’t always take cyber security seriously until their organisation suffers a serious attack.
Building on the UK 2021 cyber security breaches survey, researchers carried out in-depth interviews with staff at 10 organisations that had suffered a variety of serious attacks, including phishing and ransomware.
In the resulting report, Exploring organisational experiences of cyber security breaches, interviewees shared examples of how their security posture strengthened following an attack, once senior managers realised the importance of investing.
One IT director, who was able to secure quick sign-off for a new supplier and a raft of preventive measures, said: “I feel a lot happier now.”
A second IT director said the board had agreed to “everything I need” and a third explained that “Before [the attack] I was the man who made it difficult to do things, which I think is standard, but now people understand what they are paying for.”
A head of digital reported that their organisation had subsequently made a “significant investment” to maintain better services, and a further contributor said the attack had “helped accelerate the delivery” of a cyber security programme.
Unfortunately, the frustrations described above are familiar to some IT and security directors in the education sector, who have shared similar anecdotes with us.
While it’s good that positive action can emerge from a crisis, these incidents show a lack of investment in cyber security is a false economy. In our experience, the cost of mitigation and recovery is likely to far outweigh any up-front costs for technical controls and expertise.
Having supported many colleges and universities to recover and rebuild from ransomware attacks over the past couple of years, we know that financial costs can easily top £2m.
Indeed, all 10 organisations quoted in the new government report said they lost money as a result of their attack. Seven also noted customer dissatisfaction and four said the experience had been stressful for employees, all of which chimes with our own 2022 cyber impact report (pdf).
Similarly, we hear that security and IT teams at affected campuses have come under extraordinary pressure and had to work very long hours over sometimes prolonged periods to recover from an attack.
Some ransomware attacks on education providers have wiped out data, disabled business-critical systems and forced campuses to temporarily close, which of course disrupts teaching, learning and other daily operations. That kind of upset is never going to land well with staff or students and can attract media attention, which carries a further reputational risk.
Ransomware is not the only threat that education providers need to protect against: we agree with the report’s sentiment that “cyber crime is a significant and growing business risk, with cyber attacks increasing in both volume and technical sophistication”.
And the report is also right to acknowledge “the need for ever greater levels of vigilance and investment in cyber security”.
As I’ve described above, leaders must take responsibility. The impact of a cyber attack will likely be more severe at any university or college where vice-chancellors, principals and their boards do not take strategic responsibility for cyber security.
- For the latest cyber security thinking and to network and share experience with peers, register for the 2022 Jisc security conference, which takes place on 7-8 November at the ICC Wales, and on 9 November online
- Senior leaders should familiarise themselves with the National Cyber Security Centre’s toolkit for board members, which is meant to answer the question, ‘How do we know what good looks like for cyber security?’
- To complement that toolkit, Jisc has put together a list of 16 questions that leadership teams should be asking to check their cyber security posture
About the author
I have oversight and responsibility for policy and governance related to information security, data and advice and guidance concerning wider regulatory issues that are relevant for Jisc, the Janet network and our members.