However, Dr John Chapman, Jisc’s director of information security policy and governance, who runs the annual survey, warns the threat environment remains challenging and there’s no room for complacency.
Carried out in June 2022 and receiving 123 responses from UK institutions, the survey shows almost all 97% of higher education and 94% of further education providers have cyber security on their risk register, a rise of two and five percentage points respectively when compared to 2021.
High numbers also regularly report on cyber risks and resilience to their executive board; 87% of HE and 79% of FE organisations.
Dr Chapman explains why this is important:
“A robust cyber security posture is only possible with strong leadership and we cannot emphasise that enough: board members must be accountable and responsible for cyber security governance and risk management.
“Organisations where senior teams don’t understand that cyber security is a strategic priority are less likely to have the kind of investment, robust processes and technical measures in place to defend well against the growing number of threats.”
Assessment of cyber security
The stats also suggest that creating a strong cyber security posture remains a challenge. When asked: ‘How well do you feel your organisation is protected?’, HE organisations are cautious, with only 16% (10 out of 62 institutions) scoring themselves eight or more (where 10 is best protected).
Perceptions are more positive in FE, with 39% scoring their organisation eight or more.
Comments around this question suggest that organisations rating themselves five to seven have controls in place but understand there is always more to be done to keep up with threats.
For those scoring eight to 10, the importance of robust systems and processes were key themes, along with audits, certification and external support.
Dr Chapman continues:
“Colleges and universities are right to be circumspect about cyber security. Certainly, there remains a minority of tertiary education providers that are not as well protected as they should be – and this is where Jisc can support. Member organisations can access our expertise and range of services to help assess and strengthen their cyber security posture.”
Ransomware/malware is named in the survey as the top threat for higher education (HE) organisations, with phishing /social engineering the number one threat for further education (FE). Unpatched vulnerabilities take third place for both HE and FE.
Compulsory security awareness training is more common for staff than students, with 84% of HE and 77% of FE organisations implementing this. As in previous years, FE organisations (21%), are more likely to run compulsory student training than HE (5%).
Dr Chapman continues:
“Top threats identified by colleges and universities are similar to 2021, which is unsurprising given the persistence of ransomware attackers targeting the sector over the past two years. In 2020 there were 15 serious ransomware attacks on HE and FE providers in the UK, with 18 in 2021 and at least 11 so far this year.
“Accidental data breaches rank fourth on the list of threats, so I’m pleased to see an upwards trend in security awareness training, although ideally, mandatory training for students would be more widespread.”
Download the survey reports
Jisc is launching a campaign, ‘defend as one’, to unite higher and further education in a common cause - to build robust defences across the sector. Members can sign up to receive personalised instructions on how to improve cyber security posture across their organisation.