
Cyber security skills in the public sector

In summer 2022, professionals from education and from local authorities met for a roundtable. The lively discussion explored a range of cyber security issues that are commonly faced by members of Jisc and Socitm – focusing especially on cyber skills.

Delegates agreed that cyber security is a top priority. But several issues are hampering efforts to mitigate against increasingly frequent cyber attacks.

The conversation uncovered much in common for local government and education professionals. Summaries of what was said are grouped broadly within:

  • Skills
  • Leadership and governance
  • Security controls

Introduction

At the start of 2022, Socitm published our Public Sector Digital Trends 2022 report. In it we talked about the importance of developing new collaborative networks for our members, to share the heavy lifting as more public services move to primarily digital delivery.

We also stressed that cyber remains a priority that underpins everything our members do in the digital space. And with these themes in mind we’ve been working closely with Jisc, the UK’s digital body for tertiary education and research, to explore how we can work together on these and a range of other issues that affect our respective member organisations.

This summer we brought together digital leaders and subject experts from education and from local authorities for a roundtable. The lively discussion explored a range of cyber security issues that are common across our respective members, focusing especially on cyber skills.

As always, I’m grateful to everyone who made time to contribute. The sharing of experiences, insights and ideas about ways to combat the chronic shortage of cyber security skills was hugely helpful. The honest information about what our respective members are doing well, and what they want help with, is informing development of plans at Jisc and Socitm. Expect to see future collaborative initiatives to provide support.

This briefing gives you a flavour of the conversation and a set of recommendations that warrant further exploration. Socitm and Jisc will continue to work together to ensure you have access to the insight and expertise you need, so collectively we can increase the cyber resilience of our members.

Dave Sanderson
Director of member services, Socitm

This roundtable was conducted between representatives from organisations that are members of Jisc and Socitm, under the Chatham House Rule.

‘Recognise cyber threats as a business risk’

In their introductory remarks, roundtable delegates agreed that cyber security is a top priority. But they said several issues are hampering efforts to mitigate against increasingly frequent cyber attacks. These are a few of the comments shared:

“In our organisation we’re lucky to have the technology we need, but we don’t have the skilled staff to deploy it”

“Lack of funds, ageing infrastructure and the nature of open campuses all make the challenges huge in education”

“A lot of support, for example from the National Cyber Security Centre (NCSC), is aimed at the private sector and smaller commercial businesses. Education and public sector bodies are different”

“We can never neutralise the threat, but we need some sort of metrics to measure if we are getting better at dealing with it”

“We need to work and learn with partners around cyber to build inter-agency resilience”

Before going on to talk about how Jisc and Socitm can work together to help our members make speedy progress on cyber security, we felt we needed an update on the cyber security landscape from David Batho. David is senior security specialist at Jisc, working with a team of cyber security experts to monitor current and emerging risks and help Jisc’s member organisations protect themselves against risks and fight off attacks if they occur.

Threat actors are highly skilled

David reported that the first half of 2022 had seen Jisc members in higher and further education face eleven major incidents that impacted business as usual (BAU), including one that resulted in the complete failure of an organisation’s core systems and back-ups.

He said that threat actors are now highly professional, with detailed knowledge about the infrastructure employed in education organisations and up-to-the-minute skills to exploit vulnerabilities. And whereas a couple of years ago it might have taken a few months for newly identified vulnerabilities to come under attack, now it is just a few days before cyber criminals attempt to take down systems, steal information or hold it to ransom, disrupting BAU and creating a major safeguarding and reputational issue.

“At the mid-point of the year, the cost of cyber crime to the education sector in 2022 is already £100m”

David Batho – senior security specialist, Jisc

Fighting with one hand behind our backs?

Skills

Education organisations struggle to find and keep the cyber security skills they need

As we’ve seen, threat actors have leading-edge skills at their fingertips. But back on the right side of the law, education organisations, and public sector ones more generally, face fierce competition for these same skills, which are in short supply in the legitimate labour market. As large sprawling operations, they have complicated infrastructure running multiple systems and technologies. The skillsets needed to monitor and protect all these are vast. Suitable candidates are rare and the private sector can usually pay better and make job offers more quickly.

Delegates are adopting new strategies to overcome the problem.

“Our HR department think they are competing with other education institutions but they aren’t,” said one. “We’ve been restricted by pay bands but now we are looking into market supplements.”

Others talked about the importance of stressing the ‘value-added’ – for example, addressing candidates’ desire for job satisfaction and doing something worthwhile – alongside incentives such as training. For example, several are taking on apprentices, training them up with the specific skillsets they require and accepting that they will either move up through the organisation or move on. One education organisation talked about successes they’re having taking interns from the science faculty into the security team.

“Accepting that there will be a churn is realistic,” said another. “Providing our own tailored training can benefit everyone and build a healthy flow-through if you do some careful succession-planning to anticipate and manage change.”

Leadership and governance

Senior managers don’t always understand the scale and complexity of the cyber security threat

“It’s not like a fire in a building, you know where that is. A cyber attack is harder, for a while you don’t know where it is, how it got in or what’s happening.”

Helping senior managers recognise that this is a business problem, not an IT one, could ensure they commit time, energy and resource to addressing it. But how to do that? It’s an issue that needs more thought and planning, but it’s worth noting that Jisc now has a cyber security community group, open to members in education and research (and also Socitm members), that produces regular threat reports and holds quarterly online sessions to discuss these. This is a tool that will help to keep cyber security high on a board’s agenda.

All our member organisations need ways to achieve this level of board attention for cyber before a major incident in the organisation, not after.

Security controls

Without consistently applied security controls, cyber criminals are pushing against an open door

“Don’t underestimate the value of rigorously applied basic security protocols”

Staff and students using devices remotely cause many of the security headaches in education organisations, and with the rise in home working this issue affects other public sector bodies too. Many large organisations are running ageing legacy infrastructure (described by several as ‘spaghetti systems’) and this adds complications. A disciplined approach to basics like timely patch management, for example, is essential.

So, too, is stringent monitoring so that alerts are spotted and acted upon – David Batho referred to a case where an organisation’s security alert system was flagging the presence of a threat actor but this went unnoticed for a few days, so the attempt went unchallenged.

Jisc say 99% of the ransomware attacks they help members with involve a failure in some aspect of managing active directories. Their key advice in this area? Employ multi-factor authentication (MFA) for all staff and students. There are links to further information, support and advice from Jisc in the next steps section at the end of this briefing document.

Strength in numbers

In looking for ways to address all the issues around cyber and build a strong response to the risk to education and local authority organisations, the conversation circles back time and again to collaboration and skills.

Defining cyber security skills

What skills do we need? With the cyber security landscape changing fast, the skills we need today haven’t existed for long and they may not be the ones we will need tomorrow. So how do we target our search and plan our response to threat?

Delegates talked about collaborative efforts to benchmark what we need within our IT departments now, and anticipate ways to develop these as, for example, asset management and managing MFA evolve. And they discussed being realistic about what we can expect to find in individual candidates. This discussion was summed up by Jisc’s executive director of security Steve Kennett:

“As employers, organisations should think carefully about what they really need when they write a job description. Sometimes that might simply be an enthusiastic, competent person who is willing to develop. Not everyone needs to be good with budgets, for example.”

Championing skills

With so many competing demands for senior management attention, a new approach might be needed to give cyber security the higher-level focus it needs. During the meeting we talked about developing sector champions to explain the complexity and urgency of the issue – as well as the market cost of hiring staff. Someone from outside an organisation could be better placed to reinforce the fact that the risk is real but impossible to describe or quantify.

Jisc estimates the average cost of a ransomware attack at £2m+ and a champion may be what’s needed to emphasise the wisdom of funding prevention rather than cure.

Funding skills

But, of course, perceived new costs at a time of high inflation and looming recession will look unpalatable to senior leaders. Delegates spoke about successes they’d had in securing extra budget; one spoke of going to their audit committee and using the corporate risk register to unlock funding for new posts. That, however, was only part of the solution as the posts remain unfilled due to a lack of suitable candidates.

Pulling together

“We should explore how to build inter-agency resilience and learn how to respond together when things go wrong”

At Jisc and Socitm we see the same issues around cyber security affecting members of both organisations and we’re keen to explore how we can come together to help in developing solutions that help us identify, recruit and train the talent we need to protect members against cyber crime.

Working together more closely will also enable member organisations to:

  • Share intelligence, identify risks, troubleshoot and share good practice
  • Forecast future threats and the likely costs of addressing these
  • Act together to manage escalating licensing costs
  • Procure and share technology that’s in short supply, so we aren’t competing against one another

Jisc, as the UK’s not-for-profit digital body for tertiary education and research, is well-placed to support such an initiative. Jisc and Socitm will be working together over the coming months on an action plan to help members access the cyber security skills they need and boost organisational resilience.

Areas of focus

We want to lead and support our members in keeping momentum on the continuous journey of improving cyber security and addressing cyber skills. The recommendations below were highlighted by our cross-sector roundtable and are the starting point for us to draw on our collective expertise and incite change.

  • Educating/training:
    • a) Executive leadership on cyber investment and methods to help make the business case, e.g. engagements that can help executive leadership understand the investment needed in cyber security, and how to know if that investment is being successful
    • b) General staff: Information security training and cyber awareness
  • Resource: A cyber skills matrix – What skills do you need (whether within your team or to outsource) to manage and maintain (not just deploy) XYZ cyber capability, for example, MFA. Ideally with costs associated
  • Recruit/maintain cyber skills:
    • a) Case studies / ideas / stories related to recruitment and retention: e.g., what makes the public sector attractive?, growing skills through apprenticeships / graduate schemes, thinking differently about recruitment etc.
    • b) Guidance: sharing timely guidance to include zero-day attacks
  • Single policy voice: Providing a single unified voice on policy. Specific example given is that Cyber Essentials + is not designed for the complexity of our organisations and therefore not necessarily an appropriate vehicle
  • Geographical syndicates on skills/resources: Similar to WARPs across sectors

Next steps

Socitm and Jisc commit to working together to ensure we collectively support our members to improve their cyber posture. Relevant information will be updated on Socitm’s resource hub.

However, in the meantime, here are some quick and practical actions you can take now to continue improving your cyber posture.

Connect

Join an existing community to hear and share effective practice:

Learn

Improve and refine your knowledge to improve cyber skills:

Implement

Building solid cyber practice and culture together: