Digital networks and digital information are such core elements of the lives of organisations and private individuals that cyber threats that undermine our confidence in their security risk undermining their transformative benefits. Equally, increasingly restrictive controls imposed in the name of security risk undermining the very value that these new technologies potentially bring. These questions are complex and are becoming increasingly important as the online threat from states and criminals continues to grow.
As part of our conference looking at cyber security in higher education, we are publishing a report exploring how some of these issues apply in higher education. It is not aimed at a technical audience; rather, it looks at the management steps that universities need to consider. Based on the work we have undertaken to date, it is our belief that the technical expertise to implement appropriate and proportionate targeted controls is already largely available to universities. We recommend that institutions develop decentralised approaches to cyber security that account for the diversity of practices and priorities found across universities, based on three broad steps:
- Identify valuable information, assessing its risks and management priorities. Only a third of Chairs of FTSE 350 companies believed they knew what their data assets were as part of their responsibilities of protecting their institutions.
- Establish appropriate oversight and communication between the board, as owners of the responsibility of managing institutional risks, and the owners and controllers of data, who are best placed to assess the value and risks of information.
- Implement security controls – security controls need to be targeted on the basis of risks, with the tightest controls focused on information that is both high value and high risk.
Establishing ownership of cyber risks at board level and identifying valuable information is an essential first step in striking an informed balance between protecting information and other data management priorities. This calculation is important in higher education, where data is linked to the ‘enterprise’ as well as being an intellectual asset produced by research. Many forms of data are already subject to data management standards, such as when accessing patient-identifiable data from the NHS. However, the challenge of assessing risks is particularly complicated where the potential value of certain types of information may need to be taken into account.
Data management priorities in institutions are also informed by practical and cultural factors that place a great value on openness. Research often requires open exchange and dialogue, placing a greater priority on usability over security. Publishing is increasingly moving toward open access and open data. However, even within this increasingly open landscape, cyber threats can still represent significant risks to the integrity of data before and after data is published.
Ultimately, developing the right response to the cyber threat is as much a cultural as a technical question. Research and knowledge management policies will need to consider how they can provide researchers with infrastructure that gives them appropriate levels of security. Likewise, all members of an institution will need to understand the threats facing the institution and their front-line role in appropriately securing their data. In the long run, many of these lessons will apply far beyond just our working lives.
Will Hammonds is a policy researcher at Universities UK.