Why cyber-security is never ‘done’ - Dr John Chapman
Dr John Chapman
Over the last couple of years, a long line of industry experts have been quoted in the media explaining why the UK education sector is a target for cyber-attackers, and ready with guidance on how schools, colleges and universities should protect themselves.
While the advice is usually sound, it’s wrong to imply education is any more a target than other sectors. I also take issue with some of the more alarmist language: for example, just this month, one US cyber-security solutions provider chief information security officer unhelpfully described academic institutions as “sitting ducks”.
It’s irresponsible to pick out particular organisations or sectors as easy targets. The statement is also sweeping and inaccurate because it does not represent reality in the UK. I know this because, as the UK tertiary education sector’s expert digital body, Jisc has access to excellent information sources on the topic of cyber-security at colleges and universities.
Together with various security professionals, particularly at the UK’s National Cyber Security Centre, we gather and share knowledge and experience of cyber threats and attacks with our members; our experts talk daily to IT and security staff at colleges, universities and research centres; and we also conduct an annual cyber-security posture survey among those member organisations.
The real picture is far from rosy, though. It is a certainty that across sectors not all organisations are as well protected as they should be, and the same applies to tertiary education providers. Indeed, our 2022 survey suggests that creating a strong cyber-security posture remains challenging.
For example, when the survey asked “how well do you feel your organisation is protected?”, higher education (HE) respondents were cautious. Only 16 per cent scored themselves eight or more out of 10, suggesting strong awareness of the threat landscape. Further education replies were more positive, with 39 per cent scoring eight or above.
Comments around this question suggest that organisations rating themselves five to seven have controls in place, but feel they could do more to keep abreast of threats. For those scoring eight to 10, robust systems and processes were important themes, along with audits, certification and external support.
What is heartening is that survey results over the past six years indicate the general picture is improving. The 2022 survey report, which received responses from 123 organisations, indicates that cyber-security remains a high priority among senior leaders at UK colleges, universities and research centres.
Almost all responders – 97 per cent of HE and 94 per cent of FE providers – have cyber-security on their risk register, a rise of two and five percentage points respectively compared to 2021. High numbers also regularly report on cyber risks and resilience to their executive board (79 per cent of FE organisations).
This is important because senior leaders should take responsibility for cyber-security governance and risk management. In our experience, organisations where senior teams don’t rate cyber-security as a strategic priority are less likely to have the kind of ongoing investment, processes and technical measures in place to defend well.
Over the last couple of years, ransomware has become – and remains – a well-documented danger to all kinds of organisations across the globe, educators included. In 2020, there were 15 serious ransomware attacks on HE and FE providers in the UK, with 18 in 2021 and at least 11 so far this year.
So, ransomware is rightly named in the 2022 survey as the top threat for HE organisations, with phishing/social engineering second. These places are switched for FE, with unpatched vulnerabilities taking third place for both HE and FE. This is a similar picture to 2021.
Accidental data breaches rank fourth on the list of threats this year, so I’m pleased to see an upward trend in security awareness training, although ideally, mandatory training for students would be more widespread.
Compulsory security awareness training is more common for staff than students, with 84% of HE and 77% of FE organisations implementing this. As in previous years, FE organisations (21%) are more likely to run compulsory student training than HE (5%).
More and more providers are recognising that in-house expertise is a critical piece of the cyber-security jigsaw. A total of 90 per cent of HE respondents report they had specialist staff in place this year.
The figure remains lower in FE, at 33 per cent, probably reflecting the fact that colleges find it more difficult to compete with the large salaries offered in the private sector. On the plus side, this represents a ten-fold increase since we first ran the survey in 2017.
Taking the survey stats and other information available to us, my conclusion is that, while there is a growing understanding of cyber risks within our sector, threats are still a huge problem. And it’s not going away anytime soon; just like the laundry, cyber-security is never “done”.
The views expressed in Think Further publications do not necessarily reflect those of AoC or NCFE.