Academia is ‘waking up to cyber security’

Interview: Steve Kennett, security director of Jisc, outlines the services it provides, points to five key steps for protection, and says the universities, colleges and research bodies are becoming more aware of the risks

Academic research might not be the most fertile landscape for nightmares about data security – the scope for harm is not as obvious as in areas such as health and social care or financial records – but Steve Kennett says its institutions have to be as wary of the threats as any.

Steve Kennett“We’ve got lots of people there, universities doing research, handling sensitive information and creating intellectual property. Information is the key that everybody wants,” he says.

As security director of Jisc he is at the centre of efforts to protect the sector against cyber threats, working through the organisation’s role in providing digital solutions for universities and colleges, and in running the Janet research network.

He initiated a major change in its approach to cyber security at the beginning of this year, shortly after stepping into the role, when he pulled the previously disparate elements of the effort into a single division. It was aimed at providing better oversight and control, improving the flow of information between teams and making them quicker to react to threats, and has adopted an approach based on the principles of the National Cyber Security Strategy – defend, detect and deter.

Taking the lead

“We take the lead in coordinating a response across education research, deal with security incidents, work closely with the National Cyber Security Centre (NCSC), link with their operations centre, look at what they are doing in strategic initiatives and try to map them into what we are doing,” he says.

“You can break down what we do into three simple things: protecting the network; protecting our members and customers; and helping them protect themselves. Not only do we protect the Janet network, but we help them understand how to protect their own networks.”

The division has about 40 people working in three teams: a security operations centre, including response specialists and DDoS (distributed denial of service) analysts; a professional services element for tasks such as penetration testing, web filtering and certification; and a team looking at critical infrastructure and research and development. The latter group is responsible for horizon scanning, an element of the three-year rolling plan that determines much of the division’s work.

He says the advantages in this are that it creates a team with strong expertise and which has a view across Jisc, and of how others are using the Janet network. 

Protecting the network also provides a major challenge, with connections to between 900-1,000 institutions, and Kennett says they all have to play their part. This underlies a lot of the work done by the cyber security division, aimed at developing a strong culture throughout the higher education sector.

Cyber Essentials

To this end, he emphasises the importance of following the NCSC’s Cyber Essentials guidance, rating it as a necessity for any public sector organisation. Jisc has set up a scheme in which one of the team goes out to members every couple of years to help them go through the list to develop good practice, and often nudges them towards the more demanding requirements of Cyber Essentials Plus or even the ISO 27000 group of information governance standards.

Over the past year the division has launched new services for the sector. They include a vulnerability assessment system, run with cyber security company Khipu, that involves scanning a network to identify any vulnerabilities and providing any necessary patches.

Another is a ‘phishing as a service’ scheme. It involves a dummy phishing attack to show up the scale of the threat and identify areas of risk, and comes with training courses delivered online and an option for Jisc cyber staff to go to the user’s site.

There is also in-house penetration testing, which tries to find ways into a network to identify vulnerabilities, followed up by providing any security patches that are needed.

Others include an audit of an organisation’s infrastructure, and a ‘cyber x-ray’, which involves liaising with finance teams to track down all the hardware that has been purchased, building a picture of the infrastructure and providing any necessary patching.

Five steps

Kennett also outlines five key steps to strengthening defences and building a better culture: “Back up your information, keep your technology up to date, have an incident response plan, maintain and invest in the security of your devices, and assess the risks of exposure.”

He sums it up in terms of breaking down the risks.

“We’re trying to remove the risk for our members. In the business of cyber security it’s not about bits of tin and hardware, but about looking at and mitigating the risk.”

He shares the view of most cyber security specialists that it is not all about technology, but educating people throughout an organisation and ingraining good habits. This is a big challenge in higher education, where millions of students have access to its institution’s networks, and he says it needs a sustained effort to ensure they take precautions such as protecting passwords and locking devices when they are not being used.

“It’s about generating a good cyber culture,” he says. “Technology isn’t always the answer.

“It’s a big complex subject, about the technology, the people, the services.”

Advocating collaboration

Kennett is also an advocate of a collaborative approach to defending against cyber threats. Jisc recently went public with its role in the Atlas project, a partnership that involves sharing anonymous data traffic with Arbor Networks to feed into its intelligence on DDoS, malware and botnets.

“When we talk to other organisations it’s important that we all build a better understanding. If we can help people with research, understand how threats evolve, we are quite happy to work with institutions. I’m a strong believer that we should not keep cyber security in the dark.

“There are elements where you don’t want to give away your capability; but I think that not just academia but UK plc needs to share more information about threats. The more we can see, the more we can make it safer.”

One of top five

As for academia’s general attitude towards cyber security, nationally and internationally, Kennett has a positive outlook. He says it is in the top five sectors for its efforts, points to an increase in the number of chief information security officers and data protection people, and says they are very aware of the risks to users and systems and of the possible reputational damage.

“I’m really pleased to see everybody treating it with the right regard and respect,” he says. “Some are more advanced than others, and some did not have a lot to achieve, but as a sector academia is really getting its act together.

“That goes globally as well. I link in with equivalent networks overseas and we now have a cyber security working group. We’re talking about how best to deal with threats as a group, sharing intelligence.

“Everybody in the academic sector is waking up to this issue.”