UCISA has launched an excellent new resource to help institutions plan the communication response during a major cyber incident. The Cyber Incident Communications Toolkit, developed by the UCISA Security Group, focuses on the importance of collaboration both internally and with partners to ensure provision of an effective and coordinated communications response with students, staff, funders, and other stakeholders.
I had the pleasure of talking at the launch event, and gave the following overview of the security landscape to explain why this toolkit is needed and how Jisc can help you when you are attacked:
As you all know, the security landscape isn’t getting any quieter. Ransomware incidents continue to affect our members and in the past 6 months there has been a spike in activity from the ransomware group Vice Society targeting the education sector. This has been noted internationally, by our partners in Europe, the US, Canada and Australia, but also seen clearly in the UK. This is continuing a trend of the last few years with 15 serious ransomware incidents occurring in the sector in 2020, 18 in 2021 and at least 15 last year.
The increase in serious incidents resulted in the National Cyber Security Centre issuing an unprecedented three alerts to the sector between September 2020 and June 2021.
Like all internet-connected organisations across all sectors, the education and research sector must routinely defend against a high volume of relatively unsophisticated, but incessant, speculative and opportunistic attacks. Protecting against these, many of which can be prevented by implementing basic security controls, must form the foundation of all organisations’ security strategies.
However, the nature of our sector, its ways of working, the breadth of activities and the huge range of data and information handled combine to make it an attractive target for much more sophisticated and determined attackers, including state-sponsored groups.
While basic controls are a crucial part of organisational defences against all threats, sophisticated state-sponsored attackers have the skills and incentive to take the time and trouble to circumvent them. In comparison, speculative attackers are more likely simply to target another less well-defended organisation instead. The sector must be ready and prepared to defend against both types of attack and to know what to do when attacks are successful.
The sector’s security challenges are exacerbated by institutions’ necessarily large, complex digital infrastructures, and the cultures of open access and collaboration necessary to facilitate a broad range of effective and efficient teaching, learning and research activities. This creates a very large potential attack surface of networks, devices and internet-facing services for attackers to exploit.
A successful defence is dependent upon establishing and maintaining a strong security posture. The model Jisc promotes comprises four interrelated components, or pillars, underpinned by a foundation of dialogue, all of which must be in place to sustain an effective defence-in-depth approach:
• Governance – this relates to an organisation’s overall approach to identifying and managing cyber security risks. Activity in this area should ensure both that a strategy is in place and that the required structures, policies and resources are in place to deliver it. Strong governance and leadership demonstrate that organisations take security seriously.
• Assurance – assurance activities should encompass both internal and external review and audit, to check if the organisation is doing everything it should be in the manner that it should be. External review should be based on an appropriate framework, such as Cyber Essentials or ISO 27001, but compliance must be regarded as a baseline or starting point for assessing risks and their mitigations, not the end goal or a tick-box exercise.
• Technology – this encompasses the broad range of systems and infrastructure all organisations now depend upon. In this context it relates not only to specific security components and services, such as firewalls and multi-factor authentication, but also to ensuring that security is embedded across all operations, configurations and working practices.
• Culture – this should ideally encourage open, honest and transparent consideration of security and its importance across the entire organisation. Key to this is ending or preventing a culture of blame. Individuals must feel empowered to report issues, incidents and concerns, even (or perhaps especially) if or when they think they may have done something wrong.
These four interrelated posture pillars are dependent upon open and transparent dialogue and communication across the organisation. Never discussing security, leaving it on the “too hard” pile, “kicking the can down the road”, or workplaces where people feel unable or are not supported to raise security issues or concerns, can only be detrimental to security posture.
Strengthening security must be recognised as an ongoing whole-organisation issue: IT and security teams have a hugely important role to play but cannot be successful if they are working in isolation from and are not appropriately supported by the rest of the organisation.
Increasing your security posture is essential, but the reality is there is no such thing as 100% security.
As well as ransomware incidents, Jisc CSIRT is constantly helping members respond to security breaches, credential thefts, denial of service attacks and more. And knowing how to respond to such incidents is crucial to minimising their impact. The proverbial wisdom “fail to prepare, prepare to fail” is very apt when it comes to incident response, and having senior support, technical controls, and training and awareness in place will mean far less pain, misery and expense when – not if – you have an incident.
Good, effective communication is a key part of this, so Jisc very much supports the UCISA Cyber Incident Communications Toolkit.
I’ve not got much more to say because the toolkit communicates everything clearly, but I’m particularly grateful that the toolkit includes the reference to the requirement in the Janet Security Policy to report incidents to Jisc. Every organisation connected to the Janet network must have a designated Security Contact with appropriate knowledge, skills, resources and authority to fulfil their role. Part of that role is that they must notify Jisc of any significant incidents or attacks which:
• have the potential to disrupt the continued operation of their organisation;
• carry a likelihood that other organisations may experience a similar attack, or that the incident could spread to those organisations;
• could have a negative impact on the reputation of the education and research sector; or carry the likelihood of Government or national media interest.
And that last point is particularly important. Ever since the infamous TalkTalk breach from 2015 that Jason mentioned, national media has taken a very keen interest in cyber security incidents and handling communication appropriately is crucial.
The final point from me is just a reminder that Jisc CSIRT is there to help you prepare for, detect, analyse, contain, and recover from cyber security incidents. Even if you don’t need assistance, Jisc CSIRT would still really like you to contact us as your incident may be part of a wider campaign and any information that can be provided may help other Janet-connected members.
The Toolkit and accompanying resources are available to UCISA members via login at https://www.ucisa.ac.uk/Events/2023/March/Cyber-Incident-Communications-Toolkit/Event-Other-Info-List/resources