Underscoring the need for awareness training. Only about half of the staff at UK universities have had any InfoSec training.

In a recent report by RedScan pen testers it was revealed that only about half of the staff at 134 universities polled in the UK have received any sort of information security training. Further, about 8% have reported 5 or more security breaches to the Information Commissioner’s Office (ICO) in the past 12 months.

RedScan’s CTO, Mark Nicholls said “UK universities are among the most well-respected learning and research centres globally, yet our analysis highlights inconsistences in the approach institutions are taking to protect their staff, students and intellectual property against the latest cyber threats. The cost of failing to protect scientific research is immeasurable.”

This just underscores the need for Cybersecurity awareness training, regardless of the organisation. Many of the universities have small cyber security teams, which would have been acceptable 20 years ago, when  cyber security was a subset of the IT department. But modern Cybersecurity threats have now moved beyond the capabilities of internal operational IT departments. As with many organisations, universities have limited budgets, making it almost impossible for any one university to stay on top of the current threat landscape.

I propose that a number of universities band together, to form a Cybersecurity group responsible for the confidentiality, integrity, availability and awareness across a number of universities. That way they can take advantage of economies of scale, share the workload and work collaboratively to enhance their Cybersecurity.