This presentation is about the need for cybersecurity governance in universities. Recently, insurance underwriter Lloyd's of London, working with the University of Cambridge, calculated that our region was exposed to over $16 billion of cyber-attack risk. The presentation will explain the increasing risk to universities by drawing on case studies of actual cyber disasters at universities and examining both the causes and the consequences of these events: consequences which have dented finances, tarnished reputations and had repercussions up to the Vice-Chancellor and beyond. The presentation will also suggest a practical approach for implementing effective cybersecurity governance to mitigate these risks.
By all accounts, the President of the University of Maryland was somewhat disappointed to learn, in February 2014, that hackers had stolen personal data including names, dates of birth and social security numbers of 309,000 staff, students and others from the University of Maryland. Since the incident, the President has appointed a new CIO, has gone on YouTube to apologise, has been grilled by a US Senate Committee, has paid for five years’ worth of identity theft protection for those who were affected and has reportedly said that the cost to the university is in the order of tens of millions of dollars.
Sadly, there have also been many instances of data breaches reported from other universities, including the University of Greenwich in London, which had two attacks in 2016 in which personal student information was stolen and made available on the internet. In Australia and New Zealand, different legislation has meant that there is less requirement for disclosure, but that is changing.
Within universities, this is an issue of institutional governance. In an open institution, managing the balance between opportunity and risk in cybersecurity is difficult but essential, and the increasing risk of cyber-attack brings the potential for significant reputational and financial damage as well as the possibility of investigation by regulatory bodies. This is no longer just an issue for IT, as it impinges on university-wide risk and the trade-off between cost and risk at an institutional level. It requires implementing sound governance of cybersecurity across the university as part of the risk portfolio.
This presentation will examine some case studies of cyber disasters at universities and will suggest a practical approach for implementing effective cybersecurity governance to mitigate risk, keep the Vice-Chancellor out of jail and save the university significant cost. It might even save the CIO!