The recent global ransomware attack by WannaCry has reinforced awareness of everyone’s vulnerability to attack in the cyberrealm, whether it is against individuals or corporate entities.
Given that information and know-ledge are the stock in trade of universities, it’s not surprising that cybersecurity is among the top risks faced by institutions such as the University of Cape Town.
Not only do university information systems contain the names and contact details of thousands of students and staff members (including banking details for staff) but also contain other valuable information: research statistics, intellectual property and health information from medical and science labs, to name just a few examples.
All that information needs to be protected. In addition, university information systems themselves are powerful tools that hackers like to take over and use for their own illegal purposes.
The challenge for university cybersecurity is to govern security in a way that doesn’t hamper research, teaching or learning. Educational institutions require flexibility. For instance, more and more university lecturers are incorporating blended learning into their course content, when it’s appropriate.
Blended learning allows students to access learning resources for a specific course online at any time of the day. And staff members often need access to the university system when they must work away from campus, during evenings or weekends when they are at home.
This means that UCT, for instance, can have tens of thousands of users logged into its network at any time, from anywhere in the world, working at different levels of access to university information and its information system’s analytical and processing power.
UCT is the first university in South Africa to develop a cybersecurity strategy. In summary, we have followed these basic steps.
Decide on a framework
There are a host of systems available around the world. We selected the cybersecurity framework provided by the National Institute of Standards and Technology in Maryland in the United States. The framework involves five cybersecurity steps: identify, protect, detect, respond and recover.
Identify problem areas
Outside contractors can assist with this process. BitSight, for instance, provides a security ratings scorecard that is so well regarded that a good BitSight score may help to reduce cybersecurity insurance premiums.
Factors to benchmark can include the number of security incidents reported in a month or a year, cybercrime incidents, hacking incidents, software piracy, and the unauthorised use of the internal email system, to name a few.
Know where you want to go
One of our primary goals has been to raise awareness of cybersecurity and how to report security issues. In October 2015, for instance, we initiated cyber workshops.
Building awareness has been a key achievement and we have been rewarded by a good response from UCT staff and students, who are keen to bring suspicious emails and other security issues to our attention.
Other milestones include allocating a significant cybersecurity budget, establishing South Africa’s first university-based computer security incident response team with technical expertise, developing the country’s first cyber and information security policies for a university, and training 80 staff members in basic cybersecurity.
Identify barriers to plan
Among the barriers is the matter of university policy taking years to be written, revised and finally passed. Budgets have to be adjusted to accommodate the costs of cybersecurity, including possibly upgrading technology.
An early barrier can be cultural: making people aware of the need for cybersecurity. In spite of the many news reports about cyberattacks, hacking, phishing scams and banks that have lost depositors’ funds because of cybercrime, many people remain unaware of the risks.
Measure the plan’s success
UCT measures the number of things, including phishing emails, that are reported, such as virus attacks, attacks on the web server, reports of spam, incidents of suspected criminal activity, and malicious code and malware activity. We also have the ability to measure our suppliers for similar factors.
Other South African universities have been keen to learn more about creating a cybersecurity strategy, and we have been communicating with them. Last year, information technology staff from several universities attended a two-day workshop at UCT led by a Canadian cybersecurity specialist.
Like every other South African university, UCT belongs to the Association of South African University Directors of Information Technology (Asaudit), which provides a platform for sharing know-ledge and opportunities for networking, engagement and collaboration.
We have been asked to make a presentation at the national Asaudit technology event in June. UCT and Dimension Data will run the first Cybersecurity Symposium Africa from July 17 to 19. For more information, visit cssa.uct.ac.za
Sakkie Janse van Rensburg is the executive director for information and communication technology systems at the University of Cape Town