Raising Cyber Security in Higher Education through Coordinated Efforts: Good Practices from France

15.08.23

Cover image of blog entry "RAISING CYBER SECURITY IN HIGHER EDUCATION." Subtitle: "A blog post by Channa van der Brug and Pierre Boulet. Good Practices from France. Image at right shows a lock on a keyboard. Logo on bottom right: Hochschulforum Digitalisierung.

The digital transformation of higher education has revolutionised how universities operate and engage with their stakeholders. However, it also brings new challenges, for instance in the realm of cybersecurity. The rising number of cyber attacks on universities – as Hans Pongratz, expert at the Zentrum für HochschulBildung (zhb) of TU Dortmund, also pointed out at the latest edition of U:FF – shows that protecting sensitive data, safeguarding information systems, and mitigating cyber threats are crucial responsibilities for universities in the digital age.

In this blog post we will explore common cybersecurity challenges faced by universities, best practices of the University of Lille as well as French national efforts and points of attention for Germany. The University of Lille serves as an excellent example of proactive cybersecurity measures with a focus on fostering a culture of awareness. We had a chance to speak with Pierre Boulet, Vice President for Digital Infrastructure and president of the professional network association L’association des vice-présidents en charge du numérique dans l’enseignement supérieur.

Understanding the Challenges

According to Boulet, decision-makers often lack a comprehensive understanding of the intricacies of technology. This makes it essential to first raise their awareness about cybersecurity risks to prioritise the issue. French institutions face tough funding conditions too, but leadership must allocate adequate resources to develop effective, dedicated policies and procedures. According to Boulet, this means that 10% of the total IT budget of an institution would need to be assigned to cybersecurity.

“We have put a lot of effort into organising fire protection and safety, but today, the risk of a cyberattack is much more probable than a fire and must be a strategic priority.”

Lille has close to 80,000 students and a large campus with old buildings and high maintenance costs. The university struggles to assign 10% of the IT budget to cyber security, but takes a proactive approach on key priorities nonetheless. 

Developing and Implementing Cybersecurity Policies and Procedures

The University of Lille has made significant strides in developing and implementing policies and procedures. While cybersecurity is not explicitly mentioned in the University of Lille’s overall strategy, it does hold a significant position within their digital strategy. Boulet points out that monthly meetings with chief information security officers, IT staff and data protection officers, held to ensure regular evaluation and prioritisation of cybersecurity, lie at the heart of organising its efforts, such as:

  • Mapping staff devices and current security levels
  • Performing penetration testing to identify vulnerabilities
  • Forcing password changes for all accounts to improve security
  • Participating in regular phishing exercises (facilitated by the French national agency)
  • Educating staff and students
  • Seeking collaboration with other universities and policy makers to align efforts

Bringing different stakeholders around the table might seem obvious, Boulet says, but “knowing what to protect and where to put the effort is important. If you ask 10 people about this, you will get 10 different answers”. From his experience, identifying a team that can drive discussions across a university is an absolute need. In the event of a major cybersecurity attack, it is imperative to respond swiftly to minimise damage. Network and server isolation and a near-forensic analysis to understand the breach are key steps that need to be taken, according to Boulet: “Only when you understand what has happened can you correct and restart, and this takes valuable time.”

Striking a Balance between User Convenience and Control

Under Boulet’s guidance, the University of Lille has implemented multiple measures to protect sensitive data and information systems. These include robust data backup procedures (2 online and 1 offline storage to ensure minimal data loss), securing email systems, encryption, and updating of software. This remains, however, a continuous effort.

“Especially if personal devices are used by teachers and researchers, or if the IT team does not have the full picture of all devices or the software installed on them, it is vital to raise awareness about data handling practices.”

Boulet and his team deploy various strategies to do so, such as offering cybersecurity training for new staff and the integration of cybersecurity as a topic within the students’ curriculum.

However, there is a fine line between what users prefer and what security measures demand. When considering today’s risks and the varying levels of technical expertise among users in digital educational environments, our responsibility sometimes means that we need to take control. Raising awareness and continuously assessing risks is not enough. To implement effective measures we need to be ready to disrupt the user experience, for instance by forcing users to set more complex passwords or take mandatory training, and we need to have strategies to overcome resistance of users.

A National French Strategy

Since 2022, the French national agency for cybersecurity has appointed a go-to person for Higher Education. They are also in the process of developing a directive to help streamline efforts and enhance collaboration among institutions on a national level. Why is this so important? Boulet emphasises that it is not just about staying aligned with best practices in the field and keeping on top of national regulations and standards.

National-level exercises and support, such as a national security operational centre, will have a greater impact. Individual universities can detect breaches, but they often have too few resources to monitor and respond to attacks 24 hours per day, 365 days per year. Building a national centre is in fact one of the 30 measures currently being discussed as a specific action in the new digitalisation strategy of the French Ministry of Education (expected in Q3). This aligns with the work Boulet has led on a 2022 concept note, which offers guidance to all French universities (available in French).

In it, concrete recommendations are provided in line with French and European level strategies, such as the 2023 NIS2 Directive, an EU-wide legislation on cybersecurity which provides legal measures to boost the overall level of cybersecurity in the EU and which has set higher standards for public and research organisations.

Recommendations 

As we embrace digital transformation, cyber security challenges will remain a critical concern; universities must stay vigilant. Based on our interview with Boulet we can share several recommendations:

National Level

In the context of the digital transformation of German Higher Education institutions it is worth considering why universities may find it hard to define cybersecurity as one of their key priorities. Do we need to shed more light on competing demands in digital transformation initiatives that divert attention and resources away from cyber security? Could national simulation exercises generate a greater awareness and identify common issues?

  • To foster a collective commitment to safeguard the digital future of higher education it will be crucial to engage with university leaders and IT experts, policymakers from different ministries, providers and national stakeholder organisations in an open dialogue
  • To build awareness, identify gaps and build bridges within and between institutions, investment in a national crisis simulation exercise (such as OZON) with a central scenario and a modular design can be considered as a vital instrument to improve the resilience of institutions. Germany can already benefit from lessons learnt:

“Individual institutions are increasingly prepared with their own crisis plans, but sectoral preparation is lacking. With the increased dependence on IT and the vulnerability of data, the likelihood of sectoral crises has also increased. The Dutch Institute for Security and Crisis Management recommends that sectoral preparations be laid down in a sectoral or national crisis plan for education and research. This will require discussing the roles and responsibilities of the umbrella parties within the sector.”

(https://www.surf.nl/en/news/ozon-2023-cyber-crisis-exercise-evaluation-basics-in-place-time-for-sectoral-collaboration)

Leadership Level

  • Establish cybersecurity as a strategic priority at the highest level of management
  • Organise and involve a team composed of experts in different roles in cybersecurity risk management discussions
  • Collaborate with national governing bodies and agencies and follow relevant regulations and standards

 

IT Level

  • Prioritise resource allocation for cybersecurity measures based on risk assessment
  • Conduct regular audits and penetration testing to identify vulnerabilities
  • Implement phishing exercises and educational programs to raise awareness among staff and students
  • Exercise control when needed
  • Mark data that needs to be saved and save it in 3 locations, 1 of which is offline

 

Finally, Ask Yourself

  • When did you last take or provide a cybersecurity training course? Has this been implemented for all faculty, staff and students at your university?
  • When you are working while travelling, is your content adequately protected? 
  • Is your important data marked to be saved in case of a breach?
  • Are you comfortable stepping out of a room in a public building while leaving your computer unlocked?
  • Could security become a component of the curriculum for courses you are involved with – not just to protect students and the institution but also to ensure graduates will be equipped with essential skills?

 

It will be essential to draw inspiration from success stories, like that of the University of Lille, and to remain vigilant in safeguarding our educational institutions. By collectively prioritising cybersecurity and knowledge sharing, we can fortify the defence: you’re invited to contribute by sharing your ideas and good practices with the HFD Community via the comments box below!

 
