The digital transformation of higher education has revolutionized the way universities operate and engage with their stakeholders. However, it brings new challenges, for example in the area of cybersecurity. The increasing number of Cyberattacks on universities – as does Hans Pongratz, an expert at the Center for Higher Education (zhb) at TU Dortmund University, at the latest edition of the U:FF emphasized – shows that protecting sensitive data, securing information systems and mitigating cyberattacks are key tasks for universities in the digital age.

In this blog post, we will look at the general challenges for cybersecurity in higher education, the best practices of the University of Lille, and France’s national efforts and focus for Germany. The University of Lille is an excellent example of proactive measures focused on developing awareness of the need for cybersecurity. We had the opportunity to speak with Pierre Boulet, vice president for digital infrastructure and president of the professional network association L’association des vice-présidents en charge du numérique dans l’enseignement supérieur.

Understanding the challenges

According to Boulet, decision makers often lack a comprehensive understanding of the technical intricacies. Therefore, he said, it is important to first make them aware of cybersecurity risks in order to prioritize the issue. French institutions are also faced with difficult financial conditions, he said, but leadership must allocate adequate resources to develop effective policies and procedures. According to Boulet, this means that 10% of an institution’s total IT budget would need to be spent on cybersecurity:

“We’ve gone to great lengths to ensure fire safety and overall security, but today the risk of a cyberattack is much more likely than a fire and therefore must be a strategic priority.”

Lille has nearly 80,000 students and a large campus with old buildings and high maintenance costs. The university struggles to spend 10% of its IT budget on cybersecurity, yet takes a proactive approach to the most important things.

Develop and implement cybersecurity policies and procedures.

Lille University has made great strides in developing and implementing policies and procedures. Although cybersecurity is not explicitly mentioned in Lille University’s overall strategy, it occupies an important place in its digital strategy. Boulet notes that monthly meetings with information security officers, IT staff and privacy officers to ensure regular cybersecurity assessment and prioritization are central to organizing their efforts:

• Mapping of the devices of the employees:inside and the current security levels
• Execution of penetration tests to identify vulnerabilities
• Forced password changes for all accounts to improve security
• Participation in regular phishing exercises (supported by the French National Cybersecurity Agency).
• Training of staff and students
• Collaboration with other universities and policymakers to focus action.

Bringing the various stakeholders to the table may seem obvious, Boulet says, but “it’s important to know what to protect and where to engage. If you ask ten people about this, you will get ten different answers.” In his experience, he said, it is absolutely necessary to find a team that can drive discussions across the university. In the event of a major cybersecurity attack, he said, it is essential to respond quickly to minimize the damage. Isolating networks and servers and performing near-forensic analysis to understand the attack are the most important steps to take, according to Boulet: “Only by understanding what happened can you fix it and reboot, and that takes valuable time.”

Striking a balance between user:friendliness and control

Under Boulet’s leadership, Lille University has implemented several measures to protect sensitive data and information systems. These include resilient backup procedures (two online and one offline to ensure minimal data loss), secure email systems, encryption and software updates. However, he said, this is an ongoing task:

“Especially when teachers’ and researchers’ personal devices are in use, or when the IT team doesn’t have full oversight of all devices or the software installed on them, it’s important to raise awareness about data handling.”

Boulet and his team use a variety of strategies to do this, such as offering cybersecurity training to new employees and integrating cybersecurity into the undergraduate curriculum.

However, there is a fine line between what users:inside prefer and what security measures require. Given today’s risks and varying levels of technical knowledge among users in digital educational environments, responsibility sometimes means taking control. It is not enough to raise awareness and continuously assess risks. To take effective action, we must be willing to disrupt the user experience, for example, by getting users to set more complex passwords or participate in mandatory training. We also need to develop strategies so that users do not resist.

A French strategy

Since 2022, France’s national cybersecurity agency has appointed a point of contact for higher education. In addition, a guideline is currently being drafted to bundle the measures and improve cooperation between the facilities at the national level. Why is this so important? Boulet stresses that it’s not just a matter of following best practices in the field or complying with national regulations and standards.

Support and training at the national level, such as through a national security center, achieve greater impact. Individual universities can detect breaches, but often have too few resources to monitor and respond to attacks 24 hours a day, 365 days a year. Indeed, the creation of a national security center is one of the 30 measures currently being discussed as a specific method in the French Ministry of Education’s new digitization strategy (expected in Q3). This is consistent with the work Boulet has done on a 2022 concept paper that serves as a guide for all French universities (
available here in French
).

This makes specific recommendations in line with strategies at the French and European levels, such as. NIS2 Directive of 2023, an EU-wide cybersecurity legislation that provides legal measures to improve the overall level of cybersecurity in the EU and has set higher standards for public institutions and research institutes.

Recommendations

As the digital transformation continues, cybersecurity challenges will remain an important issue; universities must be vigilant. Based on our conversation with Boulet, we can derive some recommendations:

At national level

In the context of the digital transformation of German universities, it is worth reflecting on why universities find it difficult to define cybersecurity as one of their top priorities. Do we need to shed more light on competing demands of various digital transformation programs that divert attention and resources from cybersecurity? Could national simulation exercises create greater awareness and identify common problems?

• To foster a collective commitment to securing the digital future of higher education, it is critical to engage in an open dialogue with higher education leaders and IT experts, policymakers from various ministries, vendors, and national advocacy organizations.
• To raise awareness, identify vulnerabilities, and build bridges within and across institutions, investing in a national crisis simulation exercise (such as OZON) with a central scenario and modular design can be seen as an important tool for improving institutional resilience. Germany can already benefit from the knowledge gained:

“Individual institutions are increasingly armed with their own crisis plans, but sector-based preparation is lacking. With the increasing reliance on IT and the various vulnerabilities of data, the likelihood of crises in individual sectors has also increased. The Netherlands Institute for Security and Crisis Management recommends that preparations be defined in a sectoral or national crisis plan for education and research. This requires discussing the roles and responsibilities of the umbrella parties within each sector.”

(https://www.surf.nl/en/news/ozon-2023-cyber-crisis-exercise-evaluation-basics-in-place-time-for-sectoral-collaboration)

At management level

• Anchoring cybersecurity as a strategic priority at the highest management level
• Organize and involve a team of experts from different areas in discussions on the management of risks.
• Cooperation with national bodies and authorities and compliance with relevant regulations and standards

In the IT area

• Prioritize resource allocation for cybersecurity measures based on risk assessment.
• Conduct regular audits and penetration tests to identify vulnerabilities
• Conduct phishing drills and training programs to raise awareness among staff and students
• Enforce cybersecurity measures as needed
• Marking and storing data in three locations, one of them offline

Finally, ask yourself …

• When was the last time you conducted or offered cybersecurity training? Was this conducted for all faculty, staff:members, and students at your university?
• Is your data sufficiently protected when you work on the road?
• Is your important data marked so that it can be saved in the event of a security breach?
• Is it okay for you to leave a room in a public building without locking your computer?
• Could cybersecurity become a part of the curriculum for the courses you are involved in – not only to protect students and the institution, but also to ensure that graduates are equipped with essential skills?

It is important to be inspired by success stories like that of the University of Lille and to remain vigilant in protecting our educational institutions. By working together to prioritize cybersecurity and knowledge sharing, we can strengthen our defenses. Feel free to share your ideas and best practices with us and the HFD community via the comments section!