Cyber Security risks face education sector

cyber security risks

Is the education sector facing cyber security risks?

In the US last week a hacker broke into the University of California’s computer system which contained 80,000 students. This apparently occurred in December whilst the university was in the process of patching a security flaw in their financial management system.

University of California

This followed a similar breach earlier this year at the University of Florida where private information of current and former employees were accessed going back to 1980. A lawsuit has been issued which is seeking a class action status. There was also criticism on how the breach was managed.

On this side of the Atlantic in December university students were unable to submit work as a result of the academic computer network called “Janet” coming up against a distributed denial of service (DDOS) attack causing reduced connectivity and disruption. The University of Manchester was one of the universities impacted by the DDOS attack.

Earlier, last year the University of London Computer Centre (ULCC) was hit by a cyber attack which again left millions of students unable to access the organisation’s IT services. The centre provides services to over 300 UK institutions and supports over two million higher education and further education students on its open-source learning platform Moodle.

The education sector accounted for nearly 10 per cent of all breaches in the past year, according to cyber security company Symantec.

Symantic Internet Threat Report 2015

Personal Data

Universities and colleges contain an abundance of personal data which makes them attractive to hackers, such as credit card details, medical information of current and former students and employees. This also becomes complicate to manage as students come from many different parts of the world bringing with them wide ranging data protection regulations.

Multiple Entry Points

The education sector traditionally provides multiple entry points with a huge spectrum of users having access to its networks. The access is also available 24/7 365 days a year via many devices that may not be secure such as laptops logging in from remote wi-fi locations.

Social Media

Within the education framework social media features prominently and in the absence of social media policies with specific standards in place this can leave a university vulnerable in terms of the inadvertent sharing of information that may not be meant for the public domain.

Separate Networks

A college or polytechnic may consist of a number of separate networks which may not contain a high level cyber security and therefore present a number of cyber security risks.

Intellectual Property

Certain establishments contain highly sensitive research information in the fields of science, health , defense  and aerospace. This could make them a target for hackers and terrorist organisations.

Cyber Security Research

Cyber security research itself could also be a target with the Global Centre for Cyber Security Capacity building  in Oxford University’s Martin School. A number of universities have been awarded Academic Centres for Excellence in Cyber Security Research, such as the Bristol and Kent Universities which means that they will work more closely with the Government Communications Headquarters (GCHQ).

Cyber liability insurance can play a very important role in supplying an extra layer of comfort in the event of a cyber attack to education establishments, providing coverage for a significant number of the potential cyber security risks that exist in this sector.


Should we share Cyber Security information ?

cyber security

Should we share cyber security information ?

Is this a good idea… there are very good reasons why we should share cyber security information and there are also reasons that perhaps it may not be such a good idea.

The current landscape seems to be moving towards the sharing of this confidential and sensitive information with regulation being imposed on both sides of the Atlantic in recent months to promote and encourage the sharing of cyber security information.

At the end of last year  the EEC announced The Network and Information Security Directive (NIS) which is a security and reporting directive for companies in critical business sectors , namely transport , energy , health and finance. This is also applicable to the businesses such as Google and Amazon.

This Directive includes a requirement to report cyber security breaches which is aimed to encourage greater visibility of cyber crime and data breaches within companies and for companies to address their own cyber security.

It is anticipated that this will be ratified in the Spring, with implementation anticipated within the next two years.

In the US , also at the end of last year, the Cybersecurity Information Sharing Act (CISA) was passed by the Senate which allows companies to share cybersecurity threat data with the Department of Homeland Security (DHS) and other federal agencies. A number of bodies that already exist in the US which include the sharing of cybersecurity information . These include Enhanced Cybersecurity Services (ECS) which is a  voluntary information sharing program and whose aim is to help better protect busineses customers and the National Cybersecurity and Communications Integration Centre (NCCIC) which shares  information with public and private sector partners.

In the UK the Cyber-security Information Sharing Partnership (CiSP) exists which is part of CERT-UK . This is a joint industry government initiative set up to share cyber threat and vulnerability information in order to increase overall awareness of cyber threats and help mitigate the impact this may have on UK businesses.

The British Insurance Brokers Association ( BIBA) have recently endorsed (CiSP) to encourage insurance brokers to join CiSP to share the knowledge of over 4000 cyber-security professionals from over 1500 organisations. The government is also very keen that the insurance industry works closer with cyber security professionals and it is likely that we will see evidence of this in the future via associations and collaborations.

Let’s now review the positives and negatives of sharing cyber security information :-


  • It provides information to business on the latest forms of malware, spear phishing campaigns, and known malicious domains
  • Improvement in technology to combat the latest forms of security threats
  • Information derived from claims that insurers can assess / rate and improve the coverage under cyber insurance policies.
  • Assessment of insurers aggregation
  • Information to help insurers analyse cyber catastrophe models
  • Provision of knowledge to help anticipate future terrorists lead cyber attacks


  • Possible release of confidential information of cyber attacks and data breaches to third parties
  • The information provided may impact on a company to carry out businesses with existing customers being concerned with poor cyber security measures.
  • Collateral damage to reputation of a business and impact on stock market share price
  • Hackers gain access to extremely sensitive data bases
  • Perceived by some that “big brother” is spying and will encourage surveillance of businesses
  • Inadvertent sharing of personally identifiable information

The cyber security industry also has an important role to play as they are arguably possess the greatest amount of cyber security data, this is no doubt considered valuable intellectual property and there would be a reluctance to readily share this to a wider audience without distribution to secure destinations.

The sharing of cyber security information is more advanced in the US than the EEC / Rest of the World and is reflective of two very differing cyber landscapes , with the US being more mature in terms of number and size of cyber security breaches and the existing litigation that helps drives notification.

The sharing of cybersecurity information definitely has a role to play in the development of the improvement of cyber security and the defence of cyber attacks that can threaten a business……  how it is shared is perhaps the current dilemma facing governments and regulators.

EU – US Privacy Shield – is data safe again?


The privacy of the transfer of data between the UK and US received a boost this week when the European Commission announced that political agreement had been reached on what is effectively a replacement of the Safe Harbor, known as the “Shield Decision”. A Working Party has subsequently published their initial reactions which the European Commission must take into account if the Working Party does not agree with “The Shield Decision”. In the event that that national data protection authorities refuse transfers on the basis of this decision this will be raised to the European Court of Justice.

This is the result of three months of negotiations between the EU and US  after the fall of the Safe Harbor agreement that existing up until October last year. The deadline of 31st January was missed as negotiations over run with both parties failing to agree new privacy boundaries.

In the meantime it is understood that local data protection authorities will continue to accept standard contractual clauses and binding corporate rules for transfers  of data to the US, providing privacy protection between these countries.

The main obligations imposed on firms handling Europeans personal data are as follows:-

  • US firms will need to commit to “robust obligations”  on how personal data is processed and individual rights guaranteed . This will be monitored by the US Department of Commerce.
  • Clear safeguards and transparency obligations will be imposed on the US Government which will set out specific limitations for law enforcement and national security reasons
  • There will be protection for EU citizens rights with options for redress. This will include avenues for citizens who feel the privacy of their data has been misused with strict guidelines for response to complaints

It is by no means “home and dry” , in addition to the Working Party involvement , Europe’s national privacy agencies meet to pass their own judgement on how data can be safely moved from the EU.

How does this impact on the cyber insurance market and insurers perception of data being at risk ?

It is too early to assess the impact of this decision , especially as the “Privacy Shield” has some way to go before being fully ratified , but any privacy protection laws and regulations assists cyber insurers in being more comfortable with the associated risks of loss of personal data and individuals privacy.

Cyber Security – New EEC Directive

Cyber Security - New EEC Directive

This week the EEC announced  the first cyber security law , the Network and Information Security Directive . This is a security and reporting directive for companies in critical businesses sectors such as transport , energy , health and finance. This will also apply to to the likes of Google and Amazon .

The directive is primarily two fold :-

1.Requirement of companies to report cyber security breaches

2.Requirement of companies to ensure that they have a secure digital infrastructure in place.

A body of teams will be set up manage incidents in the shape of Computer Security Incidents Response Teams (CSIRTS).

This is likely to ensure greater visibility of cyber crime and data breaches within companies. The impact of which could have commercial consequences as to whether companies can be considered to have adequate cyber security in place by its trading partners . The emphasis of this law is clearly to encourage companies to address their  cyber security and it would be prudent that companies are proactive now in order to be ready for the implementation of this law which is anticipated to come into force within the next two years .

This is a timely decision, as in the US this week , the Federal Trade Commsssion won a lawsuit against Wyndham Worldwide Corporation who failed to properly safeguard customers information . Three separate data breaches were suffered affecting 619,000 customers and led to $10.60M in fraudulent credit card charges. As a result of this Wyndham will be required to improve all aspects of their cyber security.

This new directive should not be confused with the General Data Protection Regulation which will bring unformity to data protection laws in the EEC and compulsory data breach notification for all businesses.

The impact of this new directive will no doubt provide insurers in the cyber liability insurance market with some much needed comfort as one of their focuses in their rating and assessment of exposures is the level of cyber security.

If  this is going to improve it will eventually impact on premiums and conceivably exert downward pressure on premium rates.


Small Businesses – Cyber Security

Small Businesses - Cyber Security

It may be obvious but what cyber security exposures does a small business have that could lead to cyber crime or a data breach ?

A typical small business is likely to have the following  cyber security exposures:-

Computer Servers – your servers and servers of other third parties of who you may be dependent upon.

Laptops – of all your employees and any temporary staff.

Mobile Devices – do you know who has a mobile device, do they work from home , do they use wi-fi in the local coffee shop ?

Removable Media – are all USB sticks accounted for and are employees allowed to remove then from the office?

Paper Records – do you still use paper files , these should be replaced by electronic files.

Electronic Files – what data is stored on your electronic files , is it personally identifiable information ?

Company Website – is this protected by the most up to date firewalls?

Databases – what data is stored on your electronic files , is it personally identifiable information ?

Software – how old is your software , does it need to be updated , is it regularly patched ?

Computer Networks – what is your dependency on third parties?

Use of Cloud Services – does your cloud provider purchase professional indemnity insurance ?

Once you are comfortable that your have identified all of your technologies , a risk analysis should be carried out , followed by a review of your internal procedures such as the website privacy policy and conditions. This should be carried out in tandem with all of your external procedures and providers , such as any third party and cloud providers for whom your computer services may be relying on.

Are your Business Continuity Plans and Disaster Recovery Plans up to date ?

Are your staff trained in all the most up to date cyber security company policies ?

Have you considered Cyber Insurance for your business  ? – the purchase of this type of insurance is the balance between owning your cyber related exposures and being confident that you can manage and accept these risks. This is against the risks that you may not be able to manage and the areas that could cause the business a significant loss and impact severely on your balance sheet.

Cyber Security Threats for 2016

Cyber Security Threats for 2016

Cyber security will remain a high profile issue for businesses  as we move into 2016.

Many small businesses do not appreciate the speed at which cyber related exposures are developing and the importance of robust cyber security being in place , it is therefore vitally important to be aware of these as businesses are nowadays almost 100% reliant on technology.

Existing cyber security risks will develop and new ones are likely to emerge, some examples of these are as follows:-

  • Outdated technology may be susceptible to unauthorised access from a hacker if patching has not been carried out on a regular basis.
  • Current security procedures need to be updated to keep pace with the sophistication of hackers  techniques.
  • Forgotten maintenance of the Internet may lead to opportunities for hackers
  • The Internet of Things will provided increased connectivity between many more devices and has the potential to produce vulnerabilities in security loop holes.
  • Businesses are increasing moving towards the use of cloud providers and therefore being able to monitor data is likely to become more difficult. With the abolishment of the Safe Harbour this will have of particular impact to firms trading in the USA.
  • Perceived increased focus by hackers on small businesses that may not have the same standard of IT security as larger companies.

The underlying message is that the cyber risk landscape is constantly evolving and businesses must be increasing on their guard to anticipate this by updating and improving their existing cyber security.