Uniac - February 2024

E) Cyber Security

We observed in 2022 that some institutions were likely to be underestimating their risk of exposure to a cyber incident and also overestimating the effectiveness of their mitigation strategies. In a year that has seen further significant cyberattacks against several UK universities, as well as against multiple companies and institutions, this position has changed. On the whole, risk registers evidence a more in-depth consideration of risk grounded in the design and maturity of the digital estate and third-party relationships.

Mitigation activities include:
- technical controls, e.g., multi-factor authentication (MFA) and encryption, network access controls and segmentation, firewalls, anti-virus/malware systems, patching, cloud configuration
- vendor and supplier risk assessments
- use of specialist expertise to undertake deep dives into risk exposure and inform improvement plans
- improved scanning, testing, detection monitoring and incident response plans, facilitated cyberattack exercises
- specific policies and procedures, mandatory staff training, awareness raising and exercises.

Risk commentary

In our 2022 briefing on the European risk environment, we noted that the HE sector was continuing to underestimate the likelihood and impacts of environmental sustainability risks relative to other sectors. 2023 has seen a collective shift in focus with the publication of a major report on accelerating net zero in HE2. At an institutional level there has been an evident change in risk perception this year, with a substantial increase in the ranking of both the inherent and residual risk scores. This reflects a growing recognition of the cost and practical challenges of realising decarbonisation plans across aging estates while balancing financial sustainability risks. Last year we encouraged institutions to think about the risks of climate change beyond the reputational and do so again.

Because institutions are complex organisations, we encourage all of them to ensure that the full range of cybersecurity risks and controls is identified and documented, particularly taking account of international partners and relationships, and of the often devolved activities taking place in faculties and schools.
