Virtual Brochure – February 2024

A) Cybersecurity and data security.

Cybersecurity remains the top business risk identified by a majority of CAEs across all sectors. Feedback reported by the ECIIA suggests a sense that inherent risks may have plateaued, with residual risks seen as reducing slightly as a result of more robust cyber defences, improved network architecture, automated monitoring, and strengthened testing and awareness raising. However, the ECIIA cautions against overoptimism, noting that:

- Hacking has become more commercialised and many attacks are more sophisticated, as evidenced by the attacks on British Airways, Boots, and the BBC via their third-party payroll provider.
- There are increasing attacks by state-sponsored actors and a growing risk of attacks on global underwater cable networks.
- Emerging technologies such as generative AI can be used to support cyberattacks.

Most organisations now assume that they will be subject to a major cyber incident at some point. They are developing more detailed business continuity plans and investing in recovery solutions that enable digital capability to be rebuilt from the bottom up in the event of significant data loss or corruption. This informs the relatively high ranking of the business continuity risk.

Considerations for HE

In our risk analysis this year, cybersecurity was, on average, the highest ranked risk in HE sector risk registers. We note that some risk registers evidence a more in-depth consideration of cybersecurity risks and the growing maturity of controls across the digital estate and third-party relationships. Issues to consider are:

- How well prepared is your institution to respond to a major cyberattack? Are the consequences for staff, students, partners, and suppliers understood and documented? Is there an integrated, business-wide response plan?
- How rapidly could your institution recover from a major cyberattack, particularly at critical times of the academic year? Is there a detailed and tested business continuity plan in place?
- How strong is your cyber and data security culture in faculties, departments and across partner organisations or individuals (including overseas) with access to your systems? How do you evidence this?