Cyber Security

Overview

The vast majority of organisations in the UK rely on digital technology to function.  Good cyber security protects that ability to function and ensures organisations can exploit the opportunities that technology brings. Cyber security is therefore central to the University’s health and resilience.

New regulations (such as GDPR), as well as high-profile media coverage of the impact of cyber incidents, have raised the expectations of students, partners, staff, customers and the wider public. Quite simply, the University has to get to grips with cyber security.

Cyber Security is the protection of devices, services and networks - and the information on them - from theft or damage via electronic means.

There are three common myths concerning cyber security. Understanding why they're incorrect will help you understand some key aspects of cyber security.

Reality: You don't need to be a technical expert to make an informed cyber security decision.

We all make security decisions every day (whether to put the alarm on, for example) without necessarily knowing how the alarm works.

Reality: Taking a methodical approach to cyber security and enacting relatively small changes can greatly reduce the risk to your organisation.

The vast majority of attacks are still based upon well-known techniques (such as phishing emails) which can be defended against. Some threats can be very sophisticated, using advanced methods to break into extremely well defended networks, but we normally only see that level of commitment and expertise in attacks by nation states. Most organisations are unlikely to be a target for a sustained effort of this type, and even those that are will find that even the most sophisticated attacker will start with the simplest and cheapest option, so as not to expose their advanced methods.

Reality: Many cyber-attacks are opportunistic, and any organisation could be impacted by these untargeted attacks.

The majority of cyber-attacks are untargeted and opportunistic in nature, with the attacker hoping to take advantage of a weakness (or vulnerability) in a system, without any regard for who that system belongs to. These can be just as damaging as targeted attacks; the impact of WannaCry on global organisations - from shipping to the NHS - being a good example. If you’re connected to the internet, then you are exposed to this risk. This trend of untargeted attacks is unlikely to change because every organisation - including yours - will have value to an attacker, even if that is simply the money you might pay in a ransomware attack.

A good way to increase your understanding of cyber security is to review examples of how cyber-attacks work, and what actions organisations take to mitigate them.

In general, cyber-attacks have 4 stages:

Survey - investigating and analysing available information about the target in order to identify potential vulnerabilities.
Delivery - getting to the point in a system where you have an initial foothold.
Breach - exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access.
Affect - carrying out activities within a system that achieve the attacker’s goal.

Employees, senior executives or stakeholders in organisations are often the target of cyber-attack, because of their access to valuable assets (usually money and information) and also their influence within the organisation.

Attackers may try to directly target your IT accounts, or they may try to impersonate you by using a convincing-looking fake email address. Once they have the ability to impersonate you, a typical next step is to send requests to transfer money that do not follow due process. These attacks are low cost and often successful because they exploit the reluctance of staff to challenge a non-standard request from someone higher up in the organisation.

Good cyber security awareness throughout the University, security policies that are fit for purpose and easy reporting processes all help to mitigate this risk. You should also consider how publicly available information about you could assist an attacker who is trying to impersonate you.
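The impersonation pattern described above (a senior name on an external or lookalike sender address, asking for a payment) is something a mail gateway or reporting triage script can check for. The following is an added example, not code from the University's page; the domain, staff names and sample messages are constructed placeholders.

```python
# Added example (not from the University's page): a gateway-style check for the
# executive-impersonation pattern. It flags messages whose display name matches a
# listed senior staff member but whose sending domain is not the organisation's
# own, or whose domain is a near-lookalike of it.
from email.utils import parseaddr

ORG_DOMAIN = "example.ac.uk"                      # assumption: placeholder domain
SENIOR_STAFF = {"Jane Smith", "Vice Chancellor"}  # constructed names
PAYMENT_TERMS = ("transfer", "payment", "invoice", "urgent")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, subject: str) -> list[str]:
    """Return the reasons a message deserves a second look (empty list = none)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if domain == ORG_DOMAIN:          # genuinely internal: nothing to flag here
        return reasons
    if name.strip() in SENIOR_STAFF:
        reasons.append("display name matches senior staff but sender is external")
    if 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        reasons.append(f"lookalike domain: {domain}")
    if reasons and any(t in subject.lower() for t in PAYMENT_TERMS):
        reasons.append("subject mentions a payment")
    return reasons

SAMPLE_MESSAGES = [  # constructed headers, not real mail
    ("Jane Smith <jane.smith@example.ac.uk>", "Agenda for Thursday"),
    ("Jane Smith <j.smith@gmail-mail.example>", "Urgent transfer needed today"),
    ("Accounts <accounts@examp1e.ac.uk>", "Invoice attached"),
]

if __name__ == "__main__":
    for hdr, subj in SAMPLE_MESSAGES:
        print(hdr, "->", classify_sender(hdr, subj) or "ok")
```

A flagged message is a prompt for the recipient to verify the request through a known channel and report it, which is the "easy reporting process" the paragraph above refers to.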

Defending against cyber-attacks

The key thing to understand about cyber security defences at the University is that they are layered and include a range of measures, from technology solutions to user education to effective policies. The list below gives examples of defences, grouped by the attack stage they counter, that help the University to combat common cyber-attacks.

Survey - User education
Delivery - Network perimeter defences; Malware protection; Password policy; Secure PC & server configurations
Breach - Patch management; Monitoring; Malware protection; Restricted user access; Device controls
Affect - Forensic investigations

Embedding cyber security into our structure and objectives

The role of cyber security is to enable the University's objectives and, increasingly, enable competitive advantage. A cyber security incident will affect the whole University - not just the IT department. For example, it may impact on online sales, impact on contractual relationships or result in legal or regulatory action.

Contact us

If you have a question about how we use your personal information, please email us at gdpr@derby.ac.uk or call +44 (0)1332 592151.