The impacts of a serious cyber incident go far beyond just financial costs

What is it that makes education and research such an attractive target for hackers? It’s not, after all, a sector with the financial resources of business or banking. But colleges, universities and research institutions all hold personal information on students and staff, and many hold sensitive research and intellectual property data as well – all of which can be exfiltrated and either held to ransom or sold on.

Building in resiliency to prevent threat actors from causing disruption is particularly vital in a sector where loss of services can have a significant long-term impact on students. Yet by their very nature, these complex estates - replete with legacy systems and remote access requirements - present hackers with an extremely large attack surface and multiple points of entry.

A recent real-life incident provides a great example of how prior preparation can make all the difference, and highlights the importance of working in partnership to defend as one.

One click on a phishing email is all it takes

When Heather Lowrie took up her position as the first-ever CISO at the University of Manchester, she was well aware of the cyber security risks facing the sector. The risk quickly became reality when, within a few weeks of starting, she found herself dealing with a sophisticated and particularly vicious cyber attack that threatened to paralyse the whole university.

Like 91% of all attacks on the sector, initial access was gained via a phishing email, which led to subsequent persistent access, exfiltration of data and threats to escalate. Core systems were impacted, disrupting the university’s ability to support its researchers, while interdependences with organisations like the NHS in Greater Manchester and beyond carried a potential risk to life.

As an integral part of the Greater Manchester ecosystem, the university is very conscious of its responsibility to support critical services in the wider community. “Going dark” was therefore not an option. The decision was made to stabilise things, allowing the university to function as normally as possible during the incident and ensuring that academic colleagues could continue their work.

This meant the university had to recover and rebuild at the same time.

Prior preparation: cyber exercises and incident command structures

Several things stood the university in good stead when it came to preparedness.

As a result of cyber exercising undertaken with Jisc the previous year, a major incident was on the strategic risk register and appropriate corporate governance was already in place, along with a number of mitigations.

The university’s incident command structure - which had been established during the exercises and included representatives from various departments including HR, legal, IT and senior leadership - was ready for immediate mobilisation.

And, as a Jisc member, the university was able to immediately call on Jisc’s cyber security incident response team (CSIRT) to help solve the problem.

A critical coalition of support provides strength in community

Heather and four security colleagues formed a smaller CSIRT to focus full-time on mitigating the incident. This core team liaised with the rest of the command structure as well as with external bodies who offered help, such as Jisc, the National Cyber Security Centre (NCSC) and the North West Regional Organised Crime Unit.

Heather cites this external support network as key to handling the incident, and says it provided a much-needed morale boost for the university’s teams.

Jisc’s continuous pen testing was also critical to recovery. Jisc provided close monitoring throughout, and containment if re-compromised as there was risk of a secondary attack. Assurance during recovery effort and 24/7 visibility over rebuilds is included in every institution’s membership.

Inside the war room – the human cost

It took three months of intensive work 24/7 to contain and eradicate the threat, recover key services and start rebuilding the university’s core platform.

Heather and her team, along with Jisc colleagues, spent that summer working round-the-clock in a war room: holidays were cancelled and personal lives reprioritised.

The human toll on those directly involved in incident response, as well as on the wider teams, is one of the key areas of impact from a cyber incident and should not be underestimated. Not to mention the stress caused to students who are unable to carry on valuable work. Any recovery plan needs to include a focus on staff wellbeing.

Building in resilience for the future

The incident at the University of Manchester is now closed - but it remains a live investigation. Work does not stop. Lessons learned from the incident are already enabling the university to be more resilient as a result.

Heather says the emphasis now is on supporting the university’s core mission and mitigating the impact of future attacks. The aim is to move to a zero vulnerability posture to improve business continuity and disaster recovery capabilities, and build in assurance.

“We are incredibly grateful to our Jisc colleagues for their dedicated support and commitment, both during the active phase of the cyber attack and afterwards,” she says. “The assurance we received from Jisc was a critical part of our recovery and we look forward to partnering with Jisc throughout our future transformation roadmap.”

Further information

Any UK research or education institution connected to the Janet Network can avail themselves of the accredited expertise of Jisc’s CSIRT and cyber incident response teams as part of their Jisc membership, along with core services like Janet Network resolver to help maintain a safe digital environment.

For more information on reducing cyber risks, read the report Cyber security and universities: managing the risk by Jisc, the NCSC and UUK.

To find out more about how Jisc can help protect your network, book your ticket for Networkshop 2024, which takes place 18-19 June 2024 at Nottingham Trent University and 20 June online.