The University of Manchester avoided disaster in last year’s cyber attack – now it wants to set an industry example
When PJ Hemmaway joined the University of Manchester as CIO in 2022, the organization began an overhaul of its IT and cybersecurity capabilities to contend with the growing array of threats faced by higher education institutions.
“When I started, the university and myself agreed that cybersecurity is going to be one of our top priorities,” he tells ITPro.
“I started increasing the size of the security team, and we appointed our first Chief Information Security Officer, Heather [Lowrie],” Hemmaway adds.
By early June 2023, this process was in motion, and it proved critical in the days, weeks, and months ahead. Hemmaway was looking forward to what would’ve been his first day off in around a year, but that was all thrown out the window when Lowrie got in touch to say they may have suffered a security breach.
As it transpired, suspicions of a breach were correct. Like many incidents of this kind, what started as a simple mistake by a member of staff resulted in a chaotic period for the university, its students, and IT teams.
A phishing email allowed a threat actor to compromise an individual’s credentials, enabling lateral movement on the university’s networks, and eventually resulted in a data breach.
It was here that Hemmaway and university staff took immediate action to contain the incident, beginning an arduous process of recovery. The university worked closely with higher education sector partners, such as Jisc, to follow best-practice guidance, as well as with the National Cyber Security Centre (NCSC) as part of the recovery.
The groundwork put in by the team prior to this aided the process, Hemmaway tells ITPro.
“I think it’s important to note that we were on the journey with cybersecurity,” he says. “So the good news is we had a lot of ideas to start, pre the cyber incident.”
“The incident meant that we moved at pace, and that means that we shifted left with a lot of our ideas and a lot of our strategies. So, as we came out of the eradication and stabilization phase of the cyber incident. We then moved over to, essentially, continuous improvement and transformation.”
Part of this recovery process in the aftermath included securing partnerships with a range of organizations to bolster the university’s capabilities and help it contend with future threats.
Hemmaway explains this included working with Microsoft, ServiceNow, Amazon Web Services (AWS), and Tanium to introduce real-time protection tools. The university’s partnership with the latter of these had proved particularly successful and enabled it to unlock vital data-driven insights.
“In terms of the actual benefits that we’re seeing, we’ve got a plethora,” he says. “My security teams and my infrastructure teams tell me we’re now getting real-time threat detection, we’re getting data analysis coming through, that way we get to quickly analyze those large data sets for our estate that’s looking after 75,000 people.”
“In addition, we are getting to detect anomalies a lot quicker. Also just in terms of being able to respond, in terms of speed and accuracy. So that way we’re able to step in a lot sooner.”
Like many organizations including higher education institutions, the University of Manchester is also drawing on a range of AI-based tools and services to help contend with potential cybersecurity threats.
“When you look at the Tanium products that we’re using, they do have machine learning at the heart of what they do from a model perspective,” Hemmaway explains.
“This means the more data that we’re loading up into our different products, the more insights that we’re getting. As I say, that helps us with detection. It helps us with data analysis.”
Using AI-based tools has been critical for improving network and operational visibility, according to Hemmaway. Given the sheer scale of the assets the university deals with, using these tools helps deliver real-time information that could be the difference between repulsing a future attack or falling prey once more.
“Gone are the days where you’ve got to learn scripts overnight, and it’s 24 hours to one to two days before you get the insight,” he says.
“What I’m now seeing with the dashboards is real-time usage in terms of what’s happening over the last couple of minutes. That helps us avoid false positives, and it also helps us understand data sources.”
Higher education has its security concerns
Research repeatedly points to the higher education sector as among the most targeted industries globally. A recent UK Government survey, carried out by Ipsos, showed nearly half (43%) of higher education institutions experienced a weekly breach or attempted cyberattack.
Microsoft’s Digital Defense Report 2024 also found education and research to be the second-most targeted sector after IT, accounting for a fifth (21%) of all recorded victims between July 2023 and June 2024 .
A key factor in this heightened risk, Hemmaway says, is the simple fact that many institutions conduct vital research that threat actors – be they state-backed or financially motivated – would love to get their hands on.
Earlier this year, UK security service MI5 warned cybercriminals have ramped up targeting of universities to undermine national security and steal critical research.
But while other industries have increased cybersecurity spending, higher education has been hampered in its ability to adapt due to budgetary limitations. Earlier this month, Jisc urged the UK government to further bolster cybersecurity support for higher education amidst a torrent of threats.
“I think what we’re doing is fighting with both of our hands tied behind our backs,” Hemmaway says. “When you look at the student fees, they were essentially fixed in 2009 with one increase since then.
“That means the fee of £9,250 is worth a third less now than it was back then.”
Macroeconomic conditions combined with limited cyber budgets mean many universities have to box clever in an increasingly precarious threat landscape. This is why partnerships with industry are key, Hemmaway adds.
“Since COVID, cost of living, inflation costs have gone up, and that means it’s absolutely important that the tools, partnerships, and services that we introduce provide efficiency and effectiveness to help us do more with what we’ve got,” he says.
The University of Manchester has learned its lessons, now it wants to build
Reflecting on the cyber attack, Hemmaway says the university has learned its lessons. But neither he nor the team is content with simply acknowledging the incident and moving on.
Given the state of the global threat landscape, they want to build and position the university as an example of resilience, both for the higher education sector itself and for the broader industry.
“I think the University of Manchester fared differently compared to some of the other institutions that have been hit by cyber incidents,” he says.
“We were one of the only universities that managed to keep the majority of our services online during what was a busy period of the year, in terms of it was the end of the year and then it was going into confirmation and clearing. Again, because of the power of our partnerships, we managed to get through that.”
Much of the university’s future approach has already been laid out in its IT 2030 strategy, unveiled in mid-September. Hemmaway says a key focus for the university will be drawing upon its industry partnerships to bolster its IT and security capabilities in the coming years.
This strategy has five key pillars spanning a broad range of areas, including a sharpened focus on enhancing digital solutions through these vital ties with industry vendors.
Similarly, the university is investing heavily in fostering a culture of innovation and security awareness by engaging with staff to inform them of potential risks.
“This means a lot to me – empowering our people through engagement, motivation, and inclusive practices, they are fundamental to what we do,” he says.
“So when we’re talking about culture, we’re talking about training. Obviously, higher education has its cost pressures at the moment. However, the University of Manchester is taking security absolutely seriously. It’s our institutional, number one risk and because of that we’re investing in our people to operate the tools that we’re purchasing.”
Source link