Start of Term Tips for Higher Education Institutions

on Thursday, 18 August 2022.

With the summer holidays drawing to a close, now is a great time to remind your staff of the importance of good information security practices.

The start of a new term can be a busy time, with lots of new systems for staff to get to grips with. You want to be sure that you are ready to act swiftly in the event of a cyberattack and avoid the risk of losing large amounts of data. Higher education institutions will need a plan to pre-empt such attacks and mitigate the regulatory and reputational consequences.

What Steps Can You Take to Prepare for a Potential Cyberattack?

  • Appropriate security measures - old systems and applications can make your HEI vulnerable to a data breach, and it may also be difficult for your IT support to detect a virus or threat. The UK GDPR requires HEIs to implement appropriate technical and organisational measures to ensure the security of personal data on your systems. Although certain measures can be costly, there are some that you can implement at a low cost, such as data encryption, password protection and multi-factor verification methods. It is important to keep software up to date, so that the latest security features are installed. We also recommend keeping a record of which staff members have access to databases, and storing data separately to avoid the risk of all data being accessed from a single database. If there has been a changeover of staff over the holidays, then records and access permissions should be updated accordingly.
  • Staff training and awareness - human beings are often your weakest link. Ensuring that individuals within your HEI have the tools to spot a potential scam can be one of the simplest and most effective ways of preventing an attack. This can be achieved through regular training and by updating staff on common methods used by hackers, so that they avoid falling victim. The start of a new academic year is a great time to roll out updated training.
  • Supplier contracts - it is common for organisations to use external suppliers or platforms to manage certain activities. It is important to check the contracts that you have in place with third-party suppliers who may be processing data on your behalf. Check that your contracts include the relevant data obligations for each party and that you agree an appropriate liability cap for loss of data. This will be especially important if you have appointed new suppliers ready for this academic year. You should understand the requirements in relation to notifying your HEI of a data breach "without undue delay" as required under the UK GDPR. If your contracts refer to notifying within a "reasonable time", this will be open to debate and may be risky to your HEI's reputation due to the need to inform your data subjects about the breach.
  • Response plan - you should have a step-by-step response plan in place to deal with data breaches, including those that may occur during holiday periods. This should include having senior members of staff and your IT support on standby to make decisions in the event of a data breach and respond as quickly and efficiently as possible. To comply with the UK GDPR, you must notify reportable personal data breaches to the ICO within 72 hours of the breach taking place. Depending upon the severity of the breach, this may need to be followed by notifying the individuals who are affected by it. Your response plan should also include any requirement you may have to notify other regulators (such as the Office for Students), as well as notifying your insurers so that you receive the cover you are entitled to.
  • Insurance cover - there are many types of insurance policies available and you can choose what is best suited to your HEI. Insurance can cover your HEI's and third-party data and digital assets, as well as losses resulting from a data breach and legal proceedings in the event of claims being made by data subjects.

The start of term is an excellent time to ensure you have taken reasonable precautions and have a response plan to deal with a cyberattack. Coupled with your plan of action and systems, this will make it more difficult for hackers to interrupt the day-to-day running of your HEI and, if a data breach were to occur, you will be able to deal with it swiftly.

 



If you require any further assistance or advice on this area, please contact Andrew Gallie on 07467 220 831, or Nahida Rashid on 020 7665 0841.