The ongoing funding crisis engulfing UK universities could leave them even more vulnerable to cyberattacks, a sector IT leader has warned.

Patrick Hemmaway, chief information officer at the University of Manchester, said institutions were already suffering from years of underfunding, which?has put them more than a decade behind companies in the private sector.

Cybersecurity in universities has been ¡°underfunded for the last 20 years, and from a technology perspective that means that in addition to technical debt, there¡¯s a skills debt as well¡±, Mr Hemmaway told Times Higher Education.

¡°But also, unfortunately it comes down to culture in many different organisations. If you¡¯ve got a strong advocate for security, and a digital agenda, things get prioritised¡±, he added.

ÁñÁ«ÊÓƵ

¡°But prioritising funding goes back to what he¡¯s not going to be spending money on. Every pound that we spend on cyber is obviously coming away from something else. Be it buildings or looking after our students.¡±

Manchester has made headlines multiple times in recent years after being affected by?several cyberattacks, with one incident last year resulting in students and staff being told their data could be sold on the black market if the university did not take action.

ÁñÁ«ÊÓƵ

Universities are increasingly becoming targets for cyber criminals?becaus eof the vast amount of data they hold. Research by the Department for Science, Innovation and Technology last year found that half of UK universities that had identified breaches were facing cyberattacks ¡°weekly¡±.

Underinvestment across higher education meant that firms in the private sector ¨C including banks and insurance companies ¨C are at least 15 years ahead of universities on being able to tackle cyber threats, Mr Hemmaway said.

¡°How many universities at the moment have a director of IT security or a chief information security officer and an adequate understanding of taking IT security seriously?¡±, he asked.

¡°It¡¯s only over the last couple of years that universities are now leaning in and actually bolstering their security services. Many universities still have probably only a handful of people that actually focus on security,¡± he said.

ÁñÁ«ÊÓƵ

Collegiate systems risked fragmenting information and knowledge-sharing across a university further, Mr Hemmaway added.

¡°You¡¯ve got some universities that are 800 or 900 years old, that are highly federated. In terms of the services that they provide they¡¯re very, very siloed inside their institutions. If you¡¯re siloed within an institution, it¡¯s very hard to get a grip of what your vulnerabilities are in terms of your assets. That¡¯s where we as a sector are at the moment. I think we¡¯re probably several years away from being anywhere near industry at the moment.¡±

David Batho, director of security at Jisc, a not-for-profit that provides IT support to higher education providers, said ¡°under-investment in cybersecurity is false economy¡± but added that it was still a ¡°top priority¡± for universities in protecting ¡°their vital infrastructure¡±.

A survey carried out by Jisc this year found that cybersecurity was the most commonly cited challenge that universities are facing ¨C ahead of student recruitment.

ÁñÁ«ÊÓƵ

Mr Batho added that Jisc has?called for a ¡°coordinated¡± approach to reinforce the sector¡¯s cybersecurity and ¡°generate long-term savings¡±, as well as requesting investment from the government to fund a security operations centre to ¡°enhance protection for UK institutions and research from cyberattack¡±.

juliette.rowsell@timeshighereducation.com