AU IS INVESTING IN STRENGTHENED IT SECURITY
The risk of cyber attacks is increasing sharply. Aarhus University uses many IT systems and stores huge volumes of data, so it needs to upgrade its defences against data loss or theft and IT downtime. The university has just decided to allocate extra resources to this area.
The need to protect the university's data – both research data and other kinds of data is increasing, as are breakdowns in the IT infrastructure caused by external cyber attacks. Aarhus University's defences against data loss, data leaks and breakdowns in our IT systems must be reinforced. Given this fact, Aarhus University will be investing DKK 32.7 million in enhancing IT security between 2018 and 2022, and DKK 7.2 million will be set aside each year for regular upgrades from 2023 onwards.
“We’ve determined that the threat scenario is changing significantly in this period. This involves not least external pressure on the university’s IT security, so an investment in upgrading our IT security is not a choice we have – it’s a necessity,” says University Director Arnold Boon, who adds:
"We need to do an even better job of protecting our research data as well as our other data, which is our ‘treasure’. At the same time, we must make a targeted effort to make sure that we all take responsibility for protecting our data and do our bit to safeguard ourselves against external disruptions to our IT infrastructure."
High risk – greater effort
The Centre for Cyber Security (CFCS) now categorises the university’s risk of being hit by cyber crime as high. Aarhus University has also commissioned its own analysis of the university's current security level relative to the threat scenario. The IT service company CGI, which performed the analysis, has also made a number of recommendations on steps the university should take to improve its security. The university's accounting firm also pointed out in its auditor’s comment that not all units have a sufficient level of safety.
While IT security has been a high priority for quite some time, the university’s efforts have shown themselves not to be sufficient in light of current developments, explains Deputy Director Peter Bruun Nielsen, AU IT:
“We are now intensifying our security efforts. We know where we need to take action and work is already underway, and with the new extra funding, we will be able to achieve the safety level I believe is necessary to defend ourselves in light of the changed threat scenario. It will be a matter both of new IT tools as well as improving our safety processes and optimisation of our own behaviour so that we don’t make it easy for malicious agents to carry out cyber-attacks."
Stricter security requirements for the university’s employees
"We will have to introduce stricter requirements than we have today. We need to have an overview of which computers, smartphones, tablets, servers and other devices access our network, and what the software is running on them. We will also be imposing stricter requirements to ensure that our systems receive regular security updates, because obsolete systems that are not kept updated are vulnerable, and these vulnerabilities can be exploited,"explains Nielsen.
Earlier this year, Aarhus University conducted an employee survey to assess their knowledge of the university's rules for IT security. The conclusion of the investigation was that employees generally lack knowledge of the rules, and that efforts need to be made to address this both in the administration and at the faculties.
"We are critically dependent on our efforts to protect our data and safeguard us against breakdowns in our IT infrastructure. No compromises are possible in this area. It’s essential to our ability to conduct research, both in relation to the surrounding society and as a basis for our teaching activities at our high international level of excellence. Our partners also require us to be able to document our IT security, so in many ways this investment is absolutely necessary,"explains University Director Arnold Boon.
Facts:
There are three main focus areas in the university’s effort to improve IT security.
- So that AU can protect itself effectively against external threats in the future, the university will invest in tools that can automatically and proactively monitor the university's IT networks and prevent access from entities or persons who present a security risk.
- We will also upgrade our processes in relation to IT security, for example by introducing annual risk assessments. In addition, all departments and schools must evaluate what steps need to be taken to improve IT security locally. It is the responsibility of management to follow up on all of these initiatives, and to ensure that all employees understand how we protect our data.
- Steps must be taken to make sure employees know what they can do themselves to improve IT security. For example, being alert to phishing mails or avoiding weak passwords, which can increase the risk of cyber attacks with consequences for the entire university.