With a new intake of students to deal with, universities have been assembling and manipulating a huge amount of personal data to help things run smoothly in the first weeks of term. In light of recent news that 500 million Yahoo! users had their data exposed, the security of university information, and how to handle its potential loss, will be salient concern for technology teams and reputation managers alike.
I wonder how many comms teams found themselves dealing with cyber security issues during this period? Recent research finds that nearly two in three higher education institutions in the UK have faced a cyber-attack in the last twelve months. While many major institutions seem to recognise the threat a cyber-attack poses to their day-to-day operations, fewer seem ready to engage with the potential for damage to their reputation.
It’s easy to see why higher education institutions could find themselves in the firing line when it comes to cyber-attacks. One of the major targets for cyber criminals is data. Think back to dating website Ashley Madison, or more recently, the World Anti-Doping Agency. Hack into records, get hold of confidential data, and then release it to cause harm and embarrassment or demand a ransom in exchange for its safe return. It’s a common MO.
Universities hold masses of data. Student details, staff details, financial information… the list goes on. As big data is increasingly harnessed into learning analytics, monitoring student behaviour patterns to analyse learning techniques, and reduce drop-out rates, the volume of data being held is only likely to grow further. Like it or not, storing such data makes universities a target.
Imagine the scenario; a VC gets a call from their head of IT to inform them of a large breach. Student files, containing details of fees, home addresses, course marks, have been posted on an untraceable website. Colleagues are scrambling to get the site shut down. Then the phones start ringing off the hook. Confused students, angry parents, journalists… how to respond?
Put simply, cyber security could be the next big reputation threat to higher education institutions unless institutions factor it in to their communications and crisis communications strategy. Not just who says what, but the channels used and the tone adopted.
Each institution will have its own challenges in ensuring it is prepared. But these three principles should be at the heart of their plans.
- Make sure everyone knows their role in the event of an attack. Who needs to be talking to who? How will messaging and statements get signed off? That means fostering an environment and establishing a process where all parties – senior management, comms, IT, operations – are in dialogue and sharing information.
- Have the framework in writing. Where is your crisis communications preparedness pack? (You do have one, don’t you…?) What key messages will you most likely want to communicate. Is there a list of mobile numbers for colleagues involved in the event of an attack?
- Know your stakeholders and know your channels. Who needs telling what in the event of an attack? It’s hard to know until the worst happens, but run a scenario planning exercise and test it out. And what happens when usual lines of communication like Twitter or your website are compromised?
No-one wants to dwell on emergency scenarios more than they have to. But universities can’t afford to let communications be an afterthought when it comes to cyber. The ultimate risk if they do is loss of reputation and, crucially, loss of trust.