Universities notoriously have a complex network to manage and secure. IT professionals have to deal with an intricate combination of staff and student users, who can access the network both on and off-campus, a multitude of devices that are university and student-owned – and which frequently connect to foreign networks – and a high turnover of users each year. This situation lends itself to a high-risk cyber-environment, so IT professionals must be extra-vigilant when working to secure a university network from malicious actors.

It is for this reason exactly that Jisc, a not-for-profit organisation dedicated to providing digital technologies for UK education and research institutions, created Exercise Mercury – an activity that universities can participate in to expose weak spots and vulnerabilities in their network that could grant access to cybercriminals.

During Exercise Mercury, two universities are paired off and spend a week attacking the other to discover vulnerabilities in their processes, policies, procedures, infrastructure and digital footprint. Each institution can use their full range of skills, resources and personnel – this isn’t an activity solely reserved for IT. After what is essentially a simulation of a cyberattack, the winner is the one who would have caused the most damage – after which, each university can go away and resolve the vulnerabilities discovered.

A Lesson from Exercise Mercury

Exercise Mercury is now in its third year, having been launched at the 2018 Jisc Security Conference. During this time, it has been noted that the main areas of vulnerability discovered are often the same.

The biggest of these areas of vulnerability stem from IT teams not accurately knowing what assets they have, how many, and who owns them. This is a pain point that particularly affects higher-education organisations due to their large, distributed networks with staff and students often working in non-typical ways. Exercise Mercury found that the main cause of this vulnerability was legacy IT, which includes technology that was used for one project that is now long forgotten about, and technology that has been moved to the cloud but not yet upgraded.

So, if IT professionals don’t have a hold on all of their assets, how can they hope to respond if they are compromised? This dilemma is magnified in a university setting where IT teams are having to deal with countless requests from students and staff with already limited resources. Add the monumental task of migrating to the cloud, or to a new OS (such as we saw recently with Windows 7 EOL), and it can seem impossible to keep on top of everything.

What’s the next step?

Whilst digital transformation is the buzzword of the moment, what this shows is that higher-education organisations may need to get their house in order before investing in the next big thing. According to a recent Ivanti survey, over 60% of IT professionals are currently missing key information in their ITAM programme. So, IT teams must start from the ground up and complete a proper audit and discovery of all the technology that is being used on the network, and from there they can work out how to keep it secure.

This period of discovery will also enable security teams to make their policies and processes more cohesive with the technology at play. The findings from Exercise Mercury highlighted that the communication of these policies needs to be “more push than pull” – they should be made as easy to find and digestible as possible.

Currently, 43% of IT professionals still track IT assets in spreadsheets – a shocking figure when we assess that discovery and data is at the heart of everything. Universities should look to invest in an IT Asset Management tool to better understand what hardware and software is in use across the estate and by whom, as well as detailed information such as whether it is supported by the vendor, whether hardware is still under warranty, and what the relationship is between these technologies. It is only then that they can effectively secure their complex networks.

Find out more about how Ivanti can help protect your university IT environment here.