Reviewing protective security at a UK university
Executive summary
This brief describes an anonymised case study of a protective security review conducted at a UK university.
The review underlines the challenges universities face in applying traditional security models and the opportunities to capitalise on existing best practices.
The case study illustrates the value of conducting a holistic review as a basis for strengthening a university’s security posture.
Case description
This brief provides an anonymised account of a protective security review conducted for a UK university. This case study highlights the importance of a holistic approach to protective security and the value of alignment with UK government initiatives in this area.
The review was sparked by rising awareness in academia about state threats to the academic community, to research, and to the commercialisation of intellectual property. The review encompassed the full range of threat actors, most notably cyber criminal groups, but reflected a recognition that state threats historically had been under-recognised.
This engagement was with a university engaged in world-leading academic research and technological innovation. Our assessment considered security processes around the international collaboration and commercial partnerships that enabled this work.
Assessment methodology
The review was holistic, encompassing physical, personnel, and cyber security, alongside assessment of security governance, organisational security culture, and processes for incident management. The assessment methodology was informed by guidance from the UK’s National Protective Security Authority (NPSA) and National Cyber Security Centre (NCSC).
The university had historically adopted a siloed approach to security. Its cyber and physical security functions were comparatively well established but largely separate in their day-to-day working. De facto responsibility for other aspects of security lay across multiple organisational boundaries. There was no central security function to coordinate activity and as such the university had never previously conducted a holistic assessment of its protective security posture.
The review process itself was consequently a valuable organisational learning exercise. Information collection and validation brought together, in a structured manner, parts of the university community that had previously interacted only partially or on an ad hoc basis.
This internal engagement is one of the most valuable outcomes of the review process, something that can be overlooked in a focus on final reporting. Not only does it generally illuminate substantial bodies of valuable tacit knowledge, it can also reveal where there are knowledge gaps in the seams between different parts of the apparatus.
Indicative findings
The following findings are indicative and synthesised from multiple engagements in the UK higher education sector. They should be viewed as illustrative of common trends, rather than as findings specific to any one institution.
Universities typically have a variegated threat profile. Parts of the academic community, some areas of research practice, and some commercial partnerships will face a high level of targeted threat, including from state actors. Other parts of the institution will be lower risk; however, the overall ‘background’ level of risk is generally higher than is appreciated.
The security apparatus within universities tends to be fragmented and in places ad hoc. This reflects the emergence of modern universities from federated and heterogeneous institutions, interspersed with periods of service centralisation and financial retrenchment.
Funders and partners increasingly require that universities demonstrate the ability to conduct research securely. While universities will often have pockets of good security practice, they tend to lack the centralised visibility to coordinate these activities and to provide assurance on the security of their environment.
In these circumstances, attempts to impose rigid security models devised for government agencies or the private sector are highly unlikely to be successful. Universities will need to develop appropriate and proportionate security arrangements that reflect their circumstances, priorities, and ways of working, while recognising that doing so will involve significant cultural change.
Implications for research and innovation
We have conducted reviews for a wide range of organisations engaged in cutting-edge research and innovation, from large universities with world-leading facilities and billions in grants, through to small startups and university spinouts.
Regardless of size and shape, these organisations generally display a strong leadership commitment to security and a growing recognition of the deteriorating threat environment. However, they also tend to be highly resource constrained and to have limited practical experience in protective security.
These dynamics are pronounced in UK universities. These institutions have in recent years often devoted considerable resources to cyber security. They are now being asked to grapple with threats from state actors that transcend boundaries between cyber, physical, and personnel domains; are directly targeted (versus more opportunistic cyber crime); and carry different stakes.
Recognising, let alone mitigating, this class of threats requires a paradigm shift within university leaderships, professional services teams, and academic communities. A review of the organisation’s current protective security posture is an important first step in this process. On the basis of this review, universities can determine an informed organisational security strategy. Implementation against this strategy will also benefit from the lessons learned during the review process.
Lessons identified
A holistic protective security review is a useful first step in strengthening an organisation’s approach to security risk.
Reviews identify valuable tacit knowledge within the organisation, while highlighting gaps in capability.
The process of conducting the review itself develops internal connections and encourages organisational learning.
NPSA frameworks and guidance should be incorporated into the security review process.
Adopting common security review frameworks enables comparison with sector peers and qualitative benchmarking.
Trusted Research and Secure Innovation guidance provides a valuable basis for action to address security vulnerabilities.
Universities must develop an approach to security that reflects their circumstances.
Security models appropriate for industry or government are highly unlikely to be effective if applied without modification.
At the same time, universities must recognise and make the case for significant transformations in organisational practice and culture if they are going to be secure.
The UK government encourages organisations engaged in innovative technology research and development to conduct protective security reviews. UK Research and Innovation (UKRI) provides funding for early-stage technology companies to undertake security reviews through its Secure Innovation Security Reviews scheme [LINK].
Contact us
Secured is a UK-based organisation that provides strategic advisory services to organisations concerned about threats to the security of research, innovation, and investment.
Our security practitioners help entities secure their intellectual property, build operational and financial resilience, and cultivate a positive organisational security culture.
We provide research on the national security implications of emerging technologies as part of our scientific and technical intelligence assessment capability.
Secured is part of Tyburn St Raphael Ltd, a boutique security consultancy.