ESP IT Risk Universe 2020

March 2020

Contents (page)

Executive summary 3

IT Risk Universe 5

2020 Technology issues for the Education sector 6

Emerging technology issues for the Education sector 8

© 2020 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Document Classification: KPMG Public

Executive Summary

The Education sector continues to undergo significant transformation with huge opportunities, however this comes with increased risk. Technology is playing a larger role than ever before in all aspects of higher education, from administrative processes to student education, and as a result it is no surprise that industry leaders often rank IT-related risks towards the top of their concerns. Our CIO survey 2019, conducted with Harvey Nash, identified that almost three-quarters of IT leaders reported they are making moderate or significant investment in IT, with investment in mobile technologies not far behind. Greater investment comes with a number of opportunities but also presents greater risks.

In the last 18 months we have seen risks and opportunities related to IT systems and the adoption of emerging technologies throughout the Education sector. For example:

- A London based Russell Group University breached the General Data Protection Regulation after sharing a list of people’s data with the Police without a legal basis to do so.
- A report into the effectiveness of controls, published by Jisc (formerly the Joint Information Systems Committee) and the Higher Education Policy Institute (Hepi), had a 100% success rate in getting through the cyber-defences of higher education institutes.
- There has been a year-on-year increase in the number of University-related phishing attacks which appear to have harvested credentials for university webmail services, with the possibility of these being linked to the Student Loans Company-related attacks.
- In the Higher Education Overview report published in January 2019, the ICO identified that only 25% of the 16 Universities tested had an adequate Information Security policy in place, only 31% had an Incident management policy and only 19% had an effective way of communicating the policy to staff.

The Department for Education published its Strategy for Education in the summer of 2019 and highlighted the potential for the sector to grow and flourish through the use and development of technologies such as cloud.

However, the potential to utilise such technologies is dependent on adequately mitigating system and control weaknesses related to data privacy, legacy IT infrastructure, and a lack of technical capacity and capability within the workforce.

Penetration testing conducted over a sample of Higher Education institutions had a 100% failure rate, as reported by Jisc and Hepi in their Information Security Controls report.

Lancaster University students' data stolen by cyber-thieves: data included names, addresses, phone numbers and emails linked to students who had applied to join the university in 2019 and 2020. Source: BBC News, August 2019.

Executive Summary (continued)

We have provided an analysis for nine key risks we have identified specifically for the Education sector. These are Data Privacy, Cloud Implementation, Cyber Security, IT Infrastructure, Budget Restrictions, Service Desk, De-centralised IT, Data Governance and Legacy IT. These risks are based on research and our experiences with clients in the sector over the past 12 months. We feel that these risks should be considered as part of Higher Education's and Universities’ risk management programme for 2020/21.

The points raised on the previous page and in the press are echoed by our own findings and those of industry research bodies, who have also found a lack of compulsory cyber security training for staff in Education as a key risk. Whilst other public sector industries are able to stringently enforce cyber and data privacy training for their staff and new joiners, this is not followed throughout higher education. As a result it exposes Education providers to human error, a risk that persists despite the level of technology investment.

Within this document, we have used our industry experience and our understanding of a wide range of technology and applications to produce a heatmap of IT risks we believe are most relevant to Education providers, and which should be closely managed. We have provided a focus on nine specific key trends in IT which we believe are key in 2020 throughout the Education sector. For each of these we understand your issues and challenges and have in place audit and assurance solutions to manage your risks so as to reduce the impact they could have on you, your stakeholders, and most importantly your students and service users.

Additionally, we have provided a view of the key emerging technologies that highlight risks and opportunities for the Education sector and will continue to do so at an accelerated rate in the future.

Only 31% of Universities sampled had documented Incident Management Policies & Procedures (ICO Higher Education Overview report, published in January 2019).

‘The extent of the Cyber Security to institutions is growing in line with the growth in digital information.’ Source: Cyber security and universities report, Universities UK.


IT Risk Universe: The Education sector

The diagram below depicts typical IT risks for the Education sector. We have depicted each IT risk as a bubble with the size of the bubbles representative of the magnitude and impact of each IT risk. These risks should be considered as part of Higher Education's and Universities’ programme for 2020.

[Figure: Education IT Risk Universe bubble diagram. Horizontal axis: Stable / Known to Changing / New. Vertical axis: Internal to External. Quadrants: Operational policy and control; Strategic / execution / business change risks; Extended enterprise; Strategic / emerging risks. Legend: Identified key risks; Further risks; Emerging Technology risks.]

Risks shown in the diagram: Automation, Cyber (inc. protecting Research Data), Blockchain, Service Desk, Brexit, Cloud IT, IT Strategy, DSP Toolkit*, Data Privacy, Third Party Assurance, Artificial intelligence, De-centralised IT, Digital CRM, Legacy IT, DevOps, IT Infrastructure, User Access, Data Governance, Operational Resilience, Security, IT Programme Assurance, Business Continuity, Disaster Recovery, IT Governance, Budget Restraints, Data Quality, IT Operations, IT Capability.

*DSP Toolkit is only relevant to Universities who process NHS health data or have a medical school.

2020 technology issues for the Education sector

Data Privacy

The Department for Education (DfE) revised its Education Technology Strategy in April 2019. Data Privacy has been considered a key risk to be addressed in order to meet the aims of the strategy, and the protection of student data has been highlighted as a priority.

The criticality of information across all industries, including Education providers, has never been greater, with strategic decision-making often based directly on the results of data analysis, and the repercussions for the data's misuse at an all-time high.

This is partnered with the fact that advances in technology are now reliant upon data more than ever, and the ethics of such use draws a fine line between innovation and misuse.

How can we help?

Organisations within the education sector hold personal and sensitive data that can range from a student's name to serious safeguarding issues affecting children. We can offer a number of services tailored to your privacy maturity, to ultimately improve your data privacy control framework.

Universities using NHS patient data are also required to submit a Data Security and Protection toolkit self assessment. We have worked with clients to perform a gap analysis in this assessment and provide an independent review.

Cloud Implementation

The DfE’s strategy highlights that Cloud based storage solutions are more secure, cheaper to run, and enable a more robust approach to IT infrastructure. However, cloud adoption does create a new risk in itself.

Firstly, cloud implementation programmes are complex and can require projects within the programme to be delivered simultaneously by different teams. This can often result in logistic and scheduling issues causing disruption and additional work during the build phase for Cloud Implementation Programmes.

Secondly, the adoption of cloud does not transfer risk to the third party cloud provider; new risks need to be considered. Has the correct third party due diligence taken place?

How can we help?

Cloud capability will enable institutions to work remotely, and be more agile to technological change in the future. We can help you consider the economies of implementing Cloud, and provide assurance throughout your Cloud change programme, identifying the risks at every stage, and providing feasible remedial recommendations.

We can also provide third party risk management solutions. These allow an organisation to meet the GDPR requirements for due diligence.

Cyber

The National Cyber Security Centre has identified Phishing, Ransomware, and culture and awareness as three of the biggest risks to Higher Education (HE) Providers with regards to Cyber Security.

These risks are extended by the resourcing restraints for Cyber Security across the sector. The digital service provider for academia, Jisc, identified that only 60% of HE providers have a strategic Cyber Security Lead.

Across the sector, the sensitivity and value of research data and the vulnerabilities of legacy systems increase the importance of cyber security, and the need to ensure controls are in place to safeguard the organisation against cyber threats.

How can we help?

We can provide a number of Cyber assessments based on your maturity and cyber risk appetite. This can include assessment against national and international standards, including: Network and Information Systems Directive (NIS), Cyber Essentials, and the Ten Steps to Cyber.

Further, we can provide a Cyber Maturity Assessment against our own framework, that can provide a maturity level based on global cyber standards.

IT Infrastructure

Aging IT Infrastructure can impede IT advances, and this was noted as one of the biggest barriers to achieving the EdTech strategy by the DfE.

Advanced tools and machines, like cloud or virtualization, function very differently to legacy tools and machines, therefore issues are likely to arise such as ensuring staff acquire specific experience. Replacing legacy systems with more advanced ones enables Education providers to become more advanced and offer a better teacher and student experience.

Legacy systems can also increase the risk of technical debt. Without constant incremental changes to systems, there is a risk they will become unfit for purpose, and require additional investment in time and resources to rectify shortcomings.

How can we help?

A lack of IT infrastructure is one of the biggest risks to the delivery of the DfE’s EdTech Strategy. We can provide a diagnostic service to our clients to help identify IT Infrastructure weaknesses, and provide recommendations on how this can be improved to meet the DfE target operating model. We can support you through every stage of the IT change journey, from the hardware of the estate to the skills and capability of the workforce.


2020 technology issues for the Education sector (continued)

Budget Restraints

With the proposed fee changes reducing the cost of an undergraduate degree from £9,000 to £7,500 per annum, the possible ramifications are likely to be widespread across all departments within Higher Education Providers.

With IT investment and resourcing already limited for Education providers, the potential additional budget cuts could further limit the ability of IT departments to meet the overall demands of the organisation's strategy.

How can we help?

We can provide a diagnostic review of your IT Strategy, and provide an assessment on resourcing, priorities, and capability to deliver said strategy.

Service Desk

Service Desk is considered to be the central point of contact between service providers and users on a day-to-day basis.

Due to the siloed nature of Higher Education providers, a centralised service desk is key for monitoring and resolving incidents, disruptions and requests.

Without an effective and centralised Service Desk function there is a risk that incidents will not be escalated and resolved in an appropriate manner.

How can we help?

With the growing reliance on technology we can evaluate the adequacy and effectiveness of the ICT Service Desk, including reviewing the governance arrangements and supporting policy documentation, and the operating processes for handling incidents and service requests which impact business users.

De-centralised IT

IT applications existing outside of IT control frameworks may not be visible to Central IT, and may therefore be creating risk that has not been measured and may not be adequately mitigated.

De-centralised IT is growing at pace as organisations strive to be more agile, flexible and competitive, providing faculties with a level of autonomy. This creates security risks as these applications can’t be secured in the same way that supported, authorised apps are secured. There is the added consideration of Research data, which has significant value in universities and may be of interest to 3rd parties.

How can we help?

We provide a Shadow IT assurance program which seeks to:

- Provide management with an assessment of shadow IT policies, procedures and operating effectiveness;
- Identify control weaknesses that could result in proliferation of shadow IT solutions and a greater likelihood that shadow IT is not detected.

Data Governance

Universities can amass significant data stores, much of which is personally identifiable, commercially sensitive or has significant value (i.e. research data). It is crucial, therefore, that this is managed and governed effectively to ensure that ownership and accountability is clear and integrity is maintained.

Having an established and effective data governance structure is a common failing. We see the contributing factors being the complex organisational structures and devolved nature in which they tend to operate.

How can we help?

We have a team of specialist data governance SMEs within KPMG. We will provide a view on just how clear and well defined the governance of data is within the University. We will then test this view by examining critical data sets and confirming accountability, integrity, availability and completeness. We will also map the data feeds to provide a view on duplication or supplementary data records.

Legacy IT

Aging legacy systems can impede IT and teaching advances. Legacy IT infrastructure or applications are prone to instability due to failing components, and risk disrupting the overall service.

Advanced tools and machines, like cloud or virtualisation, function very differently to legacy tools and machines, therefore issues are likely to arise such as ensuring staff acquire specific experience. Replacing legacy systems with more advanced ones enables organisations to become more advanced and offer a better academic experience.


Emerging technology issues for the Education sector

Artificial Intelligence

Key issues arising from the use of AI include: gaps in corporate governance and whether AI is operating in line with ethics and values; algorithm bias; re-registration/validation of algorithms; data quality; making data exportable and interoperable; and regulatory constraints.

Additionally, building public trust is fundamental, as the public need to want to share their data with third parties for AI to harness its potential.

How can we help?

KPMG has developed an AI Control Management framework covering 17 categories for managing risks and controls for AI solutions. More specifically this has been tailored to AI solutions (i.e. solutions that include machine learning capabilities). KPMG can use its AI in control method to provide guidance and ensure that Higher Education is ready if they have not yet implemented AI, and assurance around current processes for the sector with AI implemented.

Automation

Education faces IT risks through the adoption of new emerging technology. One example is through the use of robotics for automation of campus management and services.

With technology rapidly changing, and an increasing use of automation, robotics, and Internet of Things (IoT) being used to enhance student experience, develop research and automate processes, the Education sector must carefully consider the new rules and regulatory requirements set forth and the risks involved.

How can we help?

KPMG has developed a pragmatic approach to assist our clients in developing foundational procedures to support their transition to automation. The approach is designed to incorporate a comprehensive view of risks and threats and develop tailored procedures to mitigate these specific risks and threats.

Blockchain

Our clients in the UK are increasingly looking to digitise records and transition to a paperless future; an increasing number of Universities have introduced this with demonstrable benefits.

As Blockchain technology matures the shift to digital records will accelerate. Additionally, through tokenisation of various asset classes, security within Higher Education can be improved.

How can we help?

Despite the benefits of using distributed ledger technologies (such as Blockchain) to store data, as with any digital process, a new set of risks needs to be understood and controlled. In order to give assurance to our clients who are adopting distributed ledger technologies, we have developed a Blockchain Maturity Model that assesses Blockchain maturity across eight key risk areas. We are able to provide an overall maturity score, and specific recommendations targeted towards the key risks.

DevOps

As DevOps grows increasingly attractive for Universities, it is important to consider how you can benefit from its use and the risks involved.

Developers/third party suppliers are being used to transform Higher Education IT infrastructure through use of agile methodology. This may include implementing changes directly into the live environment, thus posing challenges and risks to the adequacy of changes, data integrity or customer satisfaction.

How can we help?

KPMG offers DevOps based solutions, from preparing thorough assessment and analysis reports and helping to integrate tools and administration, to delivering professional services and training. We can assist in the alignment of your DevOps, IT, and business teams to build successful Higher Education, reaping the business benefits available from DevOps.


KPMG has an experienced team of Technology Risk Consultants that are constantly working with our clients to develop their approach to IT Risks. Our aim is to help you identify, optimize and manage your risks in this area in a cost effective way. To discuss please contact:

Nicolina Demain
Technology Risk Director, Higher Education Lead (Tech Risk)
M: +44 (0)7887 826733 E: [email protected]

Tim Colclough
Technology Risk Manager
M: +44 (0)7748 885220 E: [email protected]

Lee Dobbing
Technology Risk Senior Manager, Higher Education SM (Tech Risk)
M: +44 (0) 7919 293691 E: [email protected]

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The KPMG name and logo are registered trademarks or trademarks of KPMG International. Produced by CREATE: CRT106669
