University of Surrey’s Edification for its Cyber Protection

Cybersecurity modules implemented campus-wide to ensure awareness and safety


The Challenge

  • Protect previously siloed business functions from potential threats
  • Prevent attackers from taking advantage of uninformed users
  • Educate students and staff on cybersecurity best practices

The Solution

  • Proofpoint Security Awareness Training

The Results

  • Implemented customisable education platform across the business
  • Raised awareness of cyberthreats to the Executive Board
  • Secured the University from potential threats
  • Improved efficiencies by increasing resources for time-poor security team
University of Surrey’s Edification for its Cyber Protection
The University of Surrey is a public research university in Guildford, England, receiving its royal charter in 1966. Its research output and global partnerships have led it to being regarded as one of the UK’s leading research universities. The University is comprised of roughly 17,000 students, including undergraduate and master’s students, as well as researchers.

The Challenge

The security team at the University of Surrey had a complex challenge on their hands. Differentiating from typical enterprises, a university has two main operational arms. The core operational purpose is to deliver an excellent university experience to students and the staff which is split between research priorities and professional services. Each area has different needs, perspectives, vulnerabilities and potentially priorities from a risk management perspective.

The challenge to protect these separate functions, is that a blanket solution might not be appropriate for a central services area, like the finance team, or academics carrying out research in medical sciences. These functions will face different types of cyber threats and have different technology education requirements.

“Executing even basic cybersecurity hygiene through employee and student awareness goes a long way to protect against the vast majority of threats,” said Tom Ascroft, CISO at University of Surrey. “Therefore, we needed a structured system in place that would allow us to implement a fully customisable method of cybersecurity education and awareness. While we had some of the components necessary to implement an education process, we lacked the structure.”

“Unfortunately several other universities have recently fallen victim to cyberattacks. These attacks target people, not necessarily the institution, and therefore putting people at the heart of our cyber security strategy was vital.”

“Improving cybersecurity hygiene through employee awareness goes a long way to protect against threats, especially with universities falling victim to recent cyberattacks. With Proofpoint we were able to implement a structured, customisable cybersecurity education platform to fit our needs.”
Tom Ascroft, Chief Information Security Officer, University of Surrey

The Solution

Before beginning the tendering process, the security team conducted a gap analysis against ISO 27001 for central services, and implemented tactical improvements based on the analysis. From there, the team was able to put best practices in place and begin to tackle the challenge of structuring the cyber education process. Using its Gartner subscription, the security team was able to access its full suite of consulting services and expertise and narrowed down its choices to Proofpoint and two other companies, based on the Gartner Magic Quadrant report. 

Proofpoint was the clear the winner,” said Ascroft. “The sheer volume of content and the customisability provided meant that we could tailor the cyber education platform to fit our needs. To start, we created six baseline modules, designed for everyone from an undergraduate student to the University Vice Chancellor to give us a uniform benchmark on user awareness”

Building on the basic cybersecurity training, The University is leveraging the Proofpoint platform to develop hyper specific courses for different use cases. This can include the specific threats facing an employee working in accounts needing to know about BEC scams, to those working in retail needing to know about PCI DSS, and the best practices around cardholder information. With Proofpoint, the University of Surrey can personalise its training modules, so its staff and students learn what they need to know to keep the university safe from attacks. “While we expect everyone to sit the basic training,” explained Ascroft, “we also want to be sure people are aware of all the specific threats facing their vocations. If we can provide everyone with a basic understanding, which Proofpoint can help reinforce through testing, then that will provide solid footing to expand our cyber awareness program over time and remain secure.”

The Results

With Proofpoint, the University of Surrey can implement an iterative process to push out the training modules so that students, academics, and other employees become more aware of their cyber hygiene and the actions they should be taking.

“With this cybersecurity training, I can make sure everyone at the board level understands their accountabilities, responsibilities, and what the risks are to the university. Cyber Awareness is a cost of doing business these days. Proofpoint is essentially an extension of our relatively small team, making us more efficient. When we have questions come in, Proofpoint has the information for us, and we’ve now built a great relationship. Before, this just wasn’t possible, as our team was quite stretched and time poor. The system is an effective way of managing our cyber risk, and I’m looking forward to the dashboards and measurable tools that will give an in-depth analysis into our systems.”

Fortuitously, implementing Proofpoint PSAT coincided with the University of Surrey applying for the Gold Standard in Academic Centres of Excellence and Cybersecurity Education (ACE-CSE), an initiative of the UK’s National Cyber Security Centre (NCSC). In order to qualify, the university needed to demonstrate their excellent teaching standard but also their effective cybersecurity practices. The University was able to use the training modules as a centrepiece of the application process and is hopeful to receive the certification in the coming months.

“I’m confident this training will evolve into becoming a real differentiator for Surrey students and Surrey staff. That’s what I’m looking to achieve; to see how we can enhance our student and staff experience and keep the University safe, and Proofpoint helps us do just that.”

Download Customer Story