The Cyber Security Authority (CSA) has cautioned universities and other owners of Critical Information Infrastructure (CII) to strictly adhere to the Directive for the Protection of Critical Information Infrastructure following a recent cyberattack on the University of Nottingham in the United Kingdom.
According to the Authority, the breach at the University of Nottingham reportedly affected about 450,000 students and alumni, exposing sensitive information including personal records, contact details, student identification data, and financial information.
In a statement, the CSA said the incident serves as a reminder that no educational institution, regardless of its size, reputation, or technological advancement, is immune to cyber threats.
The Authority noted that although the attack occurred outside Ghana, its implications are highly relevant to the country’s educational sector and other critical sectors such as health, telecommunications, and transportation.
The CSA explained that Ghanaian universities are increasingly adopting digital technologies, including student information systems, online learning platforms, cloud services, digital payment systems, and research collaboration tools. While these innovations improve efficiency and accessibility, they also increase exposure to cyber risks.
According to the Authority, the key issue is no longer whether institutions will face cyberattacks, but whether they are adequately prepared to respond when such incidents occur.
The CSA therefore urged universities and other operators of critical digital systems to comply with the Directive for the Protection of Critical Information Infrastructure, which was launched in October 2021 to strengthen cybersecurity resilience across critical sectors.
The directive encourages institutions to establish effective cybersecurity governance structures, conduct regular risk assessments, implement robust security controls, report cyber incidents promptly, undertake periodic audits, and develop comprehensive incident response plans.
The Authority stressed that these measures are essential for reducing the likelihood and impact of cyberattacks while protecting essential services and national interests.
