The Cyber Security Authority (CSA) has cautioned universities and other operators of Critical Information Infrastructure (CII) in Ghana to strengthen their cybersecurity systems and comply with the country’s Directive for the Protection of CII following a recent cyberattack on the University of Nottingham in the United Kingdom.
In a press release issued on June 16, the Authority said the incident should serve as a wake-up call for educational institutions and other critical sectors across the country.
“The University of Nottingham incident should serve as a reminder that no educational institution, regardless of its size, reputation, or technological sophistication, is immune to cyber threats,” the CSA stated.
According to the Authority, the attack is believed to have affected approximately 450,000 students and alumni, exposing sensitive information, including personal records, contact information, student identification details and financial information.
The CSA noted that although the breach occurred outside Ghana, its implications extend to the country’s education sector and other critical industries.
“While the breach may have occurred thousands of miles away from Ghana, its implications are relevant to our education sector and other CII sectors, such as health, telecommunications, and transportation,” the statement said.
The Authority observed that Ghanaian universities are undergoing rapid digital transformation, with student information systems, online learning environments, cloud services, digital payment platforms and research collaborations becoming increasingly common.
While these innovations have improved efficiency and accessibility, the CSA warned that they have also expanded opportunities for cybercriminals.
“The question is therefore not whether Ghanaian universities or other critical sectors will be attacked, but whether they are sufficiently prepared when an attack occurs,” the statement added.
The CSA consequently urged all owners of critical information infrastructure, particularly educational institutions, to comply with the Directive for the Protection of CII, which was launched in October 2021.
According to the Authority, the directive forms part of regulatory measures aimed at strengthening cybersecurity across critical sectors and ensuring the protection of essential services and national interests.
“Recognising the growing threat landscape, the CSA has developed regulatory frameworks aimed at strengthening cybersecurity across critical sectors,” the statement said.
It added that “the CII Directive seeks to ensure that operators of critical digital systems implement appropriate safeguards to protect essential services and national interests.”
The Authority said the directive encourages organisations to establish cybersecurity governance structures, conduct risk assessments, implement security controls, report incidents, undertake regular audits and develop robust incident response capabilities.
“The Directive encourages organisations to establish cybersecurity governance structures, conduct risk assessments, implement security controls, report incidents, perform regular audits, and develop robust incident response capabilities to reduce the likelihood and impact of cyber-attacks,” the statement noted.
The CSA urged institutions to take proactive measures to strengthen their cyber resilience and safeguard critical digital infrastructure against emerging threats.
