The Cyber Security Authority (CSA) has urged universities and other operators of Critical Information Infrastructure (CII) in Ghana to strengthen their cybersecurity systems and comply with the country’s Directive for the Protection of Critical Information Infrastructure following a recent cyberattack on the University of Nottingham in the United Kingdom.
In a press release issued on June 16, the Authority described the incident as a timely warning for educational institutions and other critical sectors to reassess their cyber resilience against growing digital threats.
“The University of Nottingham incident should serve as a reminder that no educational institution, regardless of its size, reputation, or technological sophistication, is immune to cyber threats,” the CSA stated.
According to the Authority, the cyberattack is believed to have compromised the personal data of approximately 450,000 students and alumni, including personal records, contact details, student identification information and financial data.
The CSA noted that although the breach occurred outside Ghana, it carries important lessons for the country’s education sector and other critical industries that increasingly rely on digital systems.
“While the breach may have occurred thousands of miles away from Ghana, its implications are relevant to our education sector and other CII sectors, such as Health, Telecommunications, and Transportation,” the statement read.
The Authority observed that Ghanaian universities are rapidly embracing digital technologies, including student information management systems, online learning platforms, cloud-based services, digital payment solutions and international research collaborations.
While these innovations have enhanced efficiency and accessibility, the CSA warned that they have also increased exposure to cyber risks and created new opportunities for cybercriminals to exploit vulnerabilities.
As a result, the Authority called on all owners and operators of Critical Information Infrastructure, particularly educational institutions, to comply with the Directive for the Protection of CII, which was launched in October 2021.
According to the CSA, the directive forms part of broader regulatory efforts aimed at strengthening cybersecurity across critical sectors and safeguarding essential services and national interests.
“Recognising the growing threat landscape, the CSA has developed regulatory frameworks aimed at strengthening cybersecurity across critical sectors,” the statement read.
It added that “the CII Directive seeks to ensure that operators of critical digital systems implement appropriate safeguards to protect essential services and national interests.”
The Authority explained that the directive encourages organisations to establish effective cybersecurity governance structures, conduct regular risk assessments, implement appropriate security controls, report cyber incidents, undertake periodic audits and develop robust incident response mechanisms.
The CSA further urged institutions to adopt proactive cybersecurity measures and strengthen their cyber resilience to protect critical digital infrastructure from evolving threats.