It’s been a few days since the JISC Security Conference, but I am only now seeing light at the end of the tunnel, having spent the last few days catching up following my two days out at the event. As such, I thought I would share some thoughts following Day 2 of the conference.
Defend as one
During the course of the 2nd day of the conference I attended a number of sessions where various educational institutions shared their experiences of cyber incidents. I will admit it was good to hear their experiences, as generally all we get to hear of in relation to cyber incidents in schools, colleges, and universities is the news posts, which lack any of the detail as to the cause and impact of the incident, or the resulting recovery operations. It would be good to hear more of the details around cyber incidents in schools, etc., as there is a great opportunity for us to learn from the experiences and collectively seek to be more secure, with this being summed up by the JISC conference tag line, “Defend as one”. I will however note the challenges in relation to this due to the sometimes sensitive nature of such information.
Cyber: An IT issue?
Now the event itself was very useful for me as a Director of IT, being surrounded by others in similar roles; however, as identified by one of the speakers, this also represents a challenge. Technology security is not solely the responsibility of IT. It is the responsibility of all those who use technology, who manage or are the owners of data, who lead departments and who lead or govern within educational institutions. Equally, all these people need to be on board and considering what they might be doing in the event of a critical technology incident, where they will need to try to keep operations going while the IT team focusses on the technical issue. Yet the JISC security conference was mainly attended by IT people. Clearly there is a need for others to be more engaged, and I will certainly be looking to try and encourage other non-IT senior staff to attend events like this in the future.
Third Parties and supply chain risk
As the second day proceeded, I started to see some key themes and messages coming out, some of which aligned with my own thinking, with one of these being the risk associated with third parties and the supply chain. Increasingly we are using more external solutions, either online solutions or solutions where we have technology from a third party running on our networks. Examples might include a third-party hosted website solution, a CCTV solution hosted on site, or a visitor management solution hosted on site. These solutions have access to school data or may be on the school network, and as such may either represent a risk to the data should they suffer a cyber incident, or could represent a risk to the school network. If on the school network, they might introduce vulnerabilities which we are unable to address ourselves and where instead we must wait for the supplier to identify and resolve them by developing and deploying an update or patch. So this risk highlights the need for due diligence before introducing new solutions. This didn’t really happen during the pandemic, as we sought to act quickly to address the challenges, so there is work to do in carrying out the due diligence for systems now in use. Also, due diligence at the point of purchase represents a snapshot; most technology solutions evolve over time, with new functionality being added or existing functionality adjusted and changed, meaning the due diligence which was originally conducted is now out of date and inaccurate. This highlights the need for periodic review, but this is then yet another task or piece of work which needs doing, and who does this due diligence where departments across a school, college or university are sourcing their own solutions? For me the key here is that we need to look to do more in relation to examining the cyber resiliency and disaster recovery plans of the third parties we use.
Another theme which came across was the extent of the cyber incidents described. Basically, in some cases it meant starting from scratch, turning everything off and rebuilding. But this takes significant time, running into weeks and months. This means it is key to identify the priorities for the recovery. What systems and processes need to be recovered first? If we don’t stop and consider this now, while things are running, we will likely find ourselves in the middle of an incident with every department and user screaming that their system or process is the most important, and we will then waste significant time trying to debate and decide. Clearly there is a need to examine all the systems and technology in use and then identify a clear and documented priority order for these systems, such that when an incident occurs there is a clear priority order to work to.
The issue of data governance was particularly notable in discussions related to HE, to universities, and this is likely due to their size and scope when compared with schools and colleges. That however is not to say that the same challenges don’t also exist in schools and colleges. The key question here is about the basics of data management and knowing what data we have, why we have it, where it is and, likely most importantly, who is responsible for it. And in terms of responsibility, I am not referring to IT teams being responsible because they run the systems the data is stored on, but to who the owner of the data is. For example, admissions data doesn’t belong to IT, it belongs to the admissions team, while pastoral data belongs to the pastoral team. IT can never know the processes and uses of all the data stored by different departments on IT solutions, and therefore cannot be responsible for the data management side of such data. It is the data owners that are responsible for what data they gather, how it is stored, how long they keep it, etc. It was clear from some of the discussions that greater effort needs to be made to ensure all understand who is responsible for what data.
There was a lot to think about on Day 2 and, to be honest, I haven’t as yet had a sufficient amount of time to properly stop and reflect on the day or on the wider conference as a whole. And I suspect it will be a few weeks, and maybe the end of term, before this will properly happen.
That said, the above represents some of my initial thoughts based on some of the copious notes I took during the course of Day 2.
I will end on an important message as I see it: this can all seem like doom and gloom. The “when” rather than “if” of a cyber incident, the size and impact of such an incident and the multiple things we need to be doing to prevent and prepare, all against the backdrop that no matter what we do it may still happen. We cannot allow it to be all doom and gloom. My view is therefore that we need to simply seek to continually improve, to not try and do everything, but to try and seek to be more secure today than we were yesterday.