Member storyTwo colleagues look at a computer screen in an office.

Coleg Y Cymoedd: Cyber security assessment

Focused on improving their cyber security posture, the IT team at Coleg Y Cymoedd, together with Jisc, completed a cyber security assessment. By evaluating the effectiveness of their current measures, the process enabled them to identify what steps they could take to strengthen their security further.

With a comprehensive plan in place, the team is now upskilling and educating learners and staff at all levels across the college about the importance of effective cyber security.

Rory Meredith, director of digital strategy and innovation, and Chris Joseph, director of IT services, collaborated with Jisc to undertake a cyber security assessment (CSA) after the college received funding from Welsh Government.

Rory says:

“The funding enabled the college to prioritise carrying out the CSA. As is often the case in FE, the IT team is relatively small in number with a heavy workload and under tight budget constraints. The Welsh Government funding removed financial barriers and incentivized us to set time aside to carry out the assessment.”

Technical expertise

Rory and Chris are used to taking part in college audits which have always been scoped at quite a high level and followed a particular path.

“I have been through a number of audits with the team since joining two years ago, and we haven’t had the opportunity to reflect upon specific and detailed questions with experts that are knowledgeable in the cyber field, but the CSA was incredibly in-depth and revealing.

“It had the necessary focus and was much more comprehensive than anything we’ve ever experienced. I feel like we now have a better understanding of where we are and what actions we need to take to improve, than any other audit we’ve done.”

Chris adds:

“The audits we’ve been involved in before weren’t delivered by technical people, the cyber team at Jisc are technical, they understand us and the systems; it has been massively beneficial.”

Honesty is the best policy

Prior to the CSA, the team were reluctant to admit their problems and challenges out loud. Chris says:

“With the technical team at Jisc we were able to be honest. They are knowledgeable, approachable and we felt understood as an organisation. They were able to empathise with the college’s position in terms of mitigating the technical and business risks whilst also being flexible with learners.”

In addition to the CSA, the team also completed an internal infrastructure review which helped to bring into context the nature of the growing work in this area and the capacity needed within the team to effectively underpin delivery, compliant with legal obligations and relevant standards. Rory says:

“We’re now fully informed and aware of the work we need to do to improve our cyber security and are able to propose comprehensive plans and recommendations to become more effective.”

Working across the FE sector, the team at Jisc were able to draw on experiences and identify commonalities in terms of what small IT teams are facing.

“Jisc has not only been supportive with the CSA but also putting into context the wider picture.”

Putting cyber security firmly on the agenda

And the impact on staff and learners has been positive too. For colleagues working in the IT team, the CSA has helped to highlight the pressure they are under and identify areas for improvement. At a senior leadership level, cyber security is now firmly on the agenda and the CSA has helped to inform their strategic plan. Chris says:

“The senior leadership team (SLT) are supportive and aware of the improvements that are needed.

“Jisc communicating directly to our SLT was invaluable. We completely understand where we are and that we need to invest and grow our IT team, not only to build capacity, but to improve those technical skills and specialisms within the team.”

Rory says:

“The threat of a cyber-attack to business continuity is now much more tangible, especially given recent events across the FE sector in Wales, with other colleges being targeted. The CSA provides critical information on the actions we need to take as a college to mitigate risks.”

An organisation-wide effort

Staff generally across the college have been more accepting of the need to focus on cyber security. Rory continues:

“Communication has been key. Much of the work that IT staff are undertaking in this area is unseen, so we need to improve and increase our communication across the college to raise that awareness and to demonstrate that we’re only making progress in this area thanks to the understanding and co-operation of our staff; they play an integral role in helping to keep the organisation safe.”

In September/October 2022 before carrying out the CSA, the college introduced multi-factor authentication (MFA) for staff and learners.

“Informing them at that point about the importance of cyber security helped to embed that understanding and encourage empathy. We understand it can be an inconvenience and a disruption for them, so it’s essential we effectively communicate why the work is needed.”

The importance of ongoing training and communication is something the team are well aware of.

“We have a digital wellbeing champion at the college who actively visits all four campuses to meet with learners and inform them about online safety and cyber security.

“There’s a lot of great work going on by other people outside of our IT team. It’s not an IT Services only activity, it’s about the whole organization working together.”

A dark art

Heading into the CSA, the team already had a backlog of work which had grown as a result of Covid and the explosion in the provision of, and reliance on, digital technology. Having a heavy workload is something that the team has become accustomed to. The CSA has helped to reveal the volume of new work required, it’s potential impact on the mental health and wellbeing of the team, the new specialisms needed to carry out the work, and where investment in staff is essential. Rory adds:

“Before the CSA, we acknowledged that a consequence of having a small IT team is that everyone has to be more of a generalist rather than a specialist.”

Chris says:

“When you think about our estates department, they work on projects that you can physically see, feel and touch, such as a room refurbishment. You’ve got different individuals carrying out tasks, plumbers, carpenters, and electricians. IT is like a dark art in a sense, one person is often expected to understand and undertake work across a multitude of skills.

"It’s generally a theme that you see in colleges. If we can grow the team we can give people the opportunity to develop a specialism and acquire more focused knowledge, rather than spreading themselves too thin and having to retain all that information.”

Looking to the future

Going forwards, the CSA has already supported the development and delivery of a position paper for the IT department, which has been supported and validated by Jisc. In addition to a comprehensive plan with clear priorities, the team now has more awareness of the free tools that can assist the college, in terms of measuring the effectiveness of their own defences. Having secured cyber essentials plus in their work based learning (WBL) department, their ambition is to expand their achievement of cyber essentials across the whole college.

For Rory and Chris, they believe the only way to address security issues is to be open, honest and transparent. Rory says:

“The CSA has been super beneficial in helping us to move cyber up the priority list. Attacks are increasing across the sector and without this type of detailed assessment we wouldn’t have such a clear picture of what it is we need to do next to improve.”

Join the ‘defend as one’ campaign to come together with other members from across higher and further education in a common cause - to build robust defences across the sector and strengthen your organisation’s cyber security posture.

By working together to share intelligence, experiences and best practice, the sector will be better protected.