Alex Harding is IT services manager of Runshaw College. Alex and his team have taken the college from the information security starting blocks to being substantially on the way to achieving the coveted ISO 27001 accreditation. He shares how he did it.
Our starting point was effectively nothing. We had basic antivirus provision and email security but no big-picture thinking on information security. No policy, no frameworks, no tracking of incidents. I think much of further education (FE) is in that situation.
I remember the first time we came to the security conference in 2017 and there was a chap from a large university presenting. He said one of his challenges was that he had only about a million pounds to spend on information security. I reached in my pocket and I tipped all the change out of it on the table in front me. Our Jisc account manager was sitting next to me, and I said, "Andrew, it looks like we've got about £2.80 to spend on information security.”
Making the most of a tight budget
Given our financial constraints, we needed to be quite light touch and agile and build from the ground up. There are only 12 of us in the team, including the service desk, the infrastructure team and the IT systems team.
We started with the basics: a comprehensive and ongoing risk assessment, some overarching policies and then policies in specific areas such as password management, encryption and clear desks. And, of course, Cyber Essentials.
Taking an agile approach, we drew a freehand diagram of what we called the rich picture on a whiteboard. Everything’s on there: the college at the centre, where the threats might come from, what existing mitigations we've got. It’s a thought shower of what the threat landscape looks like for us.
We’ve unpicked that into a more formal risk assessment, prioritising as we go and, in some instances, stopping the risk assessment process to add mitigations and create policies.
Patching as we go has proved more effective for us than sticking for a couple of months, carrying out the risk assessment, doing the analysis. It fits our available resources better because, essentially, our available resources are any time we're not doing the day-to-day firefighting.
Changing threats and staff awareness
At the same time, the threats have been changing. A couple of years ago we had some big denial of service attacks. Now we're seeing more and more phishing attempts and social engineering – people-focused threats.
We have biannual penetration testing through Jisc and last year, for the first time, we introduced a simulated phishing attack, based around an end of term celebration / gathering feedback type of email. The team had been keeping a book on what percentage we thought would be successful but when I saw the actual template come through from the security team, all bets were off at that point. My phone did not stop ringing the following day as something like 30% of people gave it their credentials.
As a result, we devised a big campaign involving our staff magazine and phishing awareness training. In a repeat test just after Easter, we were down to 5-10%. There is clearly still a risk there but we’re moving in the right direction.
Increasing awareness across all staff – both teaching and support staff – is always the greatest challenge and is where the biggest risk lies. I think convincing people that just because we are in education and we're not making mega-millions doesn't mean that we're not a viable target for these attackers.
We’ve been taking the approach that it’s like health and safety – it’s everyone’s problem. If you spot a spillage in a corridor it’s a danger to others and you report it. In the same way, people need to report phishing near-misses: "oh, I had this phishing campaign and I didn't fall for it. I'll send that through to you."
Cyber Essentials and ISO certification
Maintaining Cyber Essentials Plus as a minimum standard is a key plank of our overarching information security policy and we will go for renewal every year. We learned a lot from that process itself.
Even though it's quite a light touch process, it highlighted that even at a low level there were gaps in our practice. Of course, we should be aiming higher and wider and going further. But it's a good starting point and a good solid foundation.
As for ISO 27001, we’ve started our journey but we are a long way from the finish line.
We’re prioritising risk treatments as gaps are identified and we’re proud that we’ve adapted our IT service management tool (Jira) to become our information security management system, allowing us to link key services and assets to elements of the risk assessment.
Alex’s advice for other FE colleges starting on this journey
Talk to your Jisc account manager. There’s a wealth of knowledge and experience in Jisc to help with those foundation steps and starting out. That's been a big win for us. We've learned a lot from the Jisc security team, CSIRT and joining the UK security mail base.
Look into Cyber Essentials and see where you are from that minimum standards point of view.