Cyber security and online safety

Author: Jackie Milne

As part of the Jisc Digital Leaders Programme I delivered sessions on cyber security and online safety. Given the time constraints, this was quite a challenge, and attendees from Skills, FE and HE kept me on my toes – passions tend to run high when you discuss risk, law and liability in the digital world, particularly with leaders of social media and IT enthusiasts.

Working through 5 common myths, we came up with some interesting questions, such as:

  • What does good information security actually look like?
  • Are we more vulnerable as digital ‘leaders’?
  • Online use can be risky, how do we avoid that?
  • How can we communicate ‘risk’ across our organisations?

Myth one: cyber security is all about IT

When we tried to articulate what cyber security actually means, most people talked about systems and technologies. Then we decided there’s a bit more to it than that, apparent to anyone who keeps an eye on data breaches via the UK Regulator’s website. People make mistakes and processes are not always consistent or effective, so perhaps a better approach is to consider all three: people, processes and technologies. The aim is to identify risks, plug the leaks and minimise consequences.

Myth two: the silver bullet

If only. One solution just doesn’t fit the bill for every college, skills provider or university. What we can do is recognise the type of information/assets we have, prioritise them, and put in place a level of security which is appropriate. In other words, consider the sensitive nature/commercial value of your information, and the harm that loss, theft or damage would have on individuals and your organisation’s reputation. We are usually good at determining what physical and technological measures we need (even if that’s not what we necessarily have); it’s the organisation and management of data which presents further challenges, e.g. who is actually responsible for this data? What policy do we have that sets out the approach we take? What procedures are invoked if something goes wrong? How do we learn from our mistakes?

Myth three: it’s not personal

Maybe, maybe not. Sometimes a ‘hacker’ will want to use your bandwidth or storage without considering for a moment which organisation pays for it. Other times there might be a very personal motive behind a breach/post/comment. Just ask Morrisons!
The fact that content is published immediately and easily can present risks in terms of personal liability/impact and that of your organisation, e.g. posting a defamatory remark about a colleague’s skills, sharing personal data of learners inadvertently in a screenshot, or ongoing harassment following a lecture on a controversial topic, to name a few. Awareness of risk means you may just take a couple of seconds, even nanoseconds, before clicking that post/send/comment button, and ensure you know where to get support.

Myth four: risks are obvious

This can’t be true or we wouldn’t hear about the successes of various scams, phishing attacks and so on. It’s also subjective; a digital leader may be very aware of the risk of clicking attachments and links in a communication from an unknown source, but what of your ‘followers’? Do all staff know they should be using a VPN when accessing open Wi-Fi? Are they ensuring apps are from a trusted and legitimate source?
If ‘leading’ colleagues and learners, you don’t want to dampen enthusiasm or innovation, but you do want to make them risk aware and get it right yourself as a credible leader.

Myth five: it’s too risky

Not in the room I was presenting in! We know there are huge advantages to getting this right (£ and reputation for starters).

Don’t be put off; ask yourself some pertinent questions, such as:

  • am I posting information about someone else, are they ok with that?
  • am I posting other people’s stuff, do I have permission?
  • am I up to date with relevant policies e.g. acceptable use?
  • do I know where to get help/what to do if there’s a problem?
  • which safeguards should I have in place e.g. when using an open network/mobile device?
  • have I read the policy on BYOD?

What next?

Be a resilient organisation with risk aware leaders and staff who are able to think through issues, be up to date with good practice and procedures, learn from others, communicate effectively and act quickly.

You are not alone, help is out there

  • in-house you will have expertise, so find out who that is and use it. This includes learners of course, who might be prepared to show you a vulnerability in your systems/processes/management or discuss issues openly
  • Jisc has a plethora of resources. If you can’t find what you’re looking for, tell us
  • professional networks, partnerships

I asked everyone what their next steps would be following my session. The options were as follows:

a. Congratulations all round
b. Start a conversation
c. Update guidance
d. Raise awareness with staff
e. Seek accreditation
f. Run!

Fortunately, no one left abruptly, and everyone agreed that A could be complacent. That left B, C, D and E. Provided delegates chose one of these, or any combination, I was happy 🙂

A big thanks to all who attended my sessions and I will take on board the requests for more examples of good practice as well as offering some form of packaged resource, to encompass relevant issues and stop reinventing the wheel.