Cyber security and online safety

Author: Jackie Milne

As part of the Jisc Digital Leaders Programme I delivered sessions on cyber security and online safety. Given the time constraints, this was quite a challenge, and attendees from Skills, FE and HE kept me on my toes – passions tend to run high when you discuss risk, law and liability in the digital world, particularly with leaders of social media and IT enthusiasts.

Working through five common myths, we came up with some interesting questions, such as:

  • What does good information security actually look like?
  • Are we more vulnerable as digital ‘leaders’?
  • Online use can be risky; how do we avoid that?
  • How can we communicate ‘risk’ across our organisations?

Myth one: cyber security is all about IT

When we tried to articulate what cyber security actually means, most people talked about systems and technologies. Then we decided there’s a bit more to it than that, apparent to anyone who keeps an eye on data breaches via the UK Regulator’s website. People make mistakes and processes are not always consistent or effective, so perhaps a better approach is to consider all three: people, processes and technologies. The aim is to identify risks, plug the leaks and minimise consequences.

Myth two: the silver bullet

If only. One solution just doesn’t fit the bill for every college, skills provider or university. What we can do is recognise the type of information/assets we have, prioritise them, and put in place a level of security which is appropriate. In other words, consider the sensitive nature/commercial value of your information, and the harm that loss, theft or damage would do to individuals and to your organisation’s reputation. We are usually good at determining what physical and technological measures we need (even if that’s not necessarily what we have); it’s the organisation and management of data which presents further challenges, e.g. who is actually responsible for this data? What policy do we have that sets out the approach we take? What procedures are invoked if something goes wrong? How do we learn from our mistakes? etc.

Myth three: it’s not personal

Maybe, maybe not. Sometimes a ‘hacker’ will want to use your bandwidth or storage without considering for a moment which organisation pays for it. Other times there might be a very personal motive behind a breach/post/comment. Just ask Morrisons!
The fact that content is published immediately and easily can present risks in terms of personal liability/impact and that of your organisation, e.g. posting a defamatory remark about a colleague’s skills, inadvertently sharing learners’ personal data in a screenshot, ongoing harassment following a lecture on a controversial topic, to name a few. Awareness of risk means you may just take a couple of seconds, even nanoseconds, before clicking that post/send/comment button, and ensure you know where to get support.

Myth four: risks are obvious

This can’t be true, or we wouldn’t hear about the successes of various scams, phishing attacks and so on. It’s also subjective; a digital leader may be very wary of clicking attachments and links in a communication from an unknown source, but what of your ‘followers’? Do all staff know they should be using a VPN when accessing open wifi? Ensuring apps are from a trusted and legitimate source?
If ‘leading’ colleagues and learners, you don’t want to dampen enthusiasm or innovation, but you do want to make them risk aware and get it right yourself as a credible leader.

Myth five: it’s too risky

Not in the room I was presenting in! We know there are huge advantages to getting this right (£ and reputation for starters).

Don’t be put off; ask yourself some pertinent questions such as:

  • am I posting information about someone else, are they ok with that?
  • am I posting other people’s stuff, do I have permission?
  • am I up to date with relevant policies e.g. acceptable use?
  • do I know where to get help/what to do if there’s a problem?
  • which safeguards should I have in place e.g. when using an open network/mobile device?
  • have I read the policy on BYOD?

What next?

Be a resilient organisation with risk aware leaders and staff who are able to think through issues, be up to date with good practice and procedures, learn from others, communicate effectively and act quickly.

You are not alone, help is out there

  • in-house you will have expertise, so find out who that is and use it. This includes learners of course, who might be prepared to show you a vulnerability in your systems/processes/management or discuss issues openly
  • Jisc has a plethora of resources. If you can’t find what you’re looking for, tell us
  • professional networks, partnerships

I asked everyone what their next steps would be following my session. The options were as follows:

a. Congratulations all round
b. Start a conversation
c. Update guidance
d. Raise awareness with staff
e. Seek accreditation
f. Run!

Fortunately, no one left abruptly, and everyone agreed that A could be complacent. That left B, C, D and E. Provided delegates chose one of these, or any combination, I was happy 🙂

A big thanks to all who attended my sessions and I will take on board the requests for more examples of good practice as well as offering some form of packaged resource, to encompass relevant issues and stop reinventing the wheel.