3. What if…
Impact of a DDOS attack on the College
• Research places a network outage as costing on average £3,300 per minute. This is
the equivalent of the annual funding to the College for 1 full time student EVERY
MINUTE
• Average length of attack at a Scottish College is 21 minutes, equating to £70,000
• Loss of external links means loss of contact with external stakeholders, including
potential new applicants via the College website
• All levels of teaching interrupted from BCS ECDL courses to Degree level provision
• Depending on timing, could impact on processing student funding or staff salary
payments impacting relationships internally
4. What if…
The College suffered a Phishing/Malware attack?
• Loss of control of business critical infrastructure, information and/or IP
• Loss of access to affected network drive until restored
• Impact on staff time to restore affected network drive
• If information taken from College systems –
• Reputational damage and loss of trust
• Potential legal action against the College (Information Commissioner or private
individuals)
5. Cyber Mitigation
It’s not all digital
• Complacency can be the biggest threat to an organisation. The Cyber environment is
constantly evolving and you must evolve with it
• There can be a temptation to just throw money at the problem of Cyber Security with
the latest software protections and kit
• While important, all your efforts are only as effective as the
weakest link in your armour which research shows is almost
always
• People
9. Cyber Mitigation
Policies and Strategies
• Robust IT Security Policy
• Creative Learning & Technologies Strategy
• People Strategy
• Enhancing the digital skills and cyber awareness
of staff
10. Preparing People
• Effective training for your staff
• De-mystifying cyber threats
• Sense of ownership across the organisation – not just an IT
issue!
• Staff have awareness of cyber threats and bear this in mind
when developing/reviewing systems
• Raise awareness of staff to enable them to recognise a threat
• Educate staff to be aware of digital risks in both their work and
personal life
Cyber Mitigation
11. DDOS
Phreaker
Malware
Phisher
Click Jacking
Cybernetic Symbiosis
Shoulder Surfer
Patching
Fake Access Point
Hacker
Preparing People
• Effective training for your staff
• De-mystifying cyber threats
• Sense of ownership across the organisation – not just an IT
issue!
• Staff have awareness of cyber threats and bear this in mind
when developing/reviewing systems
• Raise awareness of staff to enable them to recognise a threat
• Educate staff to be aware of digital risks in both their work and
personal life
Cyber Mitigation
12. Preparing People
• Effective training for your staff
• De-mystifying cyber threats
• Sense of ownership across the organisation – not just an IT
issue!
• Staff have awareness of cyber threats and bear this in mind
when developing/reviewing systems
• Raise awareness of staff to enable them to recognise a threat
• Educate staff to be aware of digital risks in both their work and
personal life
Cyber Mitigation
13. How do we treat health
and safety?
Preparing People
• Effective training for your staff
• De-mystifying cyber threats
• Sense of ownership across the organisation – not just an IT
issue!
• Staff have awareness of cyber threats and bear this in mind
when developing/reviewing systems
• Raise awareness of staff to enable them to recognise a threat
• Educate staff to be aware of digital risks in both their work and
personal life
Cyber Mitigation
14. Hello!
I'm a programmer who cracked your email account
and device about half year ago.
You entered a password on one of the insecure site
you visited, and I catched it.
Your password from ken.thomson@forthvalley.ac.uk
on moment of crack: hu11city
Of course you can will change your password, or
already
made it.
But it doesn't matter, my rat software update it every
time………………..
Preparing People
• Effective training for your staff
• De-mystifying cyber threats
• Sense of ownership across the organisation – not just an IT
issue!
• Staff have awareness of cyber threats and bear this in mind
when developing/reviewing systems
• Raise awareness of staff to enable them to recognise a threat
• Educate staff to be aware of digital risks in both their work and
personal life
Cyber Mitigation
15. Preparing People
• Effective training for your staff
• De-mystifying cyber threats
• Sense of ownership across the organisation – not just an IT
issue!
• Staff have awareness of cyber threats and bear this in mind
when developing/reviewing systems
• Raise awareness of staff to enable them to recognise a threat
• Educate staff to be aware of digital risks in both their work and
personal life
Cyber Mitigation
16. Protecting your Infrastructure
• Invest in a secure firewall
• Up to date anti-virus and malware protection
• Deploy security patches timeously
• Regular vulnerability scans and action results
Cyber Mitigation
17. External Scrutiny and help/advice
• Cyber Essentials accreditation
• External audit
• JISC Review
• Penetration Testing
• JISC expertise on cyber resilience
• Member of Cyber Security Information Sharing Partnership
(early warning of cyber threats and secure exchange of
information)
• Member of Scottish Colleges Information Leadership Group
(sharing of knowledge and good practice)
Cyber Mitigation
18. Dealing with the impact
• You must recognise that, even with all the preparations in place
within your organisation, a sufficiently skilled/persistent attacker will
get through
• Structure your network to implement isolation and cut off impacted
sections and prevent spread
• Effective and robust business continuity plan in place and tested to
facilitate recovery to normal operations
• Build resilience to your network – multiple routes to the outside
world
Cyber Mitigation
19.
20. Dealing with the impact
• You must recognise that, even with all the preparations in place
within your organisation, a sufficiently skilled/persistent attacker will
get through
• Structure your network to implement isolation and cut off impacted
sections and prevent spread
• Effective and robust business continuity plan in place and tested to
facilitate recovery to normal operations
• Build resilience to your network – multiple routes to the outside
world
Cyber Mitigation