Back in June 2018, I was very fortunate to be offered the ucisa bursary to attend InfoSecurity Europe conference in London. InfoSec as a conference offers attendees insights into the latest trends surrounding information security, and largely focusses on cyber security threat prevention and mitigation.

 

Attending this conference was refreshing for me in two ways. I was exposed to a number of new and emerging themes and it was great to meet new people with exciting ideas, and a real drive to provide a safe, digital environment for colleagues and customers. I hope that with this blog post, I can give you a sense of my overall experience and share some of the information from the event.

Throughout the years I have supported The University of Chichester’s IT infrastructure journey from being based solely on site, to having a blend of both hosted and on-premise deployments. As Chichester grows both in terms of its IT deployment but also in numbers of students, staff members and other types of users, it is inevitable that our cloud footprint will grow too. With this, my role is focussing more and more on security whilst enabling digital transformation projects, which, by their own nature have implications when it comes to protecting the data of our user-base. One of the things I value most from being able to attend InfoSec was being able to share Chichester’s story with other representatives from both commercial and non-profit organisations and learn that they were too, facing the same challenges.

A common discussion point which came up regularly at InfoSec was prevention and mitigation methods against cyber-attacks. However, vendors and consumers generally agree that total prevention isn’t guaranteed and that it’s only a matter of time until an organisation’s next cyber incident. One session that I attended, had determined the average time taken to expose a breach is 191 days. For some organisations this presents potential cultural challenges as the workforce isn’t always empowered to blow the whistle when a breach is identified. Should a breach be discovered from outside the organisation however, the repercussions could be irreparable. One of my personal takeaways from InfoSec from the sessions was using repositories such as ‘haveibeenpwned.com’ and cross referencing these with our global email address lists to determine if any of email addresses had been leaked. Someone was even so kind as to point me in the direction of the PowerShell script which carries out the comparison, which we’re still using regularly now.

In the sessions and general conversations, email continues to thrive as the primary threat to an organisation’s information security. Email attacks have been at play for over twenty years now and yet commercial, education and non-profit organisations are still struggling to deal with these attacks. It was reassuring to hear that we weren’t alone in this battle.

 

I took many technical recommendations away with me from the conference, such as providing banners on external emails, identifying cloned addresses and recommendations to use Office 365’s security assessment, which identifies any vulnerabilities in your tenancy and makes the appropriate recommendations.

 

In light of the above, what was promising to hear is that many organisations are attempting to strike a balance between prevention measures and training. Implementing proactive measures to prevent threats is the immediate go-to action, however, both commercial organisations and HEIs are investing more into providing user training and assessing their security vulnerabilities within the workforce. I came out of InfoSec in high spirits, knowing that in the absence of an unlimited budget for investing in security measures, we are fortunate to have at Chichester an open dialogue with our students and staff with regards to awareness of cyber threats and good digital security practice in a modern University.

InfoSec really broadened my horizons to information security in a way that I hadn’t been exposed to previously. So much so that it has had an impact on my academic studies where leadership in cyber security forms the main subject area of the final year dissertation for my master’s. Recently I have been invited into teaching sessions to talk with degree apprenticeship students about some of the subject areas covered at InfoSec in the hope that it could have a positive impact in their professional lives.