Friday, 10 October 2014

Top Ten Issues in Higher Education



Each year EDUCAUSE / ECAR produces a set of Top-Ten Issues.

A presentation at the EDUCAUSE conference this week gave a first glimpse of the 2015 Issues.  These will be published next January, but are available here:



 Points 7, 8 and 9 all refer to Information Security.

How to make your University Secure - Poster


Presented at EDUCAUSE poster session.

How to Make Your University CyberSecure

I ran a workshop at EDUCAUSE last week titled: 'Diamonds and Paper Clips: Steps Needed to Make Your University Cybersecure'. 

We conducted a survey, and there were really interesting results. The results show percentage of universities represented having specific achievements:


Percentage with IS primarily in IT department: 95% (but strong views that IS has to become separated from IT)
Percentage with recognised and agreed Incident Response Process: 20%
Percentage with signed-off university IS policy: 25%
Percentage with information asset register: 35%
Percentage attempting to classify assets: 25%
Percentage with IS risk register: 10%
Percentage where university can identify most valuable information assets: 15%
Percentage where university can identify most valuable assets and perform risk assessment: 3%




Friday, 22 August 2014

How do you identify crown-jewel information assets and protect them?

I have developed an 'Information Asset Register Tool' that is undergoing testing.   Take a look!     If you do, please let me have your comments.

Excellent Information Security Guide

Internet2 has an excellent Information Security Guide.   It is designed to support university Information Security managers and is a superb resource with an excellent front page interface.

Definitely worth a look.

Wednesday, 2 July 2014




Why senior leaders are the front line against cyberattacks


Found a very interesting McKinsey article which empahsises that senior managers need to lead.  An extract:


"Cybersecurity is a CEO-level issue. The risks of cyberattacks span functions and business units, companies and customers. And given the stakes and the challenging decisions posed by becoming cyberresilient, making the decisions necessary can only be achieved with active engagement from the CEO and other members of the senior-management team."

Tuesday, 27 May 2014

The Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills and carried out by PwC, was announced by David Willetts at the Infosecurity Europe conference.

The survey reported that 81% of large organisations suffered a security breach over the last year, and whilst this is down from 86% a year ago - and organisations are experiencing fewer breaches overall - the severity and impact of attacks has increased, with the average cost of an organisations’ worst breach rising significantly for the third consecutive year. For small organisations the worst breaches cost between £65,000 and £115,000 on average and for large organisations between £600,000 and £1.15 million.

A very important and relevant finding this year is that, "70% of companies that have a poor understanding of security policy experienced staff related breaches, compared to only 41% in companies where security is well understood. This suggests that communicating the security risks to staff and investing in ongoing awareness training results in fewer breaches."

The full PwC report is available from: http://www.pwc.co.uk/audit-assurance/publications/2013-information-security-breaches-survey.jhtml, and provides a useful perspective for our University's Information Security activities and priorities.