Open Colleges is an online educational business, and I assume that you have students all over the world. Does this make your role harder?
Actually expanding internationally is a relatively recent event at OC, we have expanded into New Zealand and India and this strategy is still in its infancy. As we continue to expand internationally this does significantly increase our profile and exposure to cyber threats. Complexity is increased because we have a more complex network and new staff in multiple regions which all need to be educated for phishing attacks.
As a business with 100% of infrastructure on cloud platforms I don’t need to worry about data centres which has enabled us to move quickly into overseas territories. We are very careful when selecting cloud partners as we rely heavily on there security practices to protect our data and IP.
How well is Cyber Security understood within the Open Colleges management ranks and with the business?
OC is a digital education business so we have a mix of management awareness of cyber security. Luckily for me Nic Cola our MD came from Fairfax Digital and is very familiar with the threat of cyber attacks on an online business. The rest of the group has a mix of digital and education backgrounds who understand to different levels. Overall as a digital business we are well aware of the risks involved.
But we do need to continually remind all staff on the threats and how to protect ourselves. That’s also my job!
Trevor what approaches have you used to ensure that your Board also well versed on the critical nature of cyber security?
There are 3 main ways we keep the executive team and board versed
- Each attack is communicated so they can see the level of activity
- Each request for investment in cyber security comes with a report detailing the latest threats and analysis of OC threat risk.
- We also conduct “disaster” planning scenarios where cyber treats are one of the main threats
What’s your opinion around Social Media, you have to use this to engage with your audience – but it potentially makes you a target as 3rd parties know more about you?
Social media is heavily used by both our marketing to engage with leads and support teams to engage with students. We have seen an increase in the number of attacks as a result of our brand profile increasing, we only see this trend continuing.
We will continue to use these channels as they are very effective for OC but are prepared to invest cyber security resource as the risk increases.
Have you ever been spear phished? (from my personal experience it’s not a fun event – but I did share this with my management committee members)
There are have been attempts but todate none have been successful - the socially engineered phishing attack posses the greatest risk.
If we were to lose our student data it would be a bad event for our business.
This is one area we plan to increase our investment to ensure we can minimize the risk of such an attack. To me this is the type of attack which I lose the most sleep over.
Secure by Design is critically important in the online world. How do you ensure your developers maintain this mojo?
Firstly this starts with the talent we hire, they all must understand how to build secure applications. We also rely heavily on the team leadership where we have a strong Dev manager and DevOps AWS architect who responsibilities and KPI include a security focus.
The dev manager coaches and mentors all members of the team and we have peer code reviews built into the process.
We leverage the DevOps resource who is responsible for tooling (eg cloudflare) and monitoring this looks for when shortcuts have been taken and blocks the code. We also have the basics covered ensuring everything and is patched etc.
On a scale 1-5, would you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?
I expect our investment in cyber security to increase significantly (4) over the next 3-5 because of the following reasons.
- Australian digital businesses are and will continue to be prime targets for cyber espionage and attacks
- As our brand profile increases we become bigger target
- Hacktivism or “Hacking as a service” will make it easier for anyone with a grudge to target OC.
- Attacks and threat will continue become more sophisticated and coordinated.
- Phishing attacks are not something a product or expert can fix and constant regular security training and awareness for staff is required, this is expensive.
- Our move internationally increased our network exposure and staff.
What’s the most important attribute that you must see to select new staff members to your team?
Customer or student focus is still the most important attribute, as this drives us produce better outcome not cool technology.
In terms of security we look for people who have worked on consumer products as they tend to be more security focused.
I’ve assumed that you are not working in a heavily regulated environment, do you think this helps or hinders the focus on information security that your team has?
Actually the education sector is heavily regulated and I believe this helps provide the basic level of protection designed for traditional education business, this is not good enough for digital education business so reliant on online platforms.
Therefore, it only hinders if you think compliant is good enough.
Finally what makes you excited to come to work?
Building a great online learning product for students, At OC we have build our own online learning platform which we have seen significant improvement in student engagement and gives us a competitive advantage. We have an exciting roadmap of features which all aimed at improving the experience and outcomes for students, trainers and support teams.