The WPM Higher Education Payment and Security Conference (PASC) is a very professionally organised and well-attended conference, mainly aimed at finance and information security leads from UK Universities, although several overseas universities also attended. This year, it was held at the impressive Celtic Manor Resort in South Wales. We had a jointly branded PA and 7Safe stand, as well as a slot on one of the expert panels, leading to several interesting conversations with potential clients, covering a wide range of issues including privacy, PCI DSS, cyber resilience, protective monitoring, and identity and access management.
Elliot Rose, partner in the Innovation team, gave a talk on Day 1 on the subject of ‘Beyond GDPR: Making Privacy Business as Usual’. Elliot also joined the GDPR Panel Session and Q&A with Mike Vale, University of Manchester and Stuart Ritchie, gdpr360. Elliot made the point that compliance is not the end of the game for GDPR:
“At PA, we’re working with organisations around the world to understand how the systems and processes needed for the GDPR, and other data privacy legislation, can create opportunities to improve decision-making and customer experience.
Students and staff in UK Higher Education will be won over by the commitment to privacy and security. And the improvements in data management will generate new insights about the opportunities available for developing more effective programmes.”
PA’s John Skipper and Sujith Madathil Parambath staffed the PA and 7Safe stand.
How do we fix the ‘Data Protection and Privacy’ problem in UK Universities?
John said: “One common area of concern from university IT managers visiting our stand was the need to be certain that they had effective procedures in place to detect, report and investigate any potential data breaches. Under the GDPR rules, such breaches may need to be reported to the Information Commissioner and any students or staff affected within strictly specified time periods. Detailed data management and storage policies are key to success in implementing the GDPR, although it is important not to neglect cyber security risks in your data protection measures, as merely guarding against human error won’t deter the determined hackers.”
Data discovery/audit processes could help to save your institution’s reputation
Sujith received enquiries concerning both GDPR and PCI DSS auditing best practice. “Carrying out a paper-based and technical audit to establish what personal data is held on students, alumni and staff is a must-do exercise. Where did the data come from and how long have you stored it? Do the individual data subjects know that you collect it, how you use it or which organisations it is shared with? And where are data records, in particular those containing any ‘sensitive personal data’ about, for example, a data subject's racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences?”
Sujith added: “The HE sector needs robust compliance processes to cover all the rights that individuals now have under the GDPR. These include how you edit, electronically transport, securely store, correct, retain and delete a data subject’s personal information. All requests (if valid) from students and staff for personal data must also be supplied to them in an appropriate format. It follows that universities and colleges need to plan exactly how they will handle requests within the GDPR timescales and provide these free of charge. This can include requests regarding data that may not have been previously considered. A few examples are CCTV recordings, surveillance technologies, photos, attendance records and digital information held on social media, educational websites and apps.”
In addition to GDPR advice and project consultancy, PA and 7Safe provide cyber skills training courses for Security Operations Centre managers and staff, consultancy for all aspects of cyber security maturity and management systems best practice, and a full range of technical services that include cyber security incident response planning and telephone/onsite support, penetration testing and threat hunting to find malware.
# # #
It’s not a matter of if, but when. In 2017, 74% of British businesses said that cyber security is a high priority for their senior management, with 49% of those having experienced an attack or breach within that year. Despite this, only 11% have a formal cyber security incident management process or response capability in place.
We provide Cyber Security Incident Response (CSIR) services to organisations that would like to prepare for, or are suffering from, a cyber-attack or breach. We offer four tiers of retained service to deliver peace of mind, and in the event that an incident is currently taking place we can be deployed on demand. Our Cyber Threat Hunting (TH) services are integrated with our retained CSIR service tiers.