CollegeCo*, a UK further education college providing A levels, HNDs and other qualifications, contacted ROCK prior to the introduction of GDPR. They requested that we review their current cyber security measures and practices to ensure everything was in order and sufficiently robust.
With GDPR legislation set to come into effect in just three months, CollegeCo contacted ROCK and requested that we audit their network, with a view to improving their cyber security posture. This, they explained, was to ensure that all possibilities had been considered. They were confident in the measures they had in place but, due to the highly sensitive information they held, wanted to ensure every conceivable eventuality had been taken into account.
ROCK undertook an in-depth audit not just of the cyber security measures the client had in place but, vitally in this instance, of the common practices observed throughout the institution. This revealed that, whilst the organisation’s digital infrastructure was well managed and required few changes, staff were allowed to connect their own devices and flash drives to the network, and those devices were not subsequently managed. This left a considerable and easily exploitable gap in their security.
Additionally, our research revealed that staff regularly took sensitive and unencrypted data off-site. Should this have continued following the implementation of GDPR, CollegeCo could have been issued with a significant fine.
ROCK identified more than 130 devices present on CollegeCo’s staff network. Once staff had agreed to a new BYOD policy, all of these were enrolled in a recently installed UEM system capable of installing required patches automatically. This software also allows administrators to identify specific devices that have been breached and isolate them accordingly.
Following the implementation of an email management solution for all staff email accounts (which were accessed on multiple devices), 25,000 emails received by staff members were placed into a spam folder within a six-month period, illustrating how frequently malicious communications had been reaching unpatched and fundamentally insecure devices.
Finally, ROCK ensured that all of CollegeCo’s data, whether stored on internal devices or on those that were to be taken off-site, was encrypted, with ROCK managing the decryption keys centrally.
*We value our clients and their right to a confidential consultation. While the name has been altered, the results are real.