"We've taken the approach that our staff are out strongest layer of defence. So, let's help them do that"
Nick Harris, Global Head of Information Security at Oxford University Press talks to Sooraj Shah about how his organisation sought to ensure the resilience of its services and its people during the COVID-19 pandemic, and beyond.
Nick Harris will be speaking at the teissR3 | Resilience, Response and Recovery summit taking place online, 15 - 24 September.
This year, the very popular teissR3 event focuses on how to improve your organisation’s cyber resiliency and adopt best-practice in incident response and crisis management in a post-COVID-19 world. Space is limited. Register your free place by clicking here.
How is resilience being defined in your organisation?
I think the key part there is it's business resilience, isn't it? So it's been defined somewhat fortuitously-- there's a big project that started last year to really look quite closely at resilience and business continuity. And that project also had to move much faster and much more in earnest come the new year.
And it's helped a great degree that the business has taken the lead. And that's really where I feel cybersecurity has got its strength in supporting that outfit. Ultimately we're here to support the business.
And it took a number forms. There was some actions around how we can keep people informed through the methods we got and knew. Because it's not so easy when you're sitting in your home office. You just can't ask your colleague. There's actions about keeping people safe, keeping morale and welfare high. And equally sort of all that we had in terms of ensuring resilience at the cybersecurity level.
And we took two leading actions in that, really. Partly was about resilience around our platforms. We are an educational provider. The educational industry got a huge amount of attention within the news, providing free applications and free access, and a huge amounts of change to respond to parents teaching, from teaching at home to the different methods that teachers were doing this remotely.
And with that it warranted some cyber attention that we didn't want. And we had to put in a few different technical controls to ensure the availability of our systems. Controls which weren't on the roadmap that we had to bring forward. Availability became so much more paramount, and equally we're trying to defend against people trying to undermine our brand and our image.
And the second part of it was about resiliency of our staff. Like I said, we're not in the office. We can't ask our colleague. Phishing emails, people deal with on their own now rather than asking someone, have you seen an email that looks like this? It looks dubious. They haven't quite got that resource.
So we set out a bit of a tick list that would really help the staff set themselves and help-- we take an approach that staff are our strongest layer of defence. So let's help them do that. So we gave them this list by which they could ensure they were doing certain practises at home well, what to look out for, how to secure a laptop when they're not with it. How to manage themselves and the home Wi-Fi. What to do with the family around. How to host video calls. Anything that would ensure the resiliency and the continuance of the organisation.
And that worked really well. It came with a lot of training and a lot of awareness campaigns that we've grown particularly around this new environment we found ourselves. Trying to shift staff's usual practise of keeping organisations secure to something at home. And doing it from home, and having resources and the knowledge by which to do that.