In the light of several highly publicised cyberattacks on businesses and schools, the leadership team at the school decided that they should seek external assurance around their cybersecurity posture by engaging a suitably qualified and experienced partner to perform a penetration test and cybersecurity assessment of their systems and policies.
Mr Nathan Mares, Director of IT at the time, was also in charge of maintaining risk and compliance for the school. With his years of experience in the field, he knew that the impact of a potential cyberattack could destroy the school’s good reputation.
‘Honestly, security and backups are what keep me awake at night. A cyberattack could cause significant reputational damage for a school – and no one wants to be on the front page of the Sydney Morning Herald for a data breach,’ Mr Mares says. ‘Any breach can impact enrolments and the trust of the school community. On top of that, you’ve got the business disruption. When schools are tackling a data breach, they’re not doing everything else that needs to be done.’
With this threat in mind, the search began for an expert IT partner that could provide a penetration test that was thorough, but also non-destructive, and a NIST cybersecurity assessment and report that would help the school improve their security for the future.
‘Maintaining good governance and getting some assurance around our stance on cybersecurity were two of the main drivers for the project,’ Mr Mares says. ‘We wanted to look at the policy, the resourcing and all our systems. And rather than just saying, “what’s broken right now”, we wanted to know what we needed to be doing to make sure we maintained and continued to improve our security posture in the future.’
As is often the case with schools, Mr Mares was dealing with IT infrastructure that had evolved
over time, under a mixture of different teams and leadership – and without full documentation of all the systems and processes, he wanted to be sure he had a complete analysis of where the school stood.
‘There were some legacy systems and policies that were hanging around that we didn’t have a heap of documentation for,’ Mr Mares says. ‘We needed someone with the right technical expertise to untangle that and check it was all running up to scratch.’
When the security project went to tender, the school reviewed multiple potential partners – but
Mr Mares was keeping an eye out for a partner that had a solid reputation for working with schools and had strong references.
‘NetStrategy stood out because they have a nice mix of a strong understanding in the cybersecurity space, combined with a deep understanding of schools,’ Mr Mares says. ‘It differentiates them from your average cybersecurity consulting firm. You can tell straight away they’re going to be a bit more pragmatic. They’re going to understand what’s typical in a school, and they’ve got the practical knowledge to shape their recommendations and tell you where you should be spending your time.’
Solution
NetStrategy performed a non-destructive penetration test across the school holiday period, meaning that there was no disruption for staff or students.
From there, the NIST cybersecurity framework (CSF) assessment and report were completed in close cooperation with Mr Mares and his team. The resulting report placed the school in a comfortable position to know where they stood, and how to efficiently improve their ranking.
‘We were fairly comfortable with where our NIST CSF ranking sat at the end of the audit,’ Mr Mares says. ‘On top of this, the report recommendations uncovered some more technical changes that could be made to improve our score even more – which is why you go to a school specialist like NetStrategy for projects like this.’
Benefits
With the recommendations presenting the school a clear path for improvement, Mr Mares and his team were able to quickly implement the technical changes needed to boost the school’s NIST CSF score. As a result, the school’s leadership team and school community can feel more at ease that the school is protected from cyberattacks.
While Mr Mares has since moved on to run his own consulting business, he still recommends NetStrategy as a preferred IT partner to clients.
‘NetStrategy would be one of the top providers I’d recommend to an education client looking for a cybersecurity partner, given their expertise,’ Mr Mares says. ‘Their pragmatism and experience set them apart from other providers.’
