Eight years ago, our college was under financial pressure, our cybersecurity posture was poor and our vulnerabilities obvious. FE (further education) has always been an easy target; underfunded IT teams, legacy systems and competing institutional priorities create the perfect conditions for risk.
With barely any budget, the only immediate improvements we could make were replacing ageing firewalls and installing anti-ransomware software. It was far from being enough.
The most valuable thing we did initially was an honest gap analysis. We needed to know how bad things were. That became our roadmap, exposing the weaknesses we could act on and solutions we could implement when resources allowed.
Looking back, I wonder whether I should have translated cyber risk into financial risk more explicitly. Cybersecurity is not just an IT problem but a business, operational and financial risk. If I had been more forceful about a potential breach’s cost, we might have secured investment sooner.
Building the foundation
As our financial position stabilised, we made improvements. We started with perimeter security – enhancing email protection, encryption and malware detection. We eliminated remote access vectors to reduce entry points.
That was followed by web filtering to stop data exfiltration and SIEM (security information and event management) to give us visibility over what was happening across our systems.
Authentication was next. MFA (multi-factor authentication) was introduced for admins, then staff, then students. Strengthening passwords was another battle, revealing just how weak they were. We rolled out Local Administrator Password Solution (LAPS) and Azure password policies.
Network segmentation came soon afterwards. The thought of an attacker moving freely across our network kept me awake at night. We tackled it with port-based network access control (802.1X), micro-segmentation and RADIUS authentication, making lateral movement far harder.
In those early days, systems were only patched when someone logged in for maintenance. We implemented structured, automated patching for both OS and applications, eliminating one of our biggest vulnerabilities.
Regular penetration testing followed. Some reports made for uncomfortable reading, but they forced action. Importantly, leadership backed the work, meaning we could fix issues properly without cutting corners.
We also shifted towards zero-trust principles – conditional access policies, tighter firewall rules for privileged accounts and country-based blocking. We were no longer just securing the perimeter; we were securing every access point, user and system.
Maturing our approach
The biggest shift has been moving from reacting to threats to actively preventing them. Today, our strategy includes:
- Monthly vulnerability scanning to fix weaknesses before they become breaches.
- Annual penetration testing to simulate real-world attacks.
- Immutable backups that ensure ransomware cannot hold us hostage.
- Regular disaster recovery and cyber playbook exercises, so we know how to respond before an incident happens.
Cybersecurity is not just about tools but people. Engaging with Microsoft partners, Jisc and sector networks has been invaluable in strengthening our defences.
The road ahead
There are things that I would do differently if starting over. We should have implemented a more formal governance framework earlier.
User awareness training is another challenge. We have delivered cyber training, but engagement has been inconsistent. Staff and students remain the weakest link.
We also learned the hard way that security must be embedded in procurement from day one. Retrofitting security onto existing systems is painful.
Cybersecurity is not just about firewalls, passwords and patches. It is about culture, strategy and forward planning.
Lessons for the sector
- Start with brutal honesty. A gap analysis might be uncomfortable, but it gives you clarity to prioritise.
- Build gradually. Cyber resilience is not a one-time fix.
- Make the business case, not just the technical case. Cybersecurity is a financial and operational risk.
The education sector remains a prime target. Ransomware, business email compromise and social engineering attacks are not going away. FE must take cybersecurity as seriously as any other core function.