Future of Cyber: Is it Safe in our Children’s Hands?

Aotearoa/New Zealand's largest state school Te Kura’s Chief Information Officer Julian Guedon, discusses pressing cyber issues in the education sector, and effective tools to prepare existing and future leaders.

Julian Guedon ended-up in IT as a developer on the so-call Y2K bug. From there, he founded a consulting company in 2003. Security and information management always crossed his path as he progressed through different roles, from senior developer, solutions architect, network security engineer, consultant, core systems lead, head of architecture and business intelligence.

Currently, he’s the CIO at Te Kura, a state-funded distance education provider that offers a wide range of personalised learning programmes and courses, from early childhood to NCEA Level 3, which are mostly delivered online.

Long-term Impacts of Cyberattacks in Education

A relatively unknown fact is that the education sector is the second-most targeted sector for ransomware and cybersecurity attacks, and in 2022, in the top ten of the sectors with the worst cybersecurity practice.

“Although Australasia in general and New Zealand in particular have been spared, other countries such as the United States experimented a massive surge (almost 50% year on year since 2020) of attacks, in particular during the COVID19 pandemic as ākonga (students) moved massively online”, Guedon says.

“One key risk to consider is not only the immediate impact of a cybersecurity breach, but the long-term effect on future citizens, as many of them will likely use key phrases such as the 'name of their primary teacher' to secure their bank accounts.”

“My industry handles a massive amount of personal information through non-secure or partially secure channels, such as email correspondence between students and teachers, with limited visibility compared to other industries such as the Financial sector for example, which tends to rely on centralised systems and CRMs”, Guedon says.

Cyber Education Role Model for Kaimahi (Staff) and Ākonga (Students) 

We asked Guedon how he thinks leaders can successfully educate those in the sector around cyber risks. His approach is to emphasise 2 key messages to kaimahi: sharing, especially data, isn’t always caring, and cybersecurity is everyone's responsibility.

He also prioritises the message on how our actions today can impact ākonga's future, and more generally the concept of digital tāonga, which means making cybersecurity a cultural element, central to every day’s actions.

“Although our ākonga are sometimes more tech-savvy than ourselves, there has traditionally been more focus on helping them identify harmful situations online (cyberbullying for example) rather than risky behaviours. Ākonga are also a target for apps and marketing content from actors that themselves can be hacked. It's about explaining the full cybercriminal ecosystem, in simple terms, understandable at all age”, Guedon says.

Leaders must prepare the next generation of workers to be digital citizens and aware of cybersecurity issues. For a young audience, there is a balance to strike between sharing too much, and letting them discover a wonderful online space.

“Similar to learning how and when to cross the street, we need to accompany first, highlight the dangers, but also let people rely less and less on us and understand the risks. For a more mature audience, we can start exploring why cyber-criminality exists but also that most dangerous situations arise from personal behaviours” Guedon says.

From a pragmatic business perspective, Guedon needs to help his organisation and teams understand the value of cybersecurity.

“My message is always about cybersecurity isn't only an IT consideration. The traditional line of defence ("our servers are well patched") is largely ineffective to situations such as employees sharing personal records through unsecure channels.”

“Secondly, I frequently make the analogy with financial risk: although there could be checks and balances performed by the Finance Department, taking bad investment decisions or allowing everyone to use a professional credit card will inevitably increase Financial risk.”

“Interestingly, board members understand that financial risk exposure is a key indicator that they need to monitor, and they understand their level of accountability in that space.”

“I hope that transposing this message to the cybersecurity space helps everyone across my organisation understand the importance of cybersecurity. Caring (as I mentioned before) and the importance of our digital tāonga is also a recurring topic we raise”, Guedon says.

Reaping the Rewards of Good Cyber Practices

Guedon is particularly proud of how much "soft" monitoring his teams have achieved, not only on network traffic but also in information access. By "soft", he means non-intrusive from a privacy standpoint, but currently quite effective.

“I am pleased to see kaimahi proactively contacting us to share their own experience facing day-to-day risks such as phishing attempts.”

“I hope they see us as supporters rather than the traditional image of the pesky technical people that only make their work more complicated”, Guedon says.

Julian Guedon will be sitting on a panel discussion on how to foster synergy between CTOs, CIOs and CISOs for secure technology innovation at CISO Auckland 2023, taking place on 21 & 22 November at Hilton Hotel.

Don’t miss your chance to attend CISO Auckland this November. Register to attend today!