TRANSCRIPT: Tales4Teaching ep. 63: The role of cybersecurity in higher education (feat. Joan Sutherland and Dushyant Sattiraju)
Transcripts are generated using a combination of speech recognition software and human transcribers, and may contain errors. Please check the corresponding audio before quoting in print.
Intro: Tales4Teaching: A podcast where we explore stories with purpose in higher eduction. We’ll share expert insights, engaging interviews and thought-provoking discussions that will inspire your teaching. On behalf of Deakin University I would like to acknowledge the Traditional Custodians of the unceded lands and waterways on which you are located. I acknowledge the Wadawurrong People of the Kulin Nation as the Traditional Owners on which this podcast was recorded. I’d like to pay my respects to the Elders past, present and future. My name is Joan Sutherland and this is Tales4Teaching, brought to you by Deakin Learning Futures.
Joan: I’m really, really excited about our guest today as he’s going to talk to us about the role of cybersecurity in higher education and he’s going to discuss the measures being taken to protect our teaching and learning community here at Deakin. Hi Dushyant. Welcome.
Dushyant Sattiraju: Hi Joan. Thank you. Thank you for having me.
Joan: Oh, no worries. I’m sure it’s a topic that everyone wants to talk about at the moment. So I suppose to get started can you tell us a little bit about yourself and your role at Deakin University in cybersecurity?
Dushyant: Sure. So my name is Dushyant. I actually have been in the university for quite some time, so I’m currently working as a Cybersecurity Operations Manager. But I came into Deakin as a student and used to work part-time and then one thing led to another and here I am 10, 11 years after still working at Deakin.
Joan: So what did you study to get into this?
Dushyant: I actually studied, I did a double degree in information systems and information technology, both specialising in cybersecurity. Back then it used to be called IT security, but they’re the same.
Joan: Now it’s got the nice name assigned. So I suppose 10 or 11 years ago and cybersecurity seems to have taken a world unto its own. Can you just explain to me what cybersecurity actually is?
Dushyant: I think cybersecurity is a very complex topic. Um, but for most people, it is, it’s essentially making sure that you do the right thing when you’re connected, when you’re online, that’s impacting everyday individuals.
Joan: I think working with applications that are in the workplace, but also being aware of cybersecurity and what their role is in that. There was a lot of cybersecurity incidents that happened last year that sort of heightened the awareness around cybersecurity. And you mentioned earlier that you studied 10, 11 years ago. So I’m intrigued about how these events that happened last year that were perpetuated in the media has actually changed the landscape of cybersecurity or if it has it all?
Dushyant: It has. I think in the past when security incidents used to first occur, like we’re going back into the days of the Enigma machine, into the bulbar, period. A lot of the security incidents used to happen closer to the technology itself. So attackers used to target organisation’s computers specifically and computer networks. What we’re now seeing is with all the security controls that have been put in place with decades of innovation and security, people are starting to target users and individuals. So it’s the human aspect that is getting more targeted. And that’s why the incidents have be more in the media because it’s impacting everyday individuals.
Joan: Individuals. And what about the role of COVID in teaching and learning? I suppose because COVID forced a lot of universities in particular to track, pivot online so using a lot of different software that we may not have been using at the time. Would that have hyped as well?
Dushyant: That definitely has. We have seen more people stay connected and more people spend more time connected. It’s essentially like driving. You would, as a community, be exposed to more road incidents if you have more people on the road for longer, technology is the same. The more people who interact with, the more being tracked with newer applications and newer technology, they will be exposed to greater risk.
Joan: So its the individual that needs to be aware around cybersecurity, what they can do individually. But how does an organisation like they Deakin University protect its users, teaching and learning teams in relation to cybersecurity so that they can focus on what they need for the teaching and learning?
Dushyant: Sure. So the, the University actually has a dedicated cybersecurity team. So my team is responsible for operationally managing cybersecurity. What that essentially means is we try and detect any threats to the organisation. We try and identify vulnerabilities that could be exploitable where the risks are and try and address those risks. And if by any chance and incident actually occurs, we would then have a response team that is dedicated to responding to those incidents. So that’s the role of my team. But I work in a broader cybersecurity team that also has other functions like awareness and communication to ensure that users within the organisation are aware of security risks and challenges. And also another team that manages compliance and governance to ensure that we are looking good from a policy perspective across the organisation. So there’s, there’s a lot of effort going, not just within my team, but across digital in Deakin University where everyone is trying to do their fair share of incorporating cybersecurity in to their day-to-day life.
Joan: to contribute to that safety for staff and students.
Joan: That’s from an organisational perspective. Why is it so important in teaching and learning?
Dushyant: It is important for two main reasons. One is teaching and learning is one of our most important services that we offer to our students and to do good for our biggest customers. So we need to ensure that that service is well guarded and well protected. Also, it’s important for teaching and learning to be able to educate the area, to be engaged with students and make sure that the students that are graduating from Deakin University are not only job aware, but we’re also aware of cybersecurity. So where they walk into a workplace and an organisation, they are already well aware of what cybersecurity is and the best way to stay secure.
Joan: I think that’s a wonderful point that you make around Deakin students graduating, being job ready and work ready and working with applications that are in that workplace but also being aware of cybersecurity and what their role is in that. What can we do from teaching a learning teams to embed that as part of the curriculum? Or is there something already out there to educate students around that as well?
Dushyant: I think I see cybersecurity as a cultural change. It’s not a checkbox exercise where you’ve actually done this and it’s done, it’s almost a way of life. I sound really nerdy, but I said, that’s the reason why I say that is everything that you do on a day-to-day basis. You’re trying to minimise the risk and you’re trying to ensure that you are not vulnerable for an attack or an incident. So be driving a car, being at securing your home. So you wanna make sure you go out just locked properly. You want to make sure your doors are locked, the windows are closed. So it’s very similar. So you know how that becomes muscle memory after a point that you don’t have to look back and check if your garage is closed, you know, that you’ve hit the button and you know that garage, could hear the garage close. It’s very similar to that with cyber. So everything that you do, we’ve gotten to a point as a society where we asked a great dependency and technology, technology is really important and paramount. So technology is gotten to a point where we have to depend on it. At that dependency is why security is important. So everything that you do. So a good example is if someone asks you to set up a password for registering to an event the first thing that you think of this, is this a unique password? Is this random enough? Or am I repeating this password? Should I be repeating this password? So all of these things should come to you naturally. And then that’s, that’s the important part.
Joan: So it sounds like it’s behaviour change basically so it actually becomes part of your daily behaviour. And I know myself what I’ll do in a password previously, a lot easier is diversifying passwords so it’s so funny how you’re mentioning how it does become part of your daily routine, how you change things over time. And I know I’ve done it as well. That’s interesting that it’s embedded within our behaviour are just how we promote different things on a daily basis. So I suppose as individuals then, you can have a unique password. That’s one way but how else can we implement strategy to minimise risk in relation to cybersecurity?
Dushyant: Sure. I think one other thing that a lot of technology companies are actually doing more proactively is telling you when something is wrong with the technology you are interacting with. So let’s say I have a mobile phone on me and I get a notification saying you have an update available and the update includes security fixes, so please install. Or do it later. The first response that most uses lean towards is do it later. I don’t want to be able to change. I don’t want to do it now. It’s going to take time. It’s too hard.
Dushyant: So yeah, so all of us do it. I’ve done it too. Like the middle of the workday, I get a notification on my phone saying an update is available. I’m like, I don’t want to not have my phone accessible. So I’ll do it I’ll do it overnight or over tomorrow and sometimes it gets pushed. So organisations are actually putting in a lot of effort to try and update technology. So it’s only our responsibility as users to be able to react to it appropriately. So if there is an issue, a security warning on your device or a notification, respond to it. That’ll be the first thing. We obviously talked about diversifying passwords. Use a password manager we promote Last Pass to the organisation. So using a password manager to do that is important. The next thing is password is ultimately not the only source of security for a lot of the applications. And multi-factor authentication is another important thing. We have in the past promoted quite extensively on how to do it. Not just at work, at Deakin or for study, but also in your personal life. So how do you ensure that here you have MFA or securing your digital assets and sometimes even physical assets. My car does not have a key anymore and it uses a phone to unlock. And if if I lose my password, I’m not only locked out, but I’m at a risk of someone else being able to login to my car app and actually drive my car. So multi-factor auth is important for me.
Joan: So in that instance, technology may not be that great then.
Dushyant: Technology is, it’s, it’s like a, it’s like a double-edged sword. So you have to careful with it and when you’re dealing with straps, so you just have to useful tool, but you have to be careful.
Joan: It’s interesting that multi-factor authentication, because I’ve noticed, like obviously we’ve had it at Deakin since I’ve been here. But also now in my outside applications, is it asking to verify it with my phone. You’ve got your password and then your phone. Like that’s common now whereas I think even a year ago I don’t think it was so common but maybe we things that happened in the media you’re more cognisant of it and more information coming from the cybersecurity team as well? Yeah.
Dushyant: Exactly. Yeah.
Joan: Okay. So you’ve talked a lot about building capability, I suppose through education, asking you to respond to updates. You get the update and respond to them, diversifying password and using things like multi-factor authentication. Is there any other tips that you could get our users in the teaching and learning space to say do this just to minimise your risk. We know it’s never fully gone, but to minimise your risk in relation to cybersecurity?
Dushyant: Sure. I’ll add two more things to that list of security teams. The one that I often get surprised by it. I’m not a very strong social media person. I’m one of those guys is barely present on any social media platform. Just about the amount of information people are willing to share sometimes surprises me. I’ve seen images of people sharing their passport and boarding pass when they’re travelling overseas. So with one picture, you have told so much you’ve told, who you’re traveling with, you’ve told where you’re traveling to you’ve told me what nationality you are. And you’ve basically told people that you’re not gonna be in the country at home. So there’s so much information that you accidentally disclosed with one image. And once once some of these things go online, they, they’re gone. So they’re protected as long as this information is it’s you. Once once it’s out of the basket, it’s out there. So what we have been saying over time, not to, not to scare people, but we’ve seen technology, AI especially be used to harvest this information and attributed to an individual. So that is, as with every breach we’ve seen, obviously OPTUS and Medibank there’s more and more private information that’s getting disclosed either voluntarily through social media when people are actually doing it themselves or involuntary. So there’s a lot of information that’s being gathered against an individual. So we would have to do what best we can to minimise that. So we can’t do much about a third party company like OPTUS being breached, but we definitely can do a lot of information that we willingly wanted to share. So that is something important to consider.
Joan: I’m intrigued what you said around the AI component. How did the artificial intelligence feed into cybersecurity?
Dushyant: Well, artificial intelligence is almost a tool that everyone is using. So we use it to protect our users, staff, and students within the organisation. The attackers use it to track. So these are just tools that everyone in the industry is using irrespective of where you are.
Joan: And what would the final tip that you had?
Dushyant: The final tip I have is about data. So we often have information that we’re wanting to create, share with other people. It’s important to understand who you’re sharing with and how broad you’re exposing that data to how broad their user group that you’re exposing that data to. So a good example is I could have a OneDrive file where I’m actually doing my assignments and research and I wanted to share with a friend who then shares it with another friend. So it’s important to be mindful of the fact that you have certain permissions that you provide to information that you’re responsible for or belongs to you.
Joan: It’s interesting point you raise. That’s one of the first things in any app that I go into is the settings to learn about it and what you can actually share, what you’re actually disclosing. And I know some people think it’s boring. But it is highly important exactly what you’re saying, being mindful of the permissions if informations gets shared and shared again.
Dushyant: Absolutely. And some applications are really good at it. They help you sort the permissions while you’re registering for the applications. Then asked you well in advance when you’re signing up to say, do you want to share your location information, with your feeds, right.
Dushyant: It’s good. It’s a really good practice. But on the contrary we’ve also seen a lot of applications that don’t do that because it does not benefit the application.
Joan: And the first thing that comes to mind for me anyway, within the work context, is sharing documents, around SharePoint and the permission files and what is sensitive and what’s not sensitive and understanding that infrastructure behind it and not just something on Teams or on Word itself.
Dushyant: So if I actually look at the incidents that we’ve had with Deakin in the last ten and incidents that I can think of, nine of them have been accidental, data leakage. So you inadvertently as a staff member or a student, have gone in and shared a particular document or file with sensitive information with a much broader audience than you originally intended to. So that’s, that’s been one of the biggest issue which is where education and awareness is really important.
Joan: So you got to the individual and then educate them and make them aware of what actually happened.
Dushyant: That’s correct.
Joan: Look Dushyant, I wanted to say thank you so much for joining me today. There are one of the biggest things I got out of the cybersecurity is we often think tech side, but it’s actually a human issue from an individual and then it’s a multi-layered issue and it’s very complex so we’re educating users from teaching and learning teams and then the broad organisations got a lot of strategies in place to help us to ensure that we’re aware of cybersecurity with graduates as well at Deakin as well as staff. So on that note is there anything that you’d like to share to finish up?
Dushyant: I think my final thoughts are like as a community we only get stronger by talking about these things and being aware so people being more workable and outspoken about issues, incidents that they’ve either encounter personally or they’ve heard or seen about so that spreads awareness because there’s also a personal element to it. So I would say talk about it and as a Deakin student or staff, if you have any questions, we’re always available to have a conversation. If you think it would benefit for individuals to actually have us come into their team meetings or have an engagement or a discussion about issues relevant within their team. So within there, Schools be more than happy to, to be interested in that.
Joan: That’s really kind to offer your services around educating more broadly on top of what’s actually there. I’d really like to thank you for your time today. I’m sure the hot topic and it will continue to be a hot topic so we might hear from you later on in the year as well. Thank you.
Dushyant: Thank you. Thanks, Joan.
Joan: Thank you.