Case Study by Kalli Taifalos, Centre Manager - Pines Learning
Pines Learning is a not for profit adult learning centre with a registered childcare service. Our centre’s student group is diverse in terms of age and needs and includes people with mental and physical illnesses and disabilities.
As a not for profit, our organisation is overseen by a voluntary board, which recently decided to embark upon a program to reduce, to the greatest extent possible, the chance of data breaches occurring.
Data security is paramount to our organisation’s reputation. It’s also imperative to protect the rights of our students because we hold a lot of personal information about them. This includes data of birth, emergency contacts, details on their health and well-being, including mental health. If that data were to fall into the wrong hands, it could be very detrimental to the students’ futures – particularly for the young children in our care.
As a not for profit organisation offering courses that are accredited and pre-accredited for state government funding – which means students can apply for funding to participate in our courses – we are also legally obliged to ensure the highest level of security is applied to all student records.
To determine whether our data management systems were secure and to identify the gaps, we engaged The Missing Link.
As a not for profit, we usually work with other not for profits, which made engaging The Missing Link an unusual decision. As such, I was concerned that the company would try to up-sell us – that they would push us to contract them to undertake extra services.
I was pleasantly surprised. The Missing Link team was very friendly, very professional. They had researched our organisation, and they understood the work we do to empower young people in our community and they acknowledged us for this. Importantly, they understood that being a not for profit, our budgets were limited and they were realistic about what we could achieve.
With this in mind, we worked with The Missing Link to scope the project, and decided to restrict it to external Penetration Testing – this was to see how easy it would be for someone outside the organisation to compromise our database. As it turned out, the data management systems we had in place were relatively strong – and so testing didn’t take as long as expected. The Missing Link recommended using the extra day budgeted for, to do some internal penetration testing.
I’m not IT savvy at all, but this didn’t matter. From the outset, The Missing Link’s team explained the process so that I understood and when things would happen and after testing was completed they gave me a verbal overview of the findings. This was to be followed up by a written report.
I have to admit while waiting for that written report I again became concerned about what they would recommend and the cost implications. However, there was nothing to be worried about. The Missing Link provided suggestions to strengthen security that we could implement instantaneously and with minimal cost. They also recommended some upgrades to infrastructure, however, these were not considered critical, and can be delayed for some point in the future.
The immediate and greatest benefit of undertaking this project was the relief it offered to our managers and the board. We’ve been reassured that the data management system we currently have in place is strong, we’ve been able to make it stronger with some small adjustments and we know there are steps we can take when we’re ready, that will provide even greater benefits.