Case Study by Peter Yeates - Information Communication Technology Services Manager, Padua College
Padua College is an independent Catholic day school for boys from years 5–12. Situated in Kedron, Queensland, the school has approximately 1,450 students and 2,500 parents and about 200 teachers, plus coaches, administrators, etc. All of them have access to various school web applications – students and teachers via uniform school-supplied devices, and parents and part-time staff using a variety of devices, old and new.
Supporting all of these users is a small information technology team, and while they all have some knowledge about security, there are no security specialists on staff.
Historically, we have completed managerial assessments of our IT services and our provision of services to internal and external customers. However, until recently, we had never undertaken penetration testing – we knew that the majority of the vendors we use do their own pen testing, so it wasn’t top of mind.
In 2020, in conjunction with the Non-State Schools Accreditation Board of Queensland (NSSAB) College accreditation process, an internal review highlighted the need for our school to review our entire catalogue of services in an effort to identify any apps that weren’t being pen tested by external providers.
We discovered that our front page portal, which is accessed by parents, students and staff, didn’t have a third-party pen testing process in place, and so we committed to engaging a service provider.
Penetration testing was an insurance policy, if you like.
We trusted our software vendors, but because we had never done any pen testing on the portal, we didn’t know whether there was anything to find.
However, we recognised that with the ever-increasing risk of cyber threats, we needed to be sure the identification data held on this portal was absolutely secure. Additionally, of course, the Government encourages organisations to implement eight essential mitigation strategies as a baseline - pen testing being one of them. So despite the significant cost attached, this was something that needed to be done.
The Selection Process
The Missing Link was recommended to me by my professional network, but we didn’t dive straight into engaging them. They were one of three companies to quote, and they were not the cheapest. However, they were the most impressive – their team members have a great number of certifications, and the company has won plenty of awards in the security space, which was reassuring. Importantly too, they came across as being very professional and systematic in their approach.
The Missing Link was professional, organised and they did everything possible to minimise disruption. This was valuable in itself because, as a school, we now need to have our systems up and running 24/7 – teachers, students, and parents want access to everything, all the time. We often joke that we have more uptime than a bank!
The preparation was very smooth – we met with the business development team to plan the engagement and had a communications call with the technical supervisor. They prepared a list of their requirements, which we provided, and we timetabled the testing to take place during the school holidays. We used a development staging server, so it didn’t affect the school’s day-to-day operations.
The process of planning and implementing penetration testing has raised awareness of the risks of a cyber breach and highlighted the need for the entire school community to be more careful when opening emails and clicking on links.
The testing itself was valuable in that it identified a critical issue that needed to be resolved. The Missing Link notified us of the issue in an interim report, and because it needed to be rectified by the vendor (rather than our school), they liaised directly with the vendor to have it resolved.
Like The Missing Link, the software vendor was extremely professional and responsive; the issue was resolved within 48 hours. Impressively, they called to thank Padua College for engaging The Missing Link to pen test their app in the first place – until then, they’d had no idea the issue existed.
Having worked with The Missing Link for a brief period, I put them in the category of a trusted consulting service and would have no hesitation in engaging them for further IT infrastructure and security projects.