Over the last couple of years in particular I have been thinking about cyber security in schools and what schools need to be doing in relation to keeping their users, systems and data secure. The issue I come up against is that there are a number of key variables which play on decisions reached in this area.
First there is the context a school operates in. The available budget, for example, will have a significant impact on what is or is not possible in terms of cyber security. And before anyone says it, I know money isn't the most important thing here; it should be student and staff online safety and the safety of their data. That said, a school is a place for learning, and would we do less learning in order to be more secure? This leads me on to my later point on risk appetite. Also within the context will be the number of students and staff, the volume and type of data being stored, the school's approach to technology (BYOD, school-issued devices or limited IT labs), etc. Each piece of the context impacts on the decisions which need to be made regarding cyber security.
Risk appetite is key, and I think it is something all schools need to discuss at a senior leadership level, with a clear statement as to risk appetite being established. Basically, this is acceptance of benefit vs. risk in terms of technology use. We might choose to allow BYOD due to it being more flexible for users and cheaper than school-owned devices; however, it introduces lots of devices not managed by the school, which comes with a cyber risk. We might choose to allow users to create their own Microsoft Teams to support flexibility, versus locking this down and centrally creating everything, which is less flexible but more secure. Time and time again we come up against decisions which balance benefits and risks, and our risk appetite will dictate how much risk we are generally willing to accept. A greater risk appetite will generally result in greater flexibility and agility, and therefore greater ability to respond to change, whereas a lesser risk appetite will likely limit flexibility and agility, but also limit risk.
Given the above and how this impacts each school differently, I decided that my approach should be to create a rough framework focusing on the things I believe all schools should do in relation to cyber security. I also created an additional section for those schools where additional resources are available or where additional risk factors may exist.
You can view the framework below:
Some additional points
Now, since creating the framework I have had some feedback online which I thought I would address. One point raised with me was the exclusion of web filtering for safeguarding from my framework. I considered this but excluded it, as my focus was on cyber security and I deemed web filtering to sit better under safeguarding. That said, web filtering which filters out dubious sites offering illegal streaming of sports events or movies would have a positive cyber security impact in protecting users from potential malicious code which may exist on such sites.
Change management was also raised with me; this could possibly sit under the process or document headings, in that there should be a documented and auditable change management process to prevent unauthorised changes, which may introduce additional risk, from occurring. Such a process is very important indeed; however, it is often lost in the need to solve problems and quickly adapt to changing situations in schools.
Asset and configuration management was another area that was suggested. This highlights the need to know what assets a school has and their setup. This is likely to be very important in the event of a cyber incident in terms of isolating the issue and in terms of the recovery process. The more we know about a school's setup, the quicker decisions regarding actions can be taken.
Physical security, particularly in relation to servers and storage but also in relation to devices, was also raised. The theft or loss of devices is something we need to increasingly consider. In the event of loss or theft, will the data contained in the device be secure, and is it possible to remotely disable or even wipe devices? Generally, though, I feel this area is getting easier to address.
I don’t believe this framework is perfect; however, my hope is that it is at least a good starting point for schools to check their approach to cyber security and to decide on some next steps. I also hope it starts discussions in school, noting that no sooner had I posted the first page than suggestions, such as the above, arrived in terms of how it might be improved.
I suspect I will need to revisit this framework as the cyber threats change and evolve over time, but in the meantime I think it’s a good start.