I have written repeatedly about cyber security and the fact that it is an increasing risk for schools. In my view, it should be on the risk register and a subject of regular discussion, but why has it become so important?
Increasing amounts of data
As we become ever more digital within schools, we find ourselves gathering, but also generating, ever more data. This may be simple demographic data such as name, address, DOB and gender, or other data such as browsing history through school filtering solutions and device information for personal devices. We increasingly have online payment gateways for parents to purchase school lunches or uniform, or solutions which record health and allergy information. We are gathering ever more data, and with that data we are able to generate yet more by combining it or inferring from it. So, if data is the new gold, then schools must clearly be untapped gold mines from a cyber criminal's point of view. As such, cyber security is important in keeping school data safe.
Schools being hit
Look at the newspapers and online press and it won't take you long to find a school or group of schools which has suffered a cyber incident. The reports often indicate the need for school closures while recovery is attempted. This clearly shows that schools are being hit, and possibly even specifically targeted, and that a cyber incident has a significant impact. Given this context, the fact that schools are suffering the impact of cyber incidents makes it difficult not to consider cyber security and mitigating risk as much as possible.
Schools as soft targets
The purpose of a school is education, teaching and learning. As such, its resources are focussed on this. This means schools, despite having large amounts of data, are not investing in cyber security to the same extent companies may do. This applies both to cyber security technologies and, possibly more importantly, to staff with cyber security experience. Now, I feel this isn't that surprising given the general shortage of cyber security professionals and the resultant wages they can demand. Schools will therefore find it difficult to match such wages. Additionally, schools will have a variety of different systems and hardware, possibly including student and staff personal devices, all connected to their network, often with updates unapplied or a poor general security setup. The focus of IT will largely be on enabling teaching and learning rather than maintaining a tight security perimeter. This all leads to cyber criminals seeing schools as soft targets.
Young people's personal data
Banks and other financial organisations are increasingly using data to identify unusual activity on an individual's account as a method of identifying and stopping fraud. The challenge with young people is that, to start with, little data exists as they set up their first account, their first loan, their first hire purchase agreement and eventual mortgage. Therefore, from a cyber criminal's point of view, having access to sufficient personal data to initiate identity fraud is better with young people, where little data exists, than with older people. With young people, the first transfer into a bank account in the control of a cyber criminal is more likely to get lost in the wealth of other firsts for these individuals. Again, this points to school data as a gold mine for future frauds and financial gain on the part of cyber criminals.
We also need to consider safeguarding. Students are increasingly online in schools and also at home. Schools need to keep them safe in school, and cyber security is a part of this, in ensuring their online activities are safe and secure, their devices remain secure, etc. Additionally, schools need to ensure that, through the data schools hold on students, they remain safe outside of school. We need to ensure that their data remains safe and secure such that it cannot be used for malicious ends in approaching them online.
Cyber security matters. I would even go so far as to say it is critical. All schools need to consider cyber security, and not just as a one-off but as an ongoing process. Cyber security needs to be part of school culture in the same way that safeguarding has become part of school cultures over the last 20 years (it may be longer than this, but my experience is limited to just over 20 years). We need to ensure we do all we can to keep schools, their systems, data, staff, students and wider community safe from cyber risks, to prepare for the inevitable incidents which will happen, and to make all aware. It's a big ask, I think, so the first step is to ensure we have at least given it some thought, started talking about it and started sharing our thinking. To that end, I hope this post has been of some use.