Why cyber security matters?

I have written repeatedly about cyber security and the fact that cyber security is an increasing risk for schools. In my view, it should be on the risk register and subject of regular discussion but why has it become so important?

Increasing amounts of data

As we become ever more digital within schools, we find ourselves gathering, but also generating, ever more data.   Whether this is the simple demographic data such as name, address, DOB and gender or other data such as browsing history through school filtering solutions and device information for personal devices.   We increasingly have online payment gateways for parents to purchase school lunches or uniform, or solutions which record health and allergy information.   We are gathering ever more data.   And with the ever more data, we are able to generate yet more data by combining it or inferring from it.    So, if the data is the new gold, then schools must clearly be untapped gold mines from a cyber criminals point of view.  As such cyber security is important in keeping school data safe.

Schools being hit

Looking at the newspapers and online press and it wont take you long to find a school or group of schools which have suffered from a cyber incident.    The reports often indicate the need for school closures while recovery is attempted.    This clearly shows that schools are being hit, and possibly even specifically targeted, and that a cyber incident has a significant impact.   Given this context, that schools are suffering impact from cyber incidents makes it difficult to not consider cyber security and mitigating risk as much as possible.

Schools as soft targets

The purpose of a school is education, teaching and learning.  As such its resources are focussed on this.   This means schools, despite having large amounts of data, are not investing in cyber security to the same extent companies may do.   This is both in terms of cyber security technologies but also, and possibly more importantly, in staffing with cyber security experience.  Now I feel this isnt that surprising given the general shortage of cyber security professionals and the resultant potential wages they can demand.   Schools will therefore find it difficult to match such wages.    Additionally, schools will have a variety of different systems and hardware, including student and staff personal devices possibly, all connected to their network often with updates unapplied or poor general security setup.  The focus of IT will largely be on enabling teaching and learning rather than maintaining a tight security perimeter.     This all leads to cyber criminals seeing schools as soft targets. 

Young Peoples personal data

Banks and other financial organisations are increasingly using data to identify unusual activity on an individuals account as a method of identifying and stopping fraud.    The challenge with young people is that, to start with, little data exists as they setup their first account, their first loan, their first hire purchase agreement and eventual mortgage.    Therefore, from a cyber criminal point of view, having access to sufficient personal data to initiate identify fraud is better with young people, where little data exists, than with older people.   With young people the first transfer into a bank account in the control of a cyber criminal is more likely to get lost in the wealth of other firsts for these individuals.    Again, this points to school data as a gold mine for future frauds and financial gain on the part of cyber criminals.

Safeguarding

We also need to consider safeguarding.  Students are increasingly online in schools and also at home.    Schools need to keep them safe in school, and cyber security is a part of this, in ensuring their online activities are safe and secure, their devices remain secure, etc.   Additionally, schools need to ensure that, through the data schools have on students, they remain safe outside of schools.   We need to ensure that their data remains safe and secure such that it cannot be used to malicious ends in approaching them online.  

Conclusion

Cyber security matters.   I would even go so far as to say critical.   All schools need to consider cyber security and not just as a one off but as an ongoing process.  Cyber security needs to be part of school culture in the same way that safeguarding has become part of school cultures over the last 20 years (it may be longer than this, but my experience is limited to just over 20 years).  We need to ensure we do all we can to keep schools, their systems, data, staff, students and wider community from cyber risks, to prepare for inevitable incidents which will happen and to make all aware.   It’s a big ask I think so first step is to ensure we have at least given it some thought, started talking about it and started sharing our thinking.   To that end I hope this post has been of some use.

Author: Gary Henderson

Gary Henderson is currently the Director of IT in an Independent school in the UK. Prior to this he worked as the Head of Learning Technologies working with public and private schools across the Middle East. This includes leading the planning and development of IT within a number of new schools opening in the UAE. As a trained teacher with over 15 years working in education his experience includes UK state secondary schools, further education and higher education, as well as experience of various international schools teaching various curricula. This has led him to present at a number of educational conferences in the UK and Middle East.

Leave a comment