Yesterday I presented at the EdExec Live event in London where I discussed cyber security with a session purposely mis-titled as “Preventing cyber attacks: is your cyber security up to scratch”. The reason the session’s title didn’t really reflect its content is my belief that cyber attacks are now inevitable, and that the thinking behind trying to be “secure” or “up to scratch” involves a mental model which doesn’t fit our current reality, especially the reality in busy schools with limited IT resources and even fewer resources to focus on cyber security or cyber resiliency. As such, the session was aimed at highlighting this belief.
Now at this point you might be thinking I am showing some nihilist tendencies in the face of the growing cyber security threats and risks; however, I am certainly not advocating that we consider incidents inevitable and therefore simply down tools and don’t bother with any cyber mitigation, prevention or preparation activities.
What I am advocating is that we accept that we can never do enough, never be up to scratch, so all we can do is what we can. The approach to cyber in schools needs to be one of taking little steps rather than seeking to reach an imagined point of being cyber secure, a point that is likely to be unreachable and also likely to shift constantly in response to new technologies, new vulnerabilities, new threat actors and new methods of attack.
I concluded the session with 6 recommendations which are outlined below:
There is no enough so do what you can
As mentioned above, there is no “enough”, so thinking in terms of reaching “enough” is no longer appropriate.
Carry out regular risk assessments
We need to treat cyber like health and safety: try to identify the risks and then decide on mitigation measures where possible. If we explore and think about the risks which impact on us, we are likely to be better able to prepare and respond.
Carry out a desktop exercise or “war game”
Our plans and processes often include assumptions. We need to challenge these assumptions by involving staff from across the school in desktop exercises that play out an example cyber scenario. By playing such incidents through, we are likely to be better prepared when incidents happen for real.
Deliver ongoing user awareness
Users continue to be one of the most common factors in cyber incidents, so the more training we can provide the better, but such training needs to be dynamic and ongoing rather than an annual refresher presentation at the start of the year. Cyber needs to come up in meetings and in briefings; it needs to be part of the school’s culture and a constant point for discussion.
Address the cyber security basics
Cyber criminals will take the easy opportunities where they can, and therefore it is important to cover the basics such as patching servers, keeping backups, etc. This is about increasing the friction an attacker might feel, in the hope that they will move on to an easier organisation to attack.
Schools and colleges are all in this together, suffering similar challenges and issues in relation to cyber, so collectively we are so much stronger. As such, share with other schools, use groups like the ANME, and let’s make a collective effort to protect our schools from attacks and to prepare for the inevitable incident.
At the end of the session, I concluded with a little question in relation to terminology. Cyber security as a term is now out of fashion because it suggests that being “secure” is possible, when most now acknowledge that it is not. Cyber resiliency is now the term of choice; however, I feel that although it is better, it still suggests a “resilient” final state is possible, where I believe it is not. My suggestion, which doesn’t have the same ring to it as the above, was continuous cyber improvement, but my request was for someone to come up with a better alternative that wasn’t quite so much of a mouthful.
Is your cyber up to scratch? If you think it is, I suspect you are up for a fall at some point in the future, or at least that’s what probability would suggest. Are your efforts continuous and regularly reviewed, and do they involve repeated incremental improvements? If so, I think you are most likely going about things the right way, so well done, keep at it, and try not to worry too much!
You can view the slide deck from my session here.
And for those who have followed my usual travel woes, this time I managed to get to London and back with only a 20-minute train delay, so unusually uneventful by my standards.