EdExec Live

Yesterday I presented at the EdExec Live event in London where I discussed cyber security with a session purposely mis-titled as “Preventing cyber attacks: is your cyber security up to scratch”.    The reason the sessions title didn’t really reflect the content of the session is my belief that cyber attacks are now inevitable and that the thinking behind trying to be “secure” or “up to scratch” involves a mental model which doesn’t fit our current reality and especially the reality in busy schools with limited IT resources, and even lesser resources to focus on cyber security or cyber resiliency.   As such the session was aimed at trying to highlight this belief.

Now at this point you might be thinking I am showing some nihilist tendencies in the face of the growing cyber security threats and risks, however I am certainly now advocating that we consider incidents inevitable and therefore simply down tools and don’t bpther with any cyber mitigation, prevention or preparation activities.

What I am however advocating is that we accept that we can never do enough, never be up to scratch, so all we can do is to do what we can.    The approach to cyber in schools needs to be to seek to take little steps rather than seeking to reach an imagined point of being cyber secure, a point that is both likely to be unreachable and also a point which is likely to constantly shift in response to new technologies, new vulnerabilities, new threat actors and new methods of attack.

I concluded the session with 6 recommendations which are outlined below:

There is no enough so do what you can

As mentioned above there is no “enough” so this kind of thinking is no longer appropriate.

Carry out regular risk assessments

We need to treat cyber like health and safety and try to identify the risks and then decide on mitigation measures where possible.    If we explore and think about the risks which impact on use we are likely to be able to better prepare and respond.

Carry out a desktop exercise or “war game”

Our plans and processes often include assumptions.   We need to challenge these assumptions with staff from across the school involved in desktop exercises playing out an example cyber scenario.   By playing such incidents through we are likely to be better prepared when incidents happen for real.

Deliver ongoing user awareness

Users continue to be one of the most common factors in cyber incidents so the more training we can provide the better, but such training needs to be dynamic and ongoing rather than an annual refresher presentation at the start of the year.    Cyber needs to come up in meetings, in briefings, it needs to be part of the schools culture and a constant point for discussion.

Address the cyber security basics

Cyber criminals will take the easy opportunities where they can and therefore it is important to cover the basics such as patching servers, keeping backups, etc.   This is about increasing the friction an attacker might feel in the hope that they will move on to a easier organisation to attach.

Reach out

Schools and colleges are all in this together, suffering similar challenges and issues in relation to cyber, so collectively we are so much stronger.   As such, share with other schools, use groups like the ANME, and let’s make a collective effort to protect our schools from attacks and prepare for the inevitable incident.

Conclusion

At the end of the session, I concluded with a little question in relation to terminology.   Cyber security as a term is now out of fashion due to suggesting that being “secure” is possible when most now acknowledge this is no longer possible.   Cyber resiliency is now the term of choice however I feel, although better, it still suggests a “resilient” final state is possible where I believe it is now.   My suggestion, which doesn’t have the same ring to it of the above, was continuous cyber improvement, however my request was for someone to come up with a better alternative that wasn’t quite so much of a mouthful.

Is your cyber up to scratch?    If you think it is, I suspect you are up for a fall at some point in the future or at least that’s what probability would suggest.   Are your efforts continuous, regularly reviewed and involve repeated incremental improvements?    If so, I think you are most likely going about things the right way, so well done, keep at it, and try not to worry too much!

You can view the slide deck from my session here.

And for those who have followed my usual travel woes, this time I managed to get to London and back with only a 20min train delay, so unusually uneventful by my standards.

Advertisement

Author: garyhenderson2014

Gary Henderson is currently the Director of IT in an Independent school in the UK. Prior to this he worked as the Head of Learning Technologies working with public and private schools across the Middle East. This includes leading the planning and development of IT within a number of new schools opening in the UAE. As a trained teacher with over 15 years working in education his experience includes UK state secondary schools, further education and higher education, as well as experience of various international schools teaching various curricula. This has led him to present at a number of educational conferences in the UK and Middle East.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: