I thought it would be useful for this week’s blog to focus on the JISC Security conference in Wales, which I am attending today (Mon 7th Nov) and tomorrow, and which includes a third day held online.
So, let’s start with my usual travel difficulties. This shouldn’t have been a difficult one as I have driven to the event; however, my car decided to develop some engine issues, including the engine warning light deciding to stay on plus occasionally flash alarmingly at me. I noted a reduction in engine power which meant my cheeks were firmly clenched as I crossed the Prince of Wales bridge in the wind and rain; not somewhere I would want to break down. Thankfully the car got me to my destination and can now have a rest before the return leg.
So, the event itself: as I write this opening part of the blog I am sat waiting for the event to begin. I have high hopes for the conference as there are so many different talks all focussed on the very important topic of technology security in education, principally in Further Education and Higher Education. As a topic, technology or cyber security is increasingly important in schools, colleges and universities as cyber criminals seem set on targeting education. One presenter at the JISC conference suggested education was the number 1 target for ransomware attacks. It makes sense, sadly, due to the data schools, colleges and universities hold, plus due to the fact the focus is on education with cyber security relegated to a secondary or even tertiary concern, often reserved for those working in IT roles. Given the focus of the whole conference is on security, I was very hopeful that I would take away quite a bit from the two days.
One of the big takeaways from Day 1 for me was a document which presented 16 questions for University Vice Chancellors to answer in relation to cyber security. The purpose of the 16 questions is to prompt discussion in relation to cyber security at the highest levels of management in universities. It was clear from conversations with a few people that although this document had been sent to all universities, it hadn’t necessarily been disseminated and discussed. Looking at the 16 questions I could see how they were applicable not just to universities but also to colleges and even schools. This did make me wonder about the need to share ideas and how, at the moment, there are various organisations sharing advice on cyber security, however no-one really collating this and providing it across sectors. For example, the DFE shared guidelines for schools while JISC developed and shared guidance for universities, yet both publications contained some common themes. Wouldn’t it be good if this was shared centrally but with all educational institutions regardless of stage/sector?
Another discussion that I found interesting related to how we know or can assess how we are doing in relation to cyber in our own organisations. Each school/college should be doing some form of risk assessment, but it would be useful to be able to take this and assess your security against other similar institutions. In HE this could be done using the 16 questions, but would rely on universities self-assessing and then sharing their findings with a body such as JISC who could then calculate the “average” preparedness for universities. This average could then be used as a benchmark with which to compare. For schools, rather than the JISC 16 questions, the DFE guidelines could be used in a similar fashion.
If there was one big takeaway from day 1 of the JISC event it was that universities, colleges and schools are all subject to similar risks in relation to cyber crime and cyber resilience, albeit with different resources available to address the challenges. As such there is a need to collaborate more across sectors, sharing experiences and knowledge where possible. Currently the sharing is very siloed, so schools and MATs share, independent schools share and universities share, but each sharing separately. There is a need, in my view, to bring this all together.