Ransomware – A criminal enterprise

A recent story of a ransomware incident impacting a hospital for sick children highlighted for me how ransomware, and by extension other cyber-crime, is often a criminal enterprise.   It is run by individuals and groups in much the same way that a conventional business or enterprise would be run, but to criminal ends.

The story in question related to a ransomware incident which impacted SickKids just prior to Christmas this year (you can read more here).    The incident was reported as resulting in longer patient waiting times; however, where this story diverges from the normal ransomware story is that a ransomware gang publicly apologised for the attack and provided resources to help the hospital in the form of a free decryptor tool.   Now it is unclear if the decryptor worked on all or some of the affected systems, or even if it was used at all, as using a file provided by a criminal operation doesn't come without its risks.   The ransomware gang also acknowledged that the attack came from a "partner" and that this partner has been expelled from the gang's "affiliate program" for violating the gang's rules.

If we change the context to a simple and legal business operation, a lot of the above would still make sense.   Affiliate programs, business or partnership rules, a public apology for an error plus the offer of support: this is what you might expect from a conventional business operation, not a criminal gang.

This I believe is the big challenge for education and the wider world: we need to accept that some see a business opportunity, an opportunity to make money off the illegal activity of cyber-crime.   While this continues to be the case, criminal gangs and cyber crime will continue to exist.   And if we consider increasing technology usage and the increasing volumes of data being gathered in society as a whole, this opportunity can only be viewed as continually increasing.    Additionally, if we extend the business analogy, these illegal gangs will likely be constantly seeking to improve, to expand existing revenue streams and to create new revenue streams, in much the same way as a conventional, legal business would do.

So cyber crime is likely to continue to grow as a threat, and this is pretty inevitable.   What do we therefore do to try and protect ourselves?    For me it comes down to a number of things: for organisations but also for individual staff, regularly reviewing, testing and improving defensive measures, while also preparing to deal with an incident when it eventually arises.  It is about building awareness of the risks and preventative measures, and building a wider cyber culture in organisations.  

All of this makes me think of business competition, where two businesses fight it out in a given sector or product market to see who wins.   Coke vs. Pepsi for example.  Here however one business will be legal, fighting against another which is an illegal, criminal enterprise.    I can't help but think that this is an inherently unfair fight, but one that will continue to become more and more common!


JISC Security Conference Day 2

It's been a few days since the JISC Security Conference; however, I am only now seeing light at the end of the tunnel, having spent the last few days catching up following my two days out at the event.   As such I thought I would share some thoughts following Day 2 of the conference.

Defend as one

During the course of the 2nd day of the conference I attended a number of sessions where various educational institutions shared their experiences of cyber incidents.   I will admit it was good to hear their experiences, as generally all we get to hear of in relation to cyber incidents in schools, colleges and universities is the news posts, which lack any of the detail as to the cause and impact of the incident, or of the resulting recovery operations.   It would be good to hear more of the details around cyber incidents in schools, etc, as there is a great opportunity for us to learn from the experiences and collectively seek to be more secure, with this being summed up by the JISC conference tag line, "Defend as one".    I will however note the challenges in relation to this due to the sometimes sensitive nature of such information.

Cyber:  An IT issue?

Now the event itself was very useful for me as a Director of IT, being surrounded by others in similar roles; however, as identified by one of the speakers, this also represents a challenge.    Technology security is not solely the responsibility of IT.    It is the responsibility of all those who use technology, who manage or are the owners of data, who lead departments and who lead or govern within educational institutions.      Equally all these people need to be on board and considering what they might be doing in the event of a critical technology incident, where they will need to try to keep operations going while the IT team focuses on the technical issue.     Yet the JISC security conference was mainly attended by IT people.   Clearly there is a need for others to be more engaged, and I will certainly be looking to try and encourage other non-IT senior staff to attend events like this in the future.

Third Parties and supply chain risk

As the second day proceeded, I started to see some key themes and messages coming out, some of which aligned with my own thinking, with one of these being the risk associated with third parties and the supply chain.   Increasingly we are using more external solutions, either online solutions or solutions where a third party's technology runs on our networks.   Examples might include a third-party hosted website, a CCTV solution hosted on site, or a visitor management solution hosted on site.    These solutions have access to school data or may be on the school network, and as such may represent a risk to the data should the supplier suffer a cyber incident, or a risk to the school network itself.   If on the school network, they might introduce vulnerabilities which we are unable to address ourselves and where instead we must wait for the supplier to identify and resolve them by developing and deploying an update or patch.

So this risk highlights the need for due diligence before introducing new solutions.  This didn't really happen during the pandemic, as we sought to act quickly to address the challenges, so there is work to do in carrying out the due diligence for systems now in use.   Also, due diligence at the point of purchase represents a snapshot.  Most technology solutions evolve over time, with new functionality being added or existing functionality adjusted and changed, meaning the due diligence which was originally conducted becomes out of date and inaccurate.  This highlights the need for periodic review, but this is then yet another task which needs doing, and who does this due diligence where departments across a school, college or university are sourcing their own solutions?  For me the key here is that we need to do more in relation to examining the cyber resiliency and disaster recovery plans of the third parties we use.

Prioritisation

Another theme which came across was the extent of the cyber incidents described.   Basically, in some cases it meant going back to scratch, turning everything off and rebuilding.   But this takes significant time, running into weeks and months.    This means it is key to identify the priorities for the recovery.  What systems and processes need to be recovered first, and what do they depend on?    If we don't stop and consider this now, when things are running, we will likely find ourselves in the middle of an incident with every department and user insisting that their system or process is the most important, and we will then waste significant time trying to debate and decide.    Clearly there is a need to examine all the systems and technology in use and then identify a clear and documented priority order for these systems, such that when an incident occurs there is an agreed order to work through.
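As an added illustration of the prioritisation point (this is example code written for this post, not a tool from JISC or from any of the institutions that presented), the following computes a recovery order from a documented list of systems, each with an agreed priority tier and its dependencies. The system names, tiers and dependencies are a constructed example of what a school's list might look like, not a real inventory. The point it makes that the paragraph alone does not is that a "low priority" system has to come forward in the order if something critical depends on it, and that a cycle or an unknown dependency in the list is itself a finding worth fixing before an incident.

```python
import heapq

# Constructed example inventory: tier 1 = recover first. "depends_on" lists the
# systems that must be working before this one can be brought back.
SYSTEMS = {
    "core network":          {"tier": 1, "depends_on": []},
    "backup server":         {"tier": 1, "depends_on": ["core network"]},
    "active directory":      {"tier": 1, "depends_on": ["core network"]},
    "dns/dhcp":              {"tier": 1, "depends_on": ["core network"]},
    "email":                 {"tier": 2, "depends_on": ["active directory", "dns/dhcp"]},
    "mis (student records)": {"tier": 2, "depends_on": ["active directory"]},
    "safeguarding system":   {"tier": 2, "depends_on": ["mis (student records)", "active directory"]},
    "vle":                   {"tier": 3, "depends_on": ["active directory", "mis (student records)"]},
    "catering tills":        {"tier": 3, "depends_on": ["cashless payment db"]},
    "cashless payment db":   {"tier": 4, "depends_on": ["core network"]},
    "cctv":                  {"tier": 4, "depends_on": ["core network"]},
    "print management":      {"tier": 4, "depends_on": ["active directory"]},
}


def dependency_problems(systems):
    """Findings to fix before an incident: unknown dependencies and cycles."""
    problems = []
    for name, spec in systems.items():
        for dep in spec["depends_on"]:
            if dep not in systems:
                problems.append(f"{name!r} depends on unknown system {dep!r}")
    # Repeatedly strip systems whose (known) dependencies are all stripped;
    # anything left at the end is part of a cycle.
    remaining = {n: [d for d in s["depends_on"] if d in systems] for n, s in systems.items()}
    while remaining:
        free = [n for n, deps in remaining.items() if not any(d in remaining for d in deps)]
        if not free:
            problems.append("dependency cycle among: " + ", ".join(sorted(remaining)))
            break
        for n in free:
            del remaining[n]
    return problems


def effective_tiers(systems):
    """A dependency inherits the best (lowest) tier of anything that needs it,
    so a tier-4 database that a tier-3 service relies on is recovered as tier 3."""
    eff = {name: spec["tier"] for name, spec in systems.items()}
    changed = True
    while changed:                       # tiers only ever decrease, so this terminates
        changed = False
        for name, spec in systems.items():
            for dep in spec["depends_on"]:
                if eff[name] < eff[dep]:
                    eff[dep] = eff[name]
                    changed = True
    return eff


def recovery_order(systems):
    """Topological order (dependencies first), breaking ties by effective tier
    then name, so the output is a deterministic, documentable runbook order."""
    problems = dependency_problems(systems)
    if problems:
        raise ValueError("; ".join(problems))
    eff = effective_tiers(systems)
    indegree = {n: len(s["depends_on"]) for n, s in systems.items()}
    dependents = {n: [] for n in systems}
    for name, spec in systems.items():
        for dep in spec["depends_on"]:
            dependents[dep].append(name)
    ready = [(eff[n], n) for n in systems if indegree[n] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for dependent in dependents[name]:
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                heapq.heappush(ready, (eff[dependent], dependent))
    return order


if __name__ == "__main__":
    tiers = effective_tiers(SYSTEMS)
    for position, name in enumerate(recovery_order(SYSTEMS), start=1):
        note = "" if tiers[name] == SYSTEMS[name]["tier"] else f" (pulled forward from tier {SYSTEMS[name]['tier']})"
        print(f"{position:2d}. [tier {tiers[name]}] {name}{note}")
```

The output is the kind of list that can be agreed with department heads in calm conditions and filed with the DR plan; re-run it whenever a system is added so the order stays current rather than being debated mid-incident.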

Data Governance

The issue of data governance was particularly notable in discussions related to HE, to universities, and this is likely due to their size and scope when compared with schools and colleges.   That however is not to say that the same challenges don't also exist in schools and colleges.   The key question here is about the basics of data management: knowing what data we have, why we have it, where it is and, likely most importantly, who is responsible for it.   And in terms of responsibility, I am not referring to IT teams being responsible because they run the systems the data is stored on, but to who the owner of the data is.  For example, admissions data doesn't belong to IT, it belongs to the admissions team, while pastoral data belongs to the pastoral team.    IT can never know the processes and uses of all the data stored by different departments on IT solutions, and therefore cannot be responsible for the data management side of such data.    It is the data owners that are responsible for what data they gather, how it is stored, how long they keep it, etc.    It was clear from some of the discussions that greater effort needs to be made to ensure everyone understands who is responsible for what data. 

Conclusion

There was a lot to think about on Day 2 and, to be honest, I haven't as yet had sufficient time to properly stop and reflect on the day or on the wider conference as a whole.   And I suspect it will be a few weeks, and maybe the end of term, before this properly happens.

That said the above represents some of my initial thoughts based on some of the copious notes I took during the course of day 2.

I will end on an important message as I see it: this can all seem like doom and gloom.  The "when" rather than "if" of a cyber incident, the size and impact of such an incident, and the multiple things we need to be doing to prevent and prepare, all against the backdrop that no matter what we do it may still happen.    We cannot allow it to be all doom and gloom.   My view is therefore that we need to simply seek to continually improve, not to try and do everything, but to seek to be more secure today than we were yesterday.

JISC Security Conference Day 1

I thought it would be useful for this week's blog to focus on the JISC Security Conference in Wales, which I am attending today (Mon 7th Nov) and tomorrow, and which also includes a third day held online.

So, let's start with my usual travel difficulties.   This shouldn't have been a difficult one as I have driven to the event; however, my car decided to develop some engine issues, including the engine warning light deciding to stay on, plus occasionally flash alarmingly at me.   I noted a reduction in engine power which meant my cheeks were firmly clenched as I crossed the Prince of Wales bridge in the wind and rain; not somewhere I would want to break down.   Thankfully the car got me to my destination and can now have a rest before the return leg.

So, to the event itself: as I write this opening part of the blog I am sat waiting for the event to begin.  I have high hopes for the conference as there are so many different talks all focused on the very important topic of technology security in education, principally in Further Education and Higher Education.   As a topic, technology or cyber security is increasingly important in schools, colleges and universities as cyber criminals seem set on targeting education.   One presenter at the JISC conference suggested education was the number 1 target for ransomware attacks.   It makes sense, sadly, due to the data schools, colleges and universities hold, plus the fact that the focus is on education, with cyber security relegated to a secondary or even tertiary concern, often reserved for those working in IT roles.   Given the focus of the whole conference is on security, I am very hopeful that I will take away quite a bit from the two days.

One of the big takeaways from Day 1 for me was a document which presented 16 questions for University Vice Chancellors to answer in relation to cyber security.   The purpose of the 16 questions is to prompt discussion of cyber security at the highest levels of management in universities.  It was clear from conversations with a few people that although this document had been sent to all universities, it hadn't necessarily been disseminated and discussed.   Looking at the 16 questions I could see how they were applicable not just to universities but also to colleges and even schools.    This did make me wonder about the need to share ideas and how, at the moment, there are various organisations sharing advice on cyber security, but no-one really collating this and providing it across sectors.   For example the DFE shared guidelines for schools while JISC developed and shared guidance for universities, yet both publications contained some common themes.   Wouldn't it be good if this was shared centrally, with all educational institutions regardless of stage or sector?

Another discussion that I found interesting related to how we know, or can assess, how we are doing in relation to cyber in our own organisations.   Each school/college should be doing some form of risk assessment, but it would be useful to be able to take this and assess your security against other similar institutions.   In HE this could be done using the 16 questions, but it would rely on universities self-assessing and then sharing their findings with a body such as JISC, who could then calculate the "average" preparedness for universities.  This average could then be used as a benchmark against which to compare.   For schools, rather than the JISC 16 questions, the DFE guidelines could be used in a similar fashion.

If there was one big takeaway from day 1 of the JISC event, it was that universities, colleges and schools are all subject to similar risks in relation to cyber crime and cyber resilience, albeit with different resources available to address the challenges.    As such there is a need to collaborate more across sectors, sharing experiences and knowledge where possible.    Currently the sharing is very siloed: schools and MATs share, independent schools share and universities share, but each separately.   There is a need, in my view, to bring this all together.

Disaster Recovery Planning

Part of cyber resilience is considering what to do when the worst happens.    And that worst-case scenario is sadly likely to be inevitable at some point.    It will take the form of a significant incident, a disaster from which the school or college needs to recover, and in planning for this a Disaster Recovery (DR) plan should have been created.   But what should such a plan look like?

I have given this quite a bit of thought.    Is this disaster recovery plan a long and detailed document or something much more simple and digestible?  

On one hand we might want the long document and all the details, as in the event of a disaster we will want as much information as possible to help us, first with isolating and managing the incident and then later with recovery.    The issue with this is that when the fire has been lit under the IT Services team due to an incident, the last thing anyone wants to do is wade through a long and complex document.   I have seen a disaster plan which included lots of Gantt charts with estimated timelines for different parts of the recovery, but how can we predict this with any accuracy against the multitude of different potential scenarios?   Additionally, the information you will actually need is likely to depend very much on the nature of the incident.

The flip side is the much more manageable document which is easier to digest and turn to in a crisis, when things are high stress, but whose shortness means it will lack some of the detail you may want.   That said, a shorter document is easier to rehearse and prepare with when running simulated and desktop incidents, such that staff remember the structure and are largely able to act without needing to refer too often to the supporting DR plan.   It is also more likely to be applicable across a wider range of scenarios.

The above however suggests only two options, detail or brevity and ease of use, but my thinking on DR has led me to conclude that we need both.    We need a brief incident plan which should be general and fit almost all possible incidents.    It should cover how an incident is declared and then which roles will need to be filled, including contact details for the various people who might fill each role.   It should cover the initial steps only: getting the incident team together so they can then respond to the specific nature of the incident in hand.  It is the outline process for declaring and initially managing an incident.

Then we need the reference information which will aid in the identification, management and eventual recovery from an incident.   Most of this should already exist in proper documentation of systems, setup and processes; however, this is often missed.   When things are busy it's often about setting things up, deploying technology or fixing issues, and documenting activities, configurations, etc, is put off for another day, a day which often never happens.    I think the creation of this documentation may actually be key.

Conclusion

The specifics of a DR plan will vary with your context so I don’t think there is a single solution.   For me there are 3 keys factors.

  1. Having a basic plan which is well understood in relation to declaring an "incident" and the initial phases of managing it.   This needs to be clear and accessible so as to be useful in a potentially high-stress situation.
  2. Having documentation for your systems and setup to aid recovery.  This is often forgotten during setup or when changes are made; however, when responding to an incident detailed documentation can be key.
  3. Testing your processes to build familiarity, to ensure processes work as intended, and to adjust them as needed.

DR planning is critical as we need to increasingly consider an incident as inevitable, so the better prepared we are the greater potential we have for minimising the impact of the incident on our school or college.

EdExec Live

Yesterday I presented at the EdExec Live event in London where I discussed cyber security in a session purposely mis-titled "Preventing cyber attacks: is your cyber security up to scratch".    The reason the session's title didn't really reflect its content is my belief that cyber attacks are now inevitable, and that the thinking behind trying to be "secure" or "up to scratch" involves a mental model which doesn't fit our current reality, especially the reality in busy schools with limited IT resources, and even fewer resources to focus on cyber security or cyber resiliency.   As such the session was aimed at trying to highlight this belief.

Now at this point you might be thinking I am showing some nihilist tendencies in the face of the growing cyber security threats and risks; however, I am certainly not advocating that we consider incidents inevitable and therefore simply down tools and don't bother with any cyber mitigation, prevention or preparation activities.

What I am advocating is that we accept that we can never do enough, never be "up to scratch", so all we can do is what we can.    The approach to cyber in schools needs to be to take little steps rather than seeking to reach an imagined point of being cyber secure, a point that is both likely to be unreachable and likely to constantly shift in response to new technologies, new vulnerabilities, new threat actors and new methods of attack.

I concluded the session with 6 recommendations which are outlined below:

There is no enough so do what you can

As mentioned above there is no "enough", so this kind of thinking is no longer appropriate.

Carry out regular risk assessments

We need to treat cyber like health and safety: try to identify the risks and then decide on mitigation measures where possible.    If we explore and think about the risks which impact on us, we are likely to be better able to prepare and respond.

Carry out a desktop exercise or “war game”

Our plans and processes often include assumptions.   We need to challenge these assumptions, with staff from across the school involved in desktop exercises playing out an example cyber scenario.   By playing such incidents through we are likely to be better prepared when incidents happen for real.

Deliver ongoing user awareness

Users continue to be one of the most common factors in cyber incidents, so the more training we can provide the better, but such training needs to be dynamic and ongoing rather than an annual refresher presentation at the start of the year.    Cyber needs to come up in meetings and in briefings; it needs to be part of the school's culture and a constant point for discussion.

Address the cyber security basics

Cyber criminals will take the easy opportunities where they can, and therefore it is important to cover the basics such as patching servers, keeping backups, etc.   This is about increasing the friction an attacker meets, in the hope that they will move on to an easier organisation to attack.

Reach out

Schools and colleges are all in this together, suffering similar challenges and issues in relation to cyber, so collectively we are so much stronger.   As such, share with other schools, use groups like the ANME, and let's make a collective effort to protect our schools from attacks and prepare for the inevitable incident.

Conclusion

At the end of the session, I concluded with a little question in relation to terminology.   Cyber security as a term is now out of fashion, as it suggests that being "secure" is possible when most now acknowledge this is no longer the case.   Cyber resiliency is now the term of choice; however, I feel that, although better, it still suggests a "resilient" final state is possible where I believe it is not.   My suggestion, which doesn't have the same ring to it as the above, was continuous cyber improvement, but my request was for someone to come up with a better alternative that wasn't quite so much of a mouthful.

Is your cyber up to scratch?    If you think it is, I suspect you are up for a fall at some point in the future, or at least that's what probability would suggest.   Are your efforts continuous, regularly reviewed and built on repeated incremental improvements?    If so, I think you are most likely going about things the right way, so well done, keep at it, and try not to worry too much!

You can view the slide deck from my session here.

And for those who have followed my usual travel woes, this time I managed to get to London and back with only a 20min train delay, so unusually uneventful by my standards.

Going phishing?

Phishing emails continue to be one of the most common attack vectors used by cyber criminals in attacking individuals and organisations, including schools, colleges and other educational organisations.   In schools, where things are increasingly busy, it is important that staff and students have had appropriate training and other resources provided in order to build their awareness and hopefully make them better at identifying such phishing emails.   The challenge though is: how do we know if our phishing awareness programme is actually working?

I was originally very reluctant to make use of phishing awareness tests, where a fake phishing email is sent out to assess how many staff would fall for a phishing email plus how many staff would report receipt of one.    I felt at the time that it was a little unethical, trying to entrap people who work for my school.    I was also worried people would feel it unfair and that it added to workload at a time when everyone is already busy.      It wasn't until an IT conference event where I got discussing the issue with someone working within the police force that my view changed.    The catalyst for this change was this point: would I rather identify how susceptible the school is to phishing emails, and how good individuals are at reporting malicious emails, through a real phishing email and the likely compromise of user accounts, or through a safe test where I would be able to respond and do something about the findings? It didn't take me long to realise I was better off testing awareness on my own terms rather than waiting for a cyber criminal.

Since this change of view I have set about running regular phishing awareness tests on small groups of users, refining the approach, the follow-up messaging and the training materials as a result of the findings.    Tests might be targeted on certain areas or departments based on recent events or on trends we are seeing in the types of phishing emails being received or reported.    Follow-up training might focus on the users who were tested, or might take the data from a test and share it with all staff to highlight specific concerns or areas for improvement.   In some cases individuals have felt unfairly treated or "entrapped"; however, they have generally been more understanding once my reasoning has been explained to them.  The main aim is for the testing and the related awareness development programme to be dynamic in nature, constantly changing in response to the external context and to the internal awareness levels and habits identified from the test data.

Phishing awareness testing doesn't by itself improve cyber security or users' phishing awareness; however, it can provide a snapshot of where we are at a particular moment in time and in relation to a specific style or type of phishing email.   This, when used in combination with dynamic training materials, can be powerful in building up user awareness of phishing emails, of how to identify them and of what to do when things go wrong and you fall for a phish.   Where phishing tests are conducted regularly, with the appropriate follow-up training, communication and awareness development, they can also help develop a culture of cyber security, and this, ultimately, is what we really need to achieve.
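To make the "snapshot" concrete, here is an added example (written for this post, not code from any phishing platform or from the school) that turns the raw results of one simulated test into the figures worth sharing with staff: per-department click, credential-entry and report rates, how quickly the first report arrived, and which departments to follow up first. The result rows are constructed and the department names are illustrative. The one figure that tends to matter most operationally, and that a simple click rate hides, is the gap between the first click and the first report, because that is the window in which a real attacker would already have had a working set of credentials before anyone raised the alarm.

```python
from collections import defaultdict

# Constructed results for one simulated phishing test (not real data). Every
# email was delivered at minute 0; clicked_min / reported_min are minutes after
# delivery, or None if the user never clicked / never reported.
RESULTS = [
    # (user,  department,   clicked_min, entered_credentials, reported_min)
    ("u01", "admissions", 4,    True,  None),
    ("u02", "admissions", None, False, 6),
    ("u03", "admissions", 12,   False, 15),
    ("u04", "admissions", None, False, None),
    ("u05", "science",    None, False, 3),
    ("u06", "science",    20,   True,  None),
    ("u07", "science",    None, False, None),
    ("u08", "science",    None, False, 9),
    ("u09", "pastoral",   2,    True,  None),
    ("u10", "pastoral",   5,    True,  40),
]


def summarise_by_department(results):
    """Per-department rates plus the time of the first report from that department."""
    groups = defaultdict(list)
    for row in results:
        groups[row[1]].append(row)
    summary = {}
    for dept, rows in groups.items():
        sent = len(rows)
        clicked = sum(1 for r in rows if r[2] is not None)
        entered = sum(1 for r in rows if r[3])
        reports = [r[4] for r in rows if r[4] is not None]
        summary[dept] = {
            "sent": sent,
            "click_rate": clicked / sent,
            "credential_rate": entered / sent,
            "report_rate": len(reports) / sent,
            "first_report_min": min(reports) if reports else None,
        }
    return summary


def overall_timeline(results):
    """Whole-test timing: how long an attacker would have had before the first report."""
    clicks = [r[2] for r in results if r[2] is not None]
    reports = [r[4] for r in results if r[4] is not None]
    first_click = min(clicks) if clicks else None
    first_report = min(reports) if reports else None
    exposure = None
    if first_click is not None and first_report is not None:
        exposure = first_report - first_click       # positive = clicked before anyone reported
    return {
        "first_click_min": first_click,
        "first_report_min": first_report,
        "exposure_before_first_report_min": exposure,
        # Users who clicked and then reported it themselves: the behaviour we want
        # to praise, not punish, since it is what limits damage in a real incident.
        "self_reported_after_click": sum(1 for r in results if r[2] is not None and r[4] is not None),
    }


def follow_up_priority(summary):
    """Departments ordered for targeted follow-up: credential entry is the costliest
    outcome, then clicks; a low report rate breaks any remaining ties."""
    return sorted(summary, key=lambda d: (-summary[d]["credential_rate"],
                                         -summary[d]["click_rate"],
                                         summary[d]["report_rate"]))


if __name__ == "__main__":
    summary = summarise_by_department(RESULTS)
    for dept in follow_up_priority(summary):
        s = summary[dept]
        print(f"{dept:11s} sent={s['sent']} click={s['click_rate']:.0%} "
              f"creds={s['credential_rate']:.0%} report={s['report_rate']:.0%} "
              f"first report={s['first_report_min']} min")
    print(overall_timeline(RESULTS))
```

Run on each test and kept over time, these per-department figures are what let the follow-up training be targeted, and the first-click versus first-report gap is a useful thing to show the whole school when explaining why reporting matters more than never clicking.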

Thoughts on password strength

Passwords continue to be a key feature of identity management.    As such we need to continue to educate and build awareness around passwords and password management.

I have noticed a graphic like the one below (taken from Hive Systems via TechRepublic) regularly shared in relation to the time taken to crack a password, based on different scenarios of password format and length.   The issue for me is that it paints a picture which, although useful in some ways, oversimplifies the situation.

from Hive systems via TechRepublic

Statistics, statistics and more statistics

The graphic is based on the time taken to work through every possible combination for a given password length and character set, in the kind of offline attack against a stolen password hash that such tables assume.     So, for example, to crack an 8-character, numbers-only password I would first need to know (or assume) that the password is made of numbers only, so that I am only testing those combinations, and I would then test 1, then 2, 3, 4 and keep going up through the options.    Now it might be fair to always test numbers-only first, expecting numbers-only passwords to be common enough to be low-hanging fruit from a cyber criminal's point of view.   It might then equally be fair to test lowercase, mixed case with numbers, and mixed case with special characters, each in order of likelihood and of the number of combinations presented.    At this point the exercise starts to feel like an exercise in compulsive completeness, going through every possible combination in sequence, rather than an exercise in quickly and efficiently cracking a given password.

And to make matters worse, if my password happens to be "Password" or "Password22" then I suspect it would be cracked far faster than the 2 minutes or 3 weeks the graphic reports for passwords of that length and format.   

Human behaviours and social engineering

The issue here is that if we are truly trying to be efficient in cracking a password we would approach it heuristically and look at common human behaviours.    We would look at the need for people to remember passwords easily, and therefore at the likely tendency to pick common passwords, passwords relating to recent events or seasonal celebrations, etc.    Rather than working through every combination, we would work through the most common candidates and variations of them, confident that, as a human set the password, they may well have fallen into one of these common behaviours.    And it is at this point that the graphic no longer works for me.

We would also look towards other data, as passwords are not set in isolation.   We each set our passwords against the backdrop of our everyday lives, our work, our challenges and our successes, so access to any data on these things can yield information which helps in cracking a password.   And oh, how social media and a quick Google search help to provide this data.  So again, the graphic starts to fail us.
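The following is an added example (my own illustration for this post, not the method behind the Hive Systems table and not a real cracking tool) that puts numbers on the contrast between the two paragraphs above: the worst-case time to exhaust a password's whole character set and length, which is what the graphic's cells represent, against the position the same password occupies in a small human-behaviour guess list of base words with capitalisation, years and a trailing "!". The guesses-per-second rate and the four-word base list are assumptions chosen for illustration; a real attacker's wordlist would be breach-derived and millions of entries long, which only makes the gap wider.

```python
import string

# Assumed attacker throughput used for the worked numbers (an illustrative
# figure for an offline attack on a captured fast hash, not a claim about any
# particular hardware or about the figures in the Hive Systems table).
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# The character-set "ladder" the graphic walks, smallest alphabet first.
CHARSETS = [
    ("digits only", string.digits),
    ("lowercase only", string.ascii_lowercase),
    ("mixed case", string.ascii_letters),
    ("mixed case + digits", string.ascii_letters + string.digits),
    ("mixed case + digits + symbols",
     string.ascii_letters + string.digits + string.punctuation),
]


def smallest_charset(password):
    """Name and alphabet of the smallest ladder charset containing every character."""
    for name, alphabet in CHARSETS:
        if all(c in alphabet for c in password):
            return name, alphabet
    raise ValueError("password uses characters outside every charset in the ladder")


def brute_force_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst case: exhaust the whole keyspace for this length and charset.
    This is the quantity the graphic's cells are derived from."""
    _, alphabet = smallest_charset(password)
    return len(alphabet) ** len(password) / rate


def human_candidates(base_words, years, max_number=99):
    """Guesses in the order a heuristic cracker would try them: each base word
    as typed, capitalised and upper-cased, with common suffixes (full years,
    two-digit years, small numbers) and an optional trailing '!'. Duplicates dropped."""
    suffixes = [""]
    suffixes += [str(y) for y in years]
    suffixes += [str(y)[-2:] for y in years]
    suffixes += [str(n) for n in range(max_number + 1)]
    candidates, seen = [], set()
    for word in base_words:
        for variant in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                for tail in ("", "!"):
                    guess = variant + suffix + tail
                    if guess not in seen:
                        seen.add(guess)
                        candidates.append(guess)
    return candidates


def guesses_to_find(password, candidates):
    """1-based position of the password in the guess list, or None if absent."""
    for position, guess in enumerate(candidates, start=1):
        if guess == password:
            return position
    return None


def compare(password, candidates, rate=ASSUMED_GUESSES_PER_SECOND):
    """Brute-force worst case versus the heuristic list for one password."""
    position = guesses_to_find(password, candidates)
    return {
        "charset": smallest_charset(password)[0],
        "brute_force_seconds": brute_force_seconds(password, rate),
        "heuristic_guesses": position,
        "heuristic_seconds": None if position is None else position / rate,
    }


if __name__ == "__main__":
    # Constructed base list and years; real lists are far larger.
    wordlist = human_candidates(["password", "welcome", "letmein", "school"],
                                [2021, 2022, 2023])
    for pw in ("Password22", "Welcome2023!", "correcthorsebatterystaple"):
        print(pw, compare(pw, wordlist))
```

"Password22" sits in the mixed case + digits row at 10 characters, which the brute-force figure makes look respectable, yet it is found within the first few hundred heuristic guesses; a long lowercase passphrase scores far higher on brute force and is absent from the list altogether. That is the distinction the graphic flattens.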

What makes a strong password?

Password length definitely helps to make passwords stronger, so in this respect the graphic is useful, but length isn't the single measure which I think the graphic implies it to be.    As to the mix of uppercase and special characters, etc, I think in this day and age this makes a limited, though not zero, difference to strength.

The factor that the graphic badly misses is how common or predictable the password is likely to be.   If it is common, so relating to a current or seasonal event, to the company you work for, or to something else that might be predictable based on the world we live in or on what can be publicly ascertained about you as an individual, then the graphic falls flat on its face.   

So, what can we do about it?

I think sharing this graphic is useful in terms of pushing the need for longer passwords, but I think we should take care when sharing it on its own.    It is useful to share HaveIBeenPwned's Pwned Passwords checker alongside the graphic, so that individuals can use the graphic to assess length but then use HaveIBeenPwned to assess how common a password is, in terms of the number of times it has appeared in recorded and reported data breaches.
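For anyone who wants to wire the HaveIBeenPwned check into a staff tool rather than pointing people at the website, here is an added example of how the Pwned Passwords lookup works (my own example for this post, not HaveIBeenPwned's code). The service is queried by the first five characters of the SHA-1 hash of the password only, and returns every hash suffix in that range with a count, so the full password, and even its full hash, never leaves the client; that k-anonymity design is what makes it acceptable to check real passwords against it. The "server" below is a constructed stand-in built from a made-up corpus so the example runs offline; the counts in it are invented, not real breach figures. The `fetch_range_live` function talks to the real API and is included for reference but is not called.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """The k-anonymity split: only the 5-character prefix leaves the client;
    the remaining 35 characters are compared locally."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Turn a range response ('SUFFIX:COUNT' per line, CRLF-separated) into
    {suffix: count}. Zero-count padding lines, if present, parse harmlessly."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and len(suffix) == 35:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus behind fetch_range
    (0 = never seen). fetch_range(prefix) must return the response body text."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Client for the public API (not used by the offline demo below)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server so the example runs offline. The counts
# are invented for illustration and are not real breach figures.
CONSTRUCTED_CORPUS = {
    "password": 9_000_000,
    "Password22": 4_500,
    "letmein": 120_000,
    "Welcome2023!": 300,
}


class FakeRangeServer:
    """Answers range queries from the constructed corpus in the real response
    format, and records which prefixes it was asked for."""

    def __init__(self, corpus):
        self.by_prefix = {}
        for pw, count in corpus.items():
            prefix, suffix = split_for_range_query(pw)
            self.by_prefix.setdefault(prefix, []).append(f"{suffix}:{count}")
        self.prefixes_seen = []

    def fetch(self, prefix):
        self.prefixes_seen.append(prefix)
        return "\r\n".join(self.by_prefix.get(prefix, []))


if __name__ == "__main__":
    server = FakeRangeServer(CONSTRUCTED_CORPUS)
    for pw in ("Password22", "correcthorsebatterystaple"):
        n = breach_count(pw, server.fetch)
        print(f"{pw!r}: seen {n} times; server only received prefix {server.prefixes_seen[-1]}")
```

To use it for real, pass `fetch_range_live` instead of `server.fetch`; the rest of the code is unchanged, which is the point of the design: the client logic is identical whether or not it trusts the server, because the server is never given enough to recover the password.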

As is often the case, as we seek to find and communicate a message, making it as simple as possible, we start to lose some of the detail, and in this case I think the importance of how common or predictable a password is, is a key detail which mustn't be lost.

References:

Lance, W. (2022) 'How an 8-character password could be cracked in less than an hour', TechRepublic, 7 March 2022. Available at: How an 8-character password could be cracked in less than an hour | TechRepublic (accessed 12 April 2022).

Cyber and Learning

In schools we need to keep student data secure; however, we equally need the flexibility to use different learning platforms and tools in the search for effective learning experiences.   There is a clear tension between these two requirements, and it would be fair to consider them the opposite ends of a continuum.    At one end you could have a very secure system, similar to those in highly regulated industries like banking, but in doing so you would lose some of the flexibility needed by teachers.   Alternatively you could have a very open and flexible setup, but in doing so you would likely open your school to increased cyber risk.   So how do we navigate the continuum?

The security paradigm

In my view, part of the challenge here is the security paradigm of keeping systems and data secure. The reality is that we can only measure this after the event: for every day we don’t suffer an incident we have achieved this requirement, and we need to keep achieving it indefinitely. A single incident would therefore represent total failure. In the complex world of IT, with ever-changing threats, this model doesn’t work.

I think we need to accept that if we look far enough ahead an incident is a certainty. As such, we need to make sure this is understood at the senior levels of the school, and then seek to do everything reasonably possible to make sure that incident stays in the future or, failing that, to limit the damage it causes. In considering the probability of an incident it’s almost like the doomsday clock, ever moving slightly closer to or further away from global catastrophe.

Risk Appetite

One of the first things which I think schools need to identify is their risk appetite. The more risk you are willing to tolerate, the closer the doomsday clock’s hands are to midnight, but the more flexibility you have available. The less risk you are willing to tolerate, the further from midnight the clock’s hands are, but the less flexibility you will have. All schools will have a risk appetite somewhere between the two opposite points; the question is where on this continuum, and how much closer it is to cyber security or to flexibility and learning.

Risk Assessment

The next thing to consider is risk assessment. How can you manage and mitigate risks if you don’t know what they are? The more flexibility you need, the more risks you will likely need to document. One of the benefits of risk assessment is the time spent considering what the risks might be, their likelihood and their potential impact. This then gives an opportunity to prioritise resources for those risks deemed important to the school. It is also worth noting that any risk assessment should be a working, living document, as the nature of schools is one of constant change.

Documenting decisions

It is important that senior staff are aware of the decision-making processes, the decisions and the risks, and therefore it is critical that the risk appetite and risk details are shared with those staff to ensure they are appropriately informed. This can help with identifying where there is a need for additional resourcing, but also with identifying where risks remain because mitigation measures are too costly or otherwise resource-restrictive. If your focus is on learning, you need to clearly document the resultant risks which the added flexibility will have opened up.

It is also important to remember that we will only be able to identify failure in the future, after an incident. When this happens, we will want to look back to see if the incident was the result of a decision and, if so, why we took that decision. Or was the incident simply something which we didn’t consider in our examination of the likely risks? This requires the decisions around risks to be clearly documented.

Near Misses

I am also going to mention near misses, something I frequently forget to mention. There is a lot to be gained in terms of knowledge and experience from those “almost” incidents where we come close to a cyber incident. We therefore need to find ways to capture such events and to encourage users to report near misses, as otherwise we will have lost valuable intelligence, leaving us only with actual incidents to learn from.

Conclusion

There isn’t one answer or solution for all schools in relation to navigating between cyber security and learning/flexibility; each school will need to consider and make its own decision in this respect. It needs to be based on context, needs, resources and a variety of other factors, and it should be a conscious decision rather than something that simply happens.

On the cyber security side of things, I believe the focus has for too long been on prevention. Schools don’t have significant cyber security resources but are an enticing target for cyber criminals, so prevention on its own isn’t enough. We need to accept that an incident will happen and therefore shift to a focus on minimisation or delay: mitigating risks to push the incident further into the future, or mitigating risks to reduce the damage when the incident finally does occur. For this reason I increasingly prefer the term “cyber resilience” to “cyber security”, as it hints at the need to be ready to respond to and recover from the inevitable cyber incident.

Maybe we should all start including a cyber doomsday clock in regular communication with senior staff; is this the way forward?

Why does cyber security matter?

I have written repeatedly about cyber security and the fact that it is an increasing risk for schools. In my view, it should be on the risk register and the subject of regular discussion, but why has it become so important?

Increasing amounts of data

As we become ever more digital within schools, we find ourselves gathering, but also generating, ever more data. This ranges from simple demographic data such as name, address, date of birth and gender to other data such as browsing history captured by school filtering solutions and device information for personal devices. We increasingly have online payment gateways for parents to purchase school lunches or uniform, or solutions which record health and allergy information. We are gathering ever more data, and with that data we are able to generate yet more by combining it or inferring from it. So, if data is the new gold, then schools must clearly be untapped gold mines from a cyber criminal’s point of view. As such, cyber security is important in keeping school data safe.

Schools being hit

Look at the newspapers and online press and it won’t take you long to find a school or group of schools which has suffered a cyber incident. The reports often indicate the need for school closures while recovery is attempted. This clearly shows that schools are being hit, possibly even specifically targeted, and that a cyber incident has a significant impact. Given this context, that schools are suffering from cyber incidents, it is difficult not to consider cyber security and to mitigate risk as much as possible.

Schools as soft targets

The purpose of a school is education, teaching and learning, and as such its resources are focussed on this. This means schools, despite holding large amounts of data, are not investing in cyber security to the same extent companies may do. This is true both in terms of cyber security technologies and also, possibly more importantly, in staffing with cyber security experience. I feel this isn’t that surprising given the general shortage of cyber security professionals and the wages they can consequently demand; schools will find it difficult to match such wages. Additionally, schools will have a variety of different systems and hardware, possibly including student and staff personal devices, all connected to their network, often with updates unapplied or a poor general security setup. The focus of IT will largely be on enabling teaching and learning rather than maintaining a tight security perimeter. This all leads to cyber criminals seeing schools as soft targets.

Young people’s personal data

Banks and other financial organisations are increasingly using data to identify unusual activity on an individual’s account as a method of identifying and stopping fraud. The challenge with young people is that, to start with, little data exists as they set up their first account, their first loan, their first hire purchase agreement and eventually a mortgage. Therefore, from a cyber criminal’s point of view, having access to sufficient personal data to initiate identity fraud is more valuable with young people, where little data exists, than with older people. With young people, the first transfer into a bank account under the control of a cyber criminal is more likely to get lost among the wealth of other firsts for these individuals. Again, this points to school data as a gold mine for future frauds and financial gain on the part of cyber criminals.

Safeguarding

We also need to consider safeguarding. Students are increasingly online, in school and at home. Schools need to keep them safe in school, and cyber security is a part of this, ensuring their online activities are safe and secure, their devices remain secure, and so on. Additionally, schools need to ensure that students remain safe outside of school through the way the school handles the data it holds on them. We need to ensure that their data remains safe and secure so that it cannot be used to malicious ends in approaching them online.

Conclusion

Cyber security matters. I would even go so far as to say it is critical. All schools need to consider cyber security, not just as a one-off but as an ongoing process. Cyber security needs to be part of school culture in the same way that safeguarding has become part of school culture over the last 20 years (it may be longer than this, but my experience is limited to just over 20 years). We need to ensure we do all we can to keep schools, their systems, data, staff, students and wider community safe from cyber risks, to prepare for the inevitable incidents which will happen and to make everyone aware. It’s a big ask, I think, so the first step is to ensure we have at least given it some thought, started talking about it and started sharing our thinking. To that end I hope this post has been of some use.

Thoughts on Safer Internet Day

This week included Safer Internet Day, the 8th of February, with a lot of additional posts on internet safety making their way onto social media. I think Safer Internet Day is great for signposting resources, focusing thinking and sharing thoughts and ideas regarding online safety; however, I equally worry that it becomes a one-shot deal. I worry that it signifies the one day a year when online safety receives a focus.

I have recently tended to focus on the cyber security aspect of online safety in particular, talking to students about securing their accounts, data breaches, etc. This has largely been due to my interest in this particular area and a feeling that it is sometimes neglected, or is believed to be covered by a discussion of what makes a strong password. I think students have found our discussions useful; however, I wonder about the overall impact when these discussions happen infrequently. Students may listen intently, engage and even contribute, but once they return to their daily lessons and the daily requirements of study, homework, etc., I feel that the discussion of cyber security and the concepts raised may largely become lost in the sea of other information and priorities. When they next pick up their device, or sign up to a new online service, do they give thought to the presentation they received, or do they simply repeat their previous behaviours and sign up with little consideration for online safety?

One of the big challenges is how we fit digital citizenship, online safety and cyber security into the available time so that they occur regularly. With ever-increasing curriculum requirements the available time is only shrinking, and I note that seldom does the net impact of curriculum changes result in fewer things to cover. As we use more technology in our schools, and as our students use more technology in their education and in their day-to-day lives, surely we need to spend more time discussing the risks as well as the benefits. Surely we need to spend more time looking at how we manage ourselves in a digital world, how we manage our online identity and our personal data. But where is this time coming from?

And this is the crux: Safer Internet Day, which I have already acknowledged I like, may highlight the limitation of our current approach to online safety. It feels tacked on, an additional item, rather than something core, something truly important. We might run presentations or get guest speakers in, but all this really does is tick a compliance box. To truly cover online safety we need something more embedded, something which is ongoing throughout a student’s time in school or college; we need to develop a culture of online safety. We ideally need everyone, teachers and students alike, modelling behaviours which represent good online safety. We also need poor behaviours to be challenged and questioned.

Developing organisational culture is a long-term and slow process, which in my experience is often the sum of lots of little actions taken across an organisation, adding up to a statement of “how we do things around here”. As we make greater use of technology, we need to be increasingly focussed on making sure our usage of technology is “safe”.

But technology, unlike culture, moves quickly, so we have no time to waste. I think we all need to ask ourselves: what is the online safety culture like in our school, how can we develop it, and how can we make sure it equips students with the knowledge and skills they need in this increasingly digital world?
