The subject of risk management will be one familiar to EdExec readers, but how has it changed recently? Tim Martin takes a look at which emerging trends the experts have been exploring.
Given the high stakes involved in managing large financial budgets, SBMs are often expected to address risk management in a well-planned and modern manner. It’s also worth mentioning that it isn’t always sophisticated fraudulent attacks that result in schools suffering substantial monetary losses or reputational damage; evidence from KPMG suggests that even tried and tested methods present danger, as their Fraud Barometer analysis points out. ‘The motivation to deceive comes in a variety of forms. Many criminals are still prepared to rely on the traditional conman artistry of making financial gain through misplaced trust, attacking people’s vulnerabilities and sensibilities.’
Making finance staff aware of protocol, and of the need to protect sensitive and confidential data, is one obvious method of discouraging external threats, but the emergence of new cyber-threats and tech-orientated deception means that reacting badly to actions not perceived to be threatening can be catastrophic. In the context of information security, this concept is often referred to as ‘social engineering’.
In short, this type of social engineering relies on the good faith or naivety of the person being duped, and can involve a series of interactions with a criminal before they set up a ‘con’. For example, social engineering strategies are usually used to convince a target to open an email that contains a virus, or a software package that will further expose them to fraudulent activity.
Simple steps – huge difference
Reported data breaches are also central to better understanding the frequency of cyber-attacks; SBMs can learn much from the past mistakes of their school counterparts. Tilden Watson, head of education at Zurich Municipal, says that breaches of the Data Protection Act in schools have recently ranged from unauthorised disclosures of information by staff to incidents where data was lost or stolen by hackers. “Some simple steps can make a huge difference in preventing these data breaches, including installing firewalls and regularly updating antivirus software, encrypting sensitive data, password-protecting memory sticks and laptops, encouraging users to choose strong passwords and carefully managing user/admin access,” he explains.
Likewise, Rachele Kelsall, head of education practice at Hugh J Boswell, says that cyber risks – included in the overall category of liabilities and assessing financial impacts – are the top emerging risk that the company is currently discussing with SBMs. “The cost of cyber cover isn’t massive and, if you set that against a typical premium for buildings and contents insurance, the cyber cover would be a minimal percentage of the overall premium or insurance package,” she says. “I think there’s a recognition that pretty much every business will be subjected to attempts at hacking. Some will be more successful than others but schools are particularly vulnerable because of the type of data they hold, including sensitive pupil data.”
Playing it smart
In focusing on these emerging trends, have schools been de-prioritising certain cover and/or have insurers seen a reduction of claims in one area or another? “I haven’t found it to be the case that schools have favoured one item over another and, in terms of adding something like cyber risk cover, it’s not a massive outlay,” Rachel says. She does, however, mention that schools are playing it smart where small claims are concerned and, rather than seeking relief from their insurance provider, they are putting their facilities and estate management teams to good use – letting them deal with small property damage and vandalism, for example.
Cyber risks and on-going child abuse investigations are not the sort of issues that SBMs can afford to take lightly. Evidence from our experts suggests that both basic and sophisticated fraud threats continue to be of growing concern, whilst stories relating to child abuse remain in the public eye and threaten to ruin reputations. Pre-empting these risks forms the very basis of a successful risk management strategy, and encouraging all staff to play an active part in minimising risk is just as important.
Tips on mitigating against supplier fraud from Richard