Gary Henderson, ANME ambassador and director of IT, Millfield School, discusses the issue of preventing cyber attacks in schools
Let me start with a rather blunt but pragmatic view to the question which makes up the title of this post. The answer is ‘No! You cannot be sure your cyber security is up to scratch’.
The reality is that the cyber landscape is constantly evolving and changing, with cyber criminals seeking easier or bigger gains. Attacks are guaranteed as any internet-facing technology is a potential target, plus no matter what resources you put in place it is not possible to be sure, to be 100% sure, that you are secure. All it takes is a single school user, a misconfigured server setting or a compromised third-party processing school data, and you will find yourself in the midst of dealing with a cyber incident.
Considering users, almost all cyber incidents tend to have a user involved at some point, so user cyber security awareness continues to be key. It isn’t, however, just about the existence of awareness development programmes but about checking their effectiveness and encouraging greater reporting of concerns. The more reporting we have, the more likely we are to identify an incident early, and the easier it is to spot gaps in awareness or emerging issues. It’s a bit like safeguarding in that respect: we need over-reporting to ensure that when it really matters, concerns are reported, allowing IT teams to identify and respond to incidents quickly.
Looking more broadly, we also need to increasingly adopt a different mindset, that of accepting the inevitability of a cyber incident. With this we can then focus on delaying, minimising the impact of and preparing for an incident. Like fire drills, which don’t stop a fire, cyber incident desktop exercises allow us to check and practise our processes, so when a real incident occurs we are ready to safely exit the building.
So maybe the question needs to be, ‘Are you doing all you reasonably can do in relation to cyber security?’, and with this we can take a more risk management-based stance. We can look at the preventative measures, particularly the basics, we can look at user awareness, at incident preparations and incident management, we can make decisions which balance the school’s operations with cyber risk.
And this, in my view, is what cyber security is all about. It isn’t and cannot be about absolutes and prevention or about Anti-Virus or putting X or Y in place. Cyber security is an ongoing process; it’s about balancing school needs, school resources and risks. It’s about assessing the risks against the appetite for risk and taking action accordingly.
We cannot prevent attacks, they will happen. We also cannot be sure we are secure to resist an attack. But we can build, and continually review and revise, processes to ensure we do all we reasonably can to protect our schools, systems, data and users.
To find out more about how you can address the problem of cyber attacks in your school, come and join Gary at his seminar at EdExec LIVE SOUTH in London on 9th June 2022.
To register your interest for free or discounted tickets email [email protected] quoting the subject line ‘I want to learn more at EdExec LIVE!’