Recent research from LGfL has revealed an urgent need for cyber-security training within schools – what is the impact of not having staff with cyber-security expertise? Gary Henderson, ANME member and director of IT at Millfield School, explores
The issue of cyber-security skills in schools is multi-faceted. There are implications in relation to the cyber-security skills of school IT staff and leadership, as well as the wider staff body. The development of these skills among our students also needs to be considered, as we attempt to prepare them for the increasingly digital world we now live in, and we also need to build awareness and skills in parents, and the wider community, as the importance of cyber-security is only growing.
From a GDPR point of view each school has a responsibility to protect the personal data they store in relation to staff, students, parents and other members of the community who interact with the school. At this level of analysis, it is the cyber-security skills of IT staff which are likely to matter the most; they must be as well-prepared as possible in the face of increasing cyber threats.
A perfect illustration of this is an article on ZDNet (Ranger. S, 2019) which indicated that education users are twice as likely to be targeted as consumer users by phishing attacks, plus ICO data for quarter two of 2019 identified that education is the third most common sector to report a data breach, reporting around 11% of all breaches reported in the quarter. Where schools fail to consider cyber-security, they are increasing the risk of a significant cyber-security event; even those schools which do identify the risk and take action are not immune to a cyber-incident – they just reduce the likelihood, and potential impact, for when, rather than if, it happens.
Cyber-security skills are key to being prepared. One of the biggest issues is that these skills do not remain static, as the threats are always evolving and, therefore, resources must be identified to support continuous cyber-security skills development among IT staff. The challenge here is that this is difficult where resources are limited plus, often, cyber-security isn’t on the radar of senior staff. It also must be acknowledged that the wider societal need for cyber-security professionals or those with these skills is also making it more difficult for educational institutions to source skilled staff.
In face of the difficulties we still need to identify a way forward. My suggestion is, first, to raise the profile of cyber-security within schools; this involves engaging senior staff as to the risks. From there, hopefully, schools can seek to allocate resources in line with their attitude to risk, whether this be in relation to staffing, finance to support the professional development of IT staff, software or hardware, or any other resource.
I believe the other key area where action can be taken is in the gathering of threat intelligence. Individually, schools are reliant on the skills of their own IT staff and on third parties – who often have their own agendas or profit margins in mind – collectively, however, schools have a much wider pool of knowledge and experience and it is pooling this knowledge and experience where I see the biggest opportunity.
One of my favourite phrases right now is, ‘the smartest person in the room, is the room’. It sums up cyber-security skills. If the IT staff in all schools seek to share their approaches to cyber-security skills’ development, cyber-security issues, their challenges and their successes, then we will have a very experienced and skilled ‘room’ and we will be all the better for it.
I believe the solution is a collective one, requiring educational institutions to work together, to share and to pool their resources, knowledge and experience.