Ian Stockbridge, ANME member and ICT manager at Concord College, discusses why you might need to channel an ‘80s film in order to stay cyber-safe in your school
Take a moment to congratulate yourselves and your teams for helping to provide education in the most challenging conditions since World War II. COVID-19 has taken the most terrible toll on friends, family and the economy globally. It can be hard to find a silver lining when something so tragic happens, but that is exactly what I would like to try to do.
Delivering education in these terrible conditions has made schools across the country look at IT in a completely different way – adopting new IT systems and practices in weeks that, in normal circumstances, would have been delayed by years of procrastination and discussion. We have delivered benefits to staff and students that will last beyond COVID-19, and I take great heart in that.
The problem with having delivered remote access and teaching is that security policies and technical measures may not have adapted at the same rate and the world of cyber-crime has been quick to take advantage of this. Ransomware attacks targeted at education, and their devastating effects over the past 24 months, have all too often made the headlines.
Society needs to holistically review cyber-security and acknowledge our dependence on technology. We all have a responsibility to better protect the systems we depend on and the government has never been more explicit on this; so far this year they have published a National Cyber Strategy and a Government Cyber Security Strategy 2022-2030.
It makes sense that we in the education sector do our part in reviewing our own cyber-defences in 2022, identifingy where improvements need to be made so that we can continue to do what we do best – help deliver education.
An Apollo 13 moment
The most crucial first step in this journey is getting support from the highest level. It should be clear to all the value IT has delivered over the last two years in the education sector. It was our Apollo 13 moment for myself and my team, delivering great success whilst facing a very real crisis.
What may not be clear to governors, trustees, and senior management is how delivering these new services may have changed an organisation’s risks. It is essential that the whole organisation has a thorough understanding of the risks related to cyber-security. Without support from the top there is no mandate to bring in new policies, and no justification for extra resources or funding. Cyber-security needs to be evaluated from a ‘not if but when’ perspective.
So let us start with questions that governors and trustees absolutely need to discuss with school leaders. The National Cyber Security Centre (NCSC) has published an excellent document that provides eight insightful questions for governors and school leaders to get the ball rolling and this should generate some probing questions for IT departments.
To really get the discussion flowing, the second vital step is where you invite governors, trustees and senior management to play a game of ‘Global Thermo Nuclear War’. All of you old enough to remember WarGames will be smiling (the younger staff might need to Google it) and thinking ‘What does this have to do with the governors, trustees and senior management?’ Well, in that film, the computer ran thousands of simulations to work out what would be the best way to ‘win a nuclear war’ without actually having one.
So why can’t we simulate having a cyber-incident without actually having one? The great news is that you can, and the process is sometimes described as ‘wargaming’ (tenuous link, but we got there in the end). Once again, the NCSC has delivered another excellent free resource for us called, rather unexcitingly, ‘exercise in a box’.
Whilst not as exciting as simulating the end of the world, it helps you simulate a series of different types of cyber-event without being under the pressure of dealing with an actual cyber-event. Ideally, you will want a representative from the board of governors or trustees, a member of senior management, your data protection officer and the IT manager to take part. If possible, get a teacher to run the event like a presenter, allowing the key stakeholders to focus on their specialist areas.
These processes will reveal one of two things:
You are totally prepared and ever-vigilant for the changing cyber-risks your school faces.
You will have identified areas that require further attention.
The idea of this first blog is to get the ball rolling and get people asking the right questions about cyber security. If you have found this helpful, I will follow up with some suggestions about what to do next.
Be the first to comment