Cyber security preparedness
Schools now need to place greater emphasis and thought into ensuring the security of their data and systems. As the number of high-profile data breaches, system vulnerabilities and error related leaks increase and as schools themselves find themselves the direct target of scams they need to establish and review their systems and processes to protect the data they hold. This needs to be accomplished while supporting the effective operation of the school; turning all the IT equipment off would be good for cyber security but not that great for organisational efficiency!
The ISBAs own IT Survey from 2018 identifies the need for consideration to be given to cyber security identifying that 2 in 3 bursars were not fully confident in data security and that less than half of IT leads were confident in school systems being able to withstand a “determined hacking attempt”. These statistics seem worrying however I personally find them worrying for a different reason. Over the last couple of years some of the largest data breaches have been experienced by well-known tech companies such as Google and Facebook, as well as by several large and well-known non-Tech companies. Each of these companies can be expected to have spent significant sums and time on cyber security, plus can be expected to have security operations centres staffed with personnel tasked with maintaining the cyber security of their respective companies. Independent, state and international schools cannot even get close to the kind of investment these organisations can bring to bear on maintaining organisational cyber security, and yet these organisations, despite their efforts, still suffered from cyber breaches. Given this how can schools and staff in schools be confident in their ability to maintain the cyber security of their data? For me the worrying statistic, inferred from the ISBA IT Survey data, is that 1 in 3 bursars and less than half of IT leads are confident in their schools cyber security, yet given the context of breaches at Facebook, Google, Westin hotels and British Airways to name but a few, I do not see how such confidence is possible, aside from being overconfident. Overconfidence for me runs the very serious risk of being the first step to a cyber incident and a very rude awakening.
So, in sticking with the ISBA’s concept of a “Bursars Six-Pack” what are my six pieces of advice in relation to being prepared:
1. Accept that it will happen
If cyber criminals can get into major tech companies or data can be leaked from them, then the same can happen to schools. We need to accept it isn’t a question of “if” a breach or leak will occur but more a case of “when” so we need to accept uncertainty and make our decisions regarding the measures we take. Having done so we need to ensure we document our decisions and their reasons.
2. Be nervous
We also need to accept that feeling of nervousness as it is simply an acceptance of the prevailing risk and uncertainty, or a “healthy” paranoia as I have referred to it in the past. We must then use this to drive us to regularly re-examine our approaches and our assumptions, and to drive forward with continual and ongoing improvement in our approaches to maintaining cyber security preparedness. I don’t believe anyone should be 100% confident in their cyber security.
3. Put user awareness first
Users are involved in most breaches or data leaks and therefore should be the first area of focus. A compliance driven approach of annual training isn’t enough so various approaches need to be combined including using phishing simulation/testing, regular just-in-time information and notices around school; In relation to notices the inside of toilet doors is one good location as it ensures a reasonably captive audience. Only via a mixed approach can a culture of cyber security be built.
4. Test your backups plans
Having a disaster recovery (DR) plan, having a secondary internet line, cloud based remote backup services or cold spare firewall is a good start but most important is testing them. Will they work when it matters and how do you know this? You need to check such disaster recovery systems and processes work and that everyone involved knows how to get them operating, and this should be done regularly. You need to simulate an incident and confirm all operates as it should and that all know what they need to do. If you don’t then you await a real incident at which point you will be rolling the dice and trusting in luck.
5. Grill your third parties
As we share more and more data with third parties we also need to ask more questions of them, especially where we are sharing significant amounts of personal data or where the data as of a sensitive nature. Do we know their approach to cyber security, and do they have independent audits, penetration tests or vulnerability testing processes which confirm their assurances? Do they have a plan for where they suffer a data breach or where they identify a vulnerability and does this plan include notifying clients? If so, within what period of time? We all need to do more to ensure that third parties provide us the assurances we need and where possible can provide independent evidence to support and confirm this.
6. Do the basics
My final point is more of a collection of points in the need to ensure we all carry out the basic approaches to cyber security. We need to patch our systems regularly, have up to date anti-virus in place, segment our networks and manage data access through a least privilege possible approach. In addition, we need to make use of multi-factor authentication (MFA) where possible and especially where highly sensitive data is involved plus need to consider how we manage mobile devices. We also need to ensure we seek third party assessments to validate our decisions and approach and to identify where improvements can be made. In my view such audits or penetration tests should be on an annual basis.
There are other approaches and activities we need to undertake. I could go on and list 8, 10, 12 or more areas but the six above are those which I believe are most important. There is no single answer to being cyber prepared as it depends on so many factors including a school’s overall appetite for risk. I am sorry if I disappointed any readers hoping to find the answer but there simply isn’t one. As a result, every schools approach is likely to differ, and this is ok as every school is different. The key is for the discussions to happen at every level of the school and across all roles with these discussions and resulting decisions documented. I personally believe some sort of IT risk assessment document can be an important tool in this. Ideally a culture of cyber security needs to be nurtured. Everyone needs to be very clear that cyber preparedness is everyone’s responsibility.
Independent School Bursars Association (ISBA). (2018). The ISBA’s IT Survey 2018, ISBA