Month: June 2021

School IT: Capex or Opex?

In schools your IT costs are one of the biggest and the pandemic has highlighted the need for investment.   But should this investment be a capital, outright purchase or are leasing options better?

I was always told that the three biggest costs for a school are staff, buildings/estates, and your IT/technology costs.    The last year and a half, and the pandemic have shown us that some schools weren’t ready in terms of technology, in terms of their infrastructure and the client end devices or at least there was a need for improvement.   I have already posted on several occasions that there is a clear need for investment.   The issue though is should this investment be in the form of outright capital-based purchasing or leasing revenue-based purchasing?

Capital

I used to believe, for big spends such as device replacement or significant infrastructure upgrades, the only way was capital.   If you own the equipment you might be able to squeeze extra years out of the kit plus a capital purchase has no leasing charges associated.  Capital purchasing was simply cheaper in the longer term, but painful in the short term due to the upfront costs.

I came to learn though that its not quite that simple.   All too often I have seen capital purchases for devices or infrastructure approved but without thinking longer term about future replacement costs.   In other words, the immediate cost was approved but without planning a replacement cycle, leading to difficult questions in the future.   Additionally, capital purchases lend themselves to scope creep.   So, the school has replaced 25 PCs; Someone will ask to keep 5, of the old machines being replaced, at the back of the maths class or 5 for English and suddenly you now have 35 PCs.    That’s 10 additional PCs which will require software and licensing costs, which will require support, and which will require eventual replacement.    The quiet years, maybe 3 or 4 years after you have replaced most of your PC fleet, are also an opportunity for spending on other projects, etc, without considered the high capital replacement cost which will recur when the fleet once again needs replacement.   This can then lead to overspend.    Now this can be avoided if you are disciplined in your capital purchasing and in your approval processes, but this requires care and discipline.

Leasing

Leasing shifts the costs to a revenue model and a “cost of doing business”.    The costs associated with your technology are therefore much more visible as these costs are spread equally across the leasing cycle.   It is therefore easier to avoid scope creep or overspending, as the technology costs are clear to see.    Sadly though, like everything, leasing does have its downsides.   These are the leasing costs, which I note continue to decline, and also the fixed nature of the cycle.   This means the option of squeezing an extra couple of years out of your devices, etc, isnt available as once the lease finishes you need to enter a new lease.   I am becoming less and less concerned by this.   Technology usage is on the increase, which increases wear are tear, plus cyber security is requiring more frequent updates leading to quicker device obsolesce.   As such I feel the days of managing to squeeze a couple of extra years out of things are quickly disappearing meaning fixed replacement cycles such as that enforced through leasing are becoming more acceptable.

Leasing is also often seen as less flexible than capital purchases as you are locking in for the lease period whereas capital spends feel more “one-off” and individual allowing for change in a year or so’s time.   This might be true up to a point, but once your requirements are beyond a significant cost level, you must be considering the hardware as being usable for 4 or more years at which point even with capital spends, once the money is spent, you need to make the purchase work and therefore don’t have the flexibility you might feel you do.  

Given the long term nature of a leasing arrangement and the resultant long term nature of the relationship with the leasing vendor, it is also important to find the right company for your leasing requirements.    That said, this is likewise important with a capital purchase, at least during any warranty and support period, albeit these periods may be less than your leasing period.

Lease-Purchase

Now there are other options in terms of leasing, such as lease-purchase whereby you pay the leasing costs spread across the period of the lease, but with a final option to purchase at the end.   I havent covered this in any detail as for me it brings the worst of both worlds.  Leasing costs and the opportunity for scope creep, etc, once the devices or hardware have been bought out at the end of the lease.

Conclusion

I don’t think there is a perfect solution.  It will depend on the items being purchased, the anticipated lifespan, school finances, organisational risk assessment and several other factors.  Sometimes you will want to purchase outright and sometimes I suspect leasing will be better.   All I can say for sure is that I am now much more likely to at least consider leasing and an opex spend.

Power Automate: Course Booking

Was doing a bit more playing with Power Automate again recently and thought I would share.

This time I was looking at finding a way where staff could book on an internal training course but where there would be a maximum number of places available.

My solution involves a Form to submit requests, a PowerAutomate to manage the requests and check if a given session has capacity and a SharePoint list to store the submitted request details for those people who successfully book a place.

So the steps:

  1. Create a form for your staff to make their training request
  2. Create a SharePoint list which will store the accepted requests;   The list should contain fields matching the questions within you form.
  3. Create the PowerAutomate to manage the submitted requests including emailing confirmations and apologies dependent on if the course is full or not.

Now I am going to detail point 3 above, as the other points are reasonably straight forward to achieve.

One of the first things we need to do is to Initialise a new variable which will be used to store the count of the number of people already booked on a course.    This should be an integer variable and set initially to 0.   Within the PowerAutomate we will change the value later based on the number of records in the SharePoint list.

Next I am using a Get Items action to get all of the items from the SharePoint list.   This will get you all the records submitted so far which is basically a list and count of the number of people already booked on the course.   

We now need to set the variable so that it stores the count of the number of records already in the SharePoint list.   To do this use a Set Variable action.    Within the value of this action we want to use an expression using the expression below:

length(body(‘GetItems‘)?[‘value’])

Note GetItems should be the name of the Get Items action mentioned earlier.    This expression will basically count the number of records in the SharePoint list as accessed via the earlier Get Items action.   

From here it is simply a case of using a Condition to check if the variable is less than or equal to you maximum number of attendees, and then send out appropriate emails either acknowledging acceptance on the course or indicated that the course is currently full.

And so, we have a basic little CPD course booking process complete with maximum number of attendees and confirmation emails.

Online Safety: Another challenge

Keeping students safe in a world of technology, and where students are spending increasing time engaging with technology, and even learning via technology, is very important.    As I have written in the past, this is also becoming increasingly difficult.   Back in March 2021 I wrote about how internet filtering, something that was easy when I started out on my teaching career, is now far from easy and verging on no longer possible (Internet Filtering, March 2021).    As such, I suggested that internet filtering can now no longer be considered as a distinct action schools should take in terms of safeguarding, instead needing to be treated as one part of a larger process encompassing a number of stakeholders and actions, all taking within a risk management, rather than compliance framework.

In June I re-emphasised the above in my post, Keeping students safe in a digital world.   This time my focus was on Virtual Private Networks (VPNs) and the implication of students being exposed to TV marketing on the use of VPNs to maintain privacy.  My concern was that this would drive some students to using free VPNs where the safety and security of data may not be as certain as the apps suggest.  It would also serve to make it more difficult for schools to monitor student online activity in the interests of safeguarding.

Since the above June post Apple have held their Developer Conference.   Apple, like a number of other device or software vendors are being very “privacy” focussed following recent high publicised incidents around the privacy of user data and some very well known services.   With this, Apple decided to announce iCloud+ and their Private Relay functionality built into the iOS and providing VPN like functionality when browsing within Safari.    This means “baked in” VPN functionality provided at the operating system level, on Apple Devices such as the iPad which are widely used in schools.   Yet another challenge for online safety. Private Relay, a great facility for privacy but yet another blow for school IT and safeguarding teams seeking to keep students safe online.   Now my hope is that there will be some ability to control this functionality using a Mobile Device Management (MDM) solution however for now this isnt possible, and I suspect it may only be possible on “supervised” devices rather than on Bring Your Own Device (BYOD) Apple devices.   Only time will tell.

I often refer to a continuum, when speaking to sixth form students, existing between individual privacy on one side and public good and safeguarding as items on the other side.    So for schools this is the privacy of the individual student versus the schools responsibility to keep students safe, and therefore to monitor and filter online activity.  Currently the pendulum continues to move further towards the individual privacy side.    I wonder if this will continue or if we will eventually see some balance restored.   I also wonder whether, given the increasing ineffectiveness of the technical measures schools can put in place, do the guidelines in relation to safeguarding students online need to be re-examined.

Reframing cyber costs in education

Schools and colleges need to focus their available funds on teaching and learning, and in the students within their care.   As such it can be difficult to justify significant spending on cyber security.   Investing in cyber security is investing in preventing the possibility, a chance, of a cyber incident occurring.   The challenge therefore is establishing a way to frame the costs in order to identify what represents good value.

Cyber security is all about risk management.   Every risk has a probability of occurring.   This might be a 1 in 100 or 1 in 1000 or 1 in 1 million.    This is where the difficulties in justifying spending on cyber security arise.    For the last 10 years an institution may not have suffered any significant incidents.   As such how can the head of their IT justify spending an additional £4000 or £5000 per annum on cyber security?    We are working from the point that it is more likely an incident wont happen that it will.   Viewed from the point of view of past experience, the institution has been fine for 10 years, with the probability of an incident assumed to remaining roughly the same, so is likely to be fine in the next 10 years, excepting for this small probability.    So, stay as is or spend £40,000 – £50,000 over 10 years to provide additional protection just in case?   Viewed from this point it may be difficult to justify the spend especially if the overall budget for the school is low.

Let’s take a more mathematical approach to the problem; If we take approximately 25,000 schools in the UK where I am aware of around 20-25 which have experienced cyber incident this year.   Let’s assume I am aware of only a small number of the schools which actually experience incidents, say 10%.   So, lefts take a probability of 250 incidents per 25,000 schools or 1 in 100.   At this point rather than looking at the chance of an incident occurring, we are assuming that an incident is guaranteed to occur within a given period.  Taking this probability, in 100 years, every school in the UK would likely have been hit.   If hit, let’s make an assumption that the cost would be £250,000 to recover (this is very much a guess figure and would be dependent very much on the size of the school, its type, complexity, infrastructure, etc).   Taking the probability of 1 hit every 100 years, with each hit costing £250,000, this means the approximate annual equivalent cost would be £2500 per annum.   The cost for the additional protection is looking a little better at this point.    All it would take is for the recovery costs to grow to £400,000 or for the probability of a hit to increase to 1 in 62.5 rather than 1 in 100 schools.   

For me the key things is to move from a position of looking at the chance on an incident happening, where we assume it is more likely an incident wont occur and moving to a position of “not if but when.”   At this point we are accepting an incident is guaranteed to occur within a given time period, but we just don’t know when.   With this viewpoint we can start to make a more reasoned judgement on costs.    We can also factor in the schools risk appetitive, with a school with a high risk appetite likely to choose to underestimate the probability of an incident while one with a low appetite for risk likely to overestimate.

We very much need to reframe how cyber risk and cyber security investment is looked at.   Hopefully the above presents at least one possible way to do this in an easy but yet meaningful way.

Keeping students safe in a digital world

It is becoming increasing challenging for schools to keep students safe in a digital world.   This is largely due to the easy with which students can make use of solutions designed with privacy in mind.  These technologies weren’t designed with the safeguarding needs of schools in mind.   As a result, I believe we need to be increasingly pragmatic about our approach.

One big factor in keeping students safe relates to whether the devices being used belong to the students and their parents or belong to the school.    Where they belong to the school there is greater potential to use technology solutions to help keep students safe, however these same solutions can easily be circumvented or removed where the devices belong to the students, e.g. where a Bring Your Own Device scheme is in place.    Personally, I suspect we will only see BYOD growing in terms of how common it is in schools.    It is also important to note that students will bring their own devices to school irrespective, likely in the form of personal mobile phones, therefore protections in place of school issued devices are rather limited in their effect given students can simply switch to their personal mobile phone should they not wish to be filtered or monitored.

The big reason for writing this post comes following reading a post where it recommended advising students to make use of VPNs in order to keep their communications safe and secure.   From a cyber security point of view I can understand this.   Using a VPN will stop someone snooping on my personal data in transit.   When thinking about it a bit more broadly however I think it would be a bad idea.   Firstly, it would hamper school filtering and monitoring, which is in place largely for safeguarding reasons.   Also, although there are very good VPNs available, these tend to be paid services.  Parents and students are unlikely to want or possibly even be able to afford to spend money on these services, which will therefore push them towards the various free VPNs which appear so readily available.   These free VPNs may either be fully malicious in nature, not being a VPN at all or may be gathering and selling user data.    Either way I am not sure if the cure, in a free VPN, is any better than the risk.

I think schools must now look to tackle safeguarding in a digital world in a more holistic way.   Its not down to the safeguarding and pastoral team to define filtering of sites, or access times for students, nor is it down to the IT dept. to make sure firewalls and filtering are in place.  It needs to be a collective approach where all involved discuss the risks and what they have in place, and what they can put in place going forward.    Within this, I continue to believe the principle focus needs to be on awareness rather than seeking technology solutions, ensuring students, teachers and parents are all aware of the benefits and risks of technology use, plus aware of how to keep themselves safe and secure online.

As privacy online continues to grow in focus, and as technology companies increasing bake privacy and security into their solutions, the act of keep students safe in a digital world will only continue to become more challenging.