A third party cyber incident

Schools make use of a variety of third-party solutions, and increasingly these solutions include both the software and its hosting; the days of every third-party solution being hosted on school servers in a school server room are fast disappearing. More and more school data is stored in third-party solutions, ranging from a simple list of email usernames and passwords to far more significant and sensitive records such as medical and financial information, with the school frequently being the data controller and the third party the data processor. As such, the security of that data ultimately remains the school's responsibility, even though it is the third party that holds and processes it, and these third-party solutions are increasingly suffering data breaches.

So, what might this look like when a third party suffers a data breach, such as a ransomware cyber incident?

The first few days

It is likely that the third party will at first attribute problems to common-or-garden IT issues and outages before realising that they are suffering a cyber incident such as ransomware. So to start with you might get simple "we are investigating an IT issue" messages in reply to tickets logged. At this point it is important to realise that, even once they are aware of the cyber nature of the incident, they are likely to be limited in what they can tell schools: there is legal risk, the risk of tipping off the criminals (who may still be in the environment), and the fear of sharing information which later turns out to be incorrect. They also need to prioritise managing the incident over managing communications with the schools affected. So for the first few days you should expect to hear little useful information, which can be very frustrating.

Issue identified

There will then come a point where the issue is identified. You might be told that a ransomware incident took place on a given date and that specific actions were taken, but, as before, you will get little other information. If you are hoping to learn which ransomware strain was used, how it got in, what exactly was done, which schools were impacted and so on, you will be waiting a long time. You will get enough information to be considered informed, but little beyond this.

It is now a school cyber incident, and the appropriate senior staff need to be made aware, although there is relatively little detail available to share. Ideally at this point you will already know what data is held in the impacted third-party solution; if you do not, the first step is to establish the extent and type of data potentially affected, and therefore the risk to the school. It is also worth considering the communications side at this stage: what message you might want to send to each stakeholder group, depending on the as yet undetermined impact of the incident. For schools this is about a reasonable measure of preparedness rather than rushing to share. It is a balance between pushing out comms too early, when you know little and what you know may later prove incorrect, and leaving it too late and being accused of not sharing information soon enough. There is no "perfect" answer; it is a risk-based judgement call made on the incomplete information available at the time.

At this point, knowing that there is a cyber incident and what data and school impact is possible, it may be necessary to consider an initial report to regulatory authorities such as the Information Commissioner's Office (ICO), as well as to the NCSC and Action Fraud, and it is also worth notifying insurers, who typically expect to hear early. Bear in mind that under UK GDPR the controller must report a notifiable personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it; the clock starts with the school's awareness, not with the third party finishing its investigation, and the report can be made in stages as more becomes known. A quick phone call to the ICO helpline for advice is an easy step which can be taken at this point and may both yield helpful next steps and evidence an attempt to take reasonable measures in response to the incident.

The first two weeks

We now move on to the forensic analysis, as hopefully your third-party vendor brings in an outside cyber security firm to pore over their systems, activity logs and so on to build as clear a picture as possible of the events and of what data might have been accessed or exfiltrated. Again, information is likely to be slow in being shared, again due to the perceived risks to the third party. It may be that they have nothing to offer beyond what has already been shared.

Again, it's back to risk-based decision making on comms. What needs to be shared, with whom, and when? This will very much depend on the nature of the incident: a major incident where data has been exposed needs urgent communications, whereas an incident which resulted in an IT outage but no data loss may not. My key advice here is to keep contemporaneous logs of activity and decision making so they can be used in later review. Knowing who contacted whom, when, and the reasoning behind each decision can be very valuable in establishing that the actions taken were reasonable, should the context of the incident change or new information become available.

Wash up

There will then be a point where the third party considers the incident closed, and where the update pages put in place for the incident stop being updated or are even removed. At this point there should be some summary of lessons learned from the incident and of future changes to processes, security measures and so on. If you don't receive such an "after action" report, it is important to press for one. You are unlikely to receive much specific detail on the incident, but you should at least receive a broad description of the issue plus some evidence of planned measures to prevent a recurrence, and therefore some reassurance that lessons have been learned and that actions are being taken. It is also worth checking your own records at this point: what the contract and data processing agreement actually required of the supplier in terms of breach notification and support, and whether that was met.

Conclusions

“Hope for the best but prepare for the worst”

For me the key thing is to prepare for these kinds of incidents in advance, and not just in terms of IT support staff but in terms of the wider staff body. A desktop (tabletop) exercise, where a scenario is played out, is the easiest way to achieve this, with SLT and other key staff involved. At the end of such an exercise everyone needs to be clear that, in the event of a serious incident, although we want quick resolutions these are often impossible or inadvisable, with police, insurers, regulatory bodies and cyber security experts all likely to contribute their views on what should happen and when. Constantly phoning IT for updates is only likely to slow the process down. We all need to be ready for, and aware of, the likely slow nature of the painstaking initial investigation and the even more painstaking, or is that painful, recovery operations. We also need to be clear about what may or may not be possible as we seek to return to "normal" following an IT incident.

That said, we also need to be proactive in identifying data which might potentially be impacted, preparing communications, preparing contingency measures and otherwise being as prepared to deal with the incident as best as is reasonably possible.

As technology becomes more and more important to the operation of our schools, I suspect we need to spend more and more time on preparing for the eventuality where it goes wrong, with cyber incidents being an increasingly likely source of this eventuality.

Phishing de-evolved

Phishing emails change over time as cyber criminals adjust their approaches to improve their success rates and achieve better outcomes. That means the type of phishing email schools and their staff have to contend with has changed over time, so I would like to share some observations on the changes I have seen.

Let's go back a few years, but not too many, so maybe 6 to 10 years. At that point I remember receiving phishing emails but finding them reasonably easy to recognise. The example below was an Apple-themed phishing email.

The identifiers are reasonably clear: the spelling and grammatical errors, the lack of branding, not to mention the sender's email address. I note it conveys a sense of urgency, an important tool in a cyber criminal's arsenal, but because it claims to come from a well-known organisation it relies on being believable, and to most users I don't believe it was. That's not to say that nobody would fall for it, as we are all susceptible to errors or momentary lapses in concentration.

Fast forward a few years and the cyber criminals got much better at making their phishing emails believable, branding them appropriately and even copying the styles of common productivity suites and other widely used tools. Below are just two examples:

Although these malicious emails were successful for a while, the issue for the attacker is that they have become common, and users in general are therefore more cautious around them. Again, some people will click on links, but most now either ignore them or treat them with great care. The commonness of this type of email may be part of the reason why I don't believe we fall for them quite as often, but I also acknowledge that phishing awareness training materials have increasingly focused on exactly this type of email, building up awareness of the need for care. So where next for phishing?

More recently I believe I have seen an increase in very simple emails rather than the branded type. These simple emails are more akin to those from 10 years ago, although they are actually even simpler and more basic. Being simple and basic, they avoid grammar and spelling errors because they contain so little text. They also tend to be made to appear to come from known individuals such as colleagues, which removes the need for branding. Additionally, because of their simplicity they look nothing like the big branded phishing emails, so they are less likely to set off users' phishing "spider-senses". Below is just one example:

Here the limited information lets users mentally fill in the blanks as to why this particular colleague might be contacting them and what it might relate to, and you would be surprised just how many of us can come up with a valid reason for a random colleague, friend or other acquaintance to reach out in this way. It goes right back to the psychology of urgency and of FOMO (fear of missing out), using these rather than technology to entrap users, a technique that cyber criminals have tended to be good at. In the above case the telling indicators of a phishing email continue to be the email address itself, which means looking beyond the display name to the actual address (and, where the message invites a reply, to the Reply-To address, which may differ from the From address), and the unexpected nature of the email, which should also be seen as an alarm bell.
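The "look beyond the display name" check above can be automated for a mail gateway or a reporting mailbox. The following is an added example written for this page, not code from the original post or from any product the author uses. It assumes a hypothetical school domain, a constructed staff directory and three constructed messages; it flags mail whose From display name matches a known colleague but whose actual address is not that colleague's, a Reply-To pointing at a different domain than the From address, and the very short body with an urgency cue that the simple-style phish relies on.

```python
"""Display-name impersonation triage for RFC 5322 messages (added example)."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the school's mail domain and a small staff
# directory keyed by name. In practice this would come from the directory service.
SCHOOL_DOMAIN = "example-school.sch.uk"
STAFF_DIRECTORY = {
    "Jane Smith": "j.smith@example-school.sch.uk",
    "Tom Jones": "t.jones@example-school.sch.uk",
}
# Cues typical of the short "are you available?" style of phish.
URGENCY_WORDS = ("urgent", "asap", "quick", "available", "right away")
SHORT_BODY_WORDS = 30


def normalise_name(name: str) -> str:
    """Lower-case, keep letters only, sort tokens so 'SMITH, Jane' == 'Jane Smith'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


DIRECTORY = {normalise_name(n): a.lower() for n, a in STAFF_DIRECTORY.items()}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings: list[str] = []

    # 1. Display name belongs to a colleague, but the address is not theirs.
    known = DIRECTORY.get(normalise_name(display))
    if known and known != addr:
        findings.append(
            f"display name '{display}' matches {known} but mail is from {addr}"
        )

    # 2. Replies would go somewhere other than the apparent sender's domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append(f"Reply-To {reply_to} is on a different domain than From")

    # 3. Very short body carrying an urgency cue (the 'simple' phish pattern).
    body = msg.get_payload() if not msg.is_multipart() else ""
    words = body.split()
    if 0 < len(words) <= SHORT_BODY_WORDS and any(
        w in body.lower() for w in URGENCY_WORDS
    ):
        findings.append("very short body with urgency cue")

    return findings


def is_suspicious(raw_message: str) -> bool:
    return bool(assess(raw_message))


# Constructed sample messages (not real mail).
LEGIT = """From: Jane Smith <j.smith@example-school.sch.uk>
To: t.jones@example-school.sch.uk
Subject: Timetable

Hi Tom, the revised timetable is on the shared drive. Jane
"""

IMPERSONATION = """From: Jane Smith <jane.smith.headteacher@gmail.example>
To: t.jones@example-school.sch.uk
Subject: Quick favour

Are you available? I need something done urgently. Jane
"""

EXTERNAL_REPLY_TO = """From: "SMITH, Jane" <accounts@parcel-notify.example>
Reply-To: jane.s@webmail.example
To: t.jones@example-school.sch.uk
Subject: Re: invoice

Can you call me? Jane
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("impersonation", IMPERSONATION),
                       ("external reply-to", EXTERNAL_REPLY_TO)):
        print(label, "->", assess(raw) or "no findings")
```

The name normalisation deliberately sorts tokens so that "SMITH, Jane" and "Jane Smith" collide; that trades a few false positives for catching the common surname-first variant. A legitimate colleague writing from a personal address will also be flagged, which is the right outcome for a triage queue: the point is to make the human look at the address, not to block automatically.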

Looking back, it appears to me that phishing emails evolved from basic emails to more complex and convincing branded constructions. They are now, however, "de-evolving" back to simplicity, taking advantage of psychology and of the ever busier world we live in; and in education, given the pandemic, I don't believe things have ever been busier.

I also think it is important to acknowledge that the first sentence of this post, about cyber criminals "changing their approaches" and seeking to "achieve better outcomes", would be at home in an email or document from a corporation or other organisation seeking to improve its success. Cyber criminals are behaving in an almost business-like manner, and given this we can only expect their approaches to continually change and adjust as technology, user awareness and user training develop. For the foreseeable future I suspect we will be continually engaged in a game of phishing "whack-a-mole".

So, what do we do about this?

I continue to believe that user awareness is the key. The more aware and vigilant users are, the better. Additionally, users need to be clear on how to report concerns or incidents, and the culture needs to be such that users feel safe reporting when they get it wrong; a user who clicked and says so within minutes gives IT the chance to reset the password and check the account before any real harm is done. My view is that we are all likely to get it wrong at some point, if we haven't already!

Cyber security and data protection awareness can't be seen as a static programme, a set training package or a yearly training session. It is dynamic, ever changing and ongoing, much as the attacks are; we need to see it this way and to deal with it with a similarly dynamic and constantly evolving approach.

A day in the life of a Director of IT

The below post was originally shared via the Association of Network Managers in Education (ANME) on 20th December 2021


Different schools use different job titles for the work that I do, and in addition, the specific tasks and requirements differ from school to school based on size, context, budgetary constraints and a variety of other factors. As such, I thought I would share a brief outline of a day in my life.

So, it’s Thursday, December 2nd and the day kicks off for me around 8:15 am when I arrive at the office and get set up for the day. My first port of call is to get email on screen plus my collection of daily web pages including my To-Do list, our help desk and other apps I need on a daily basis. One of the first things I look at is any alerts in relation to suspicious user account activity to see if there is anything that might merit my involvement plus also to make sure anything which requires logging is logged ready to be reported to SLT.

My next activity was a quick chat with our Network Manager in relation to some Wi-Fi usage data I had been looking at. We started gathering the data and analysing it in response to some general student complaints regarding Wi-Fi connectivity, however, the data doesn’t quite support the existence of a general issue, albeit individual students may have specific issues in relation to their devices, connectivity, or services which they are trying to access. Rather than requiring general action, these issues will require contact with the students to try and identify and resolve their specific, individual issues.

At 9:00 it's my first meeting of the day, with our Director of Finance. There are a number of current projects making up the agenda for our discussion, plus a discussion of cyber security issues and some recent infrastructure challenges we had been facing.

As is generally the case, the meeting is a packed one and, in this case, even runs beyond the allocated one-hour slot. Immediately following the meeting, I spend a little bit of time digesting the discussion and noting down any actions, making sure these are added to my To-Do list as appropriate.

10:30 and I am working on our annual IT Services perception survey. This is basically 3 surveys that go out to staff, senior school students and prep school students to gauge their experience and perception of IT Services and of our devices, infrastructure, etc. We have been gathering this info now for around 5 years and it is the longitudinal nature of the data, rather than the in-year data which is most useful as it highlights trends over time. I spend a little time preparing the relevant surveys and the associated communications that go with them, plus make sure to keep a number of key staff aware of the planned release of the surveys.

Following this, my next task relates to phishing awareness. We recently ran several awareness tests on small groups of staff whereby we sent a fake phishing email to them to see if they identified the email as malicious or if they fell for the bait. I now need to write up a short report on the findings from the most recent test so this can be shared with SLT for their info. This process has been useful in identifying the type of phishing emails that staff tend to fall for, which then allows us to direct awareness training to this area.

My department weekly briefing is my final task before lunch. This is a weekly document rather than a face-to-face meeting and serves to share thoughts, notices, etc with the IT Services team hopefully also serving as a record of activities, etc and as a repository of useful info. It isn’t a long task to create these each week as I tend to follow a rough template. This week’s briefing turns out to be a slightly longer one, but this is mainly due to sharing some of the positive feedback I had received in relation to the team’s recent activities.

Following lunch, I have meetings with the Head of IT at our prep school and our Director of EdTech for our senior school. I work closely with both; where their focus is very much on what happens in the classroom and the pedagogy, my focus is a little more on the technology, infrastructure, support services and cyber security. The key thing is that together we are able to provide a guiding direction in terms of technology use within the school, each able to bring our different experiences and skillsets to bear in discussions. Due to this, we make up a central part of the school's IT Management group, which also includes SLT members and a number of teaching staff. This week's discussions focus on the school's technology strategy and expanding on it so staff have a clearer understanding of it, plus on the now-launched satisfaction surveys.

The end of the day (5pm) is now fast approaching so I spend a bit of time continuing to work on my end of term report. I try to provide a termly report which contains useful data in relation to our infrastructure, systems, user support, etc. The purpose of the data is very much about transparency and making sure that the SLT is always aware of all the work going on in IT Services even when everything is working fine. It also serves to identify trends, opportunities, and concerns. I find the report particularly useful in continuing to build awareness in relation to cyber security risks. As much as possible I try to use readily available data to avoid it taking too long to process however, the reports still do take a bit of time to produce. In my view, they are however well worth the effort in avoiding IT Services disappearing behind the curtain until the next issue arises.

Reflections

Looking back, it was a reasonably busy day with a number of reports being written. I suspect this was largely due to the fact we were fast approaching the end of term but also the end of the calendar year and therefore some of these reports needed to be in before everyone broke up for the winter break. Cyber security was certainly high on my order of thinking, however, this is increasingly the case. Our technology strategy, which we recently updated, was also high on the priority list.

I suspect, although Directors of IT, or those in similar roles at other schools, are all travelling in roughly similar directions in terms of technology use within their school or schools the route taken can differ significantly. As such my day may look totally different to your day, but that’s not a problem. The key is that we each know in which direction we wish to go, and are taking the necessary steps to get there.

Pledges 2022

Once again it is time to write my pledges for the year and I note this year a number of people online suggesting they won’t be sharing any pledges this year due to current pandemic situation being stressful enough, without adding the additional pressure of trying to meet some well meaning targets set at the beginning of the year.    I can totally get this thinking;   If you look at my review of 2021 you will get a sense of how I felt I “survived” the year rather than making progress, growing or flourishing as I would have liked to.    As such I considered not sharing any pledges this year however I have decided to stick with it and share.   I share my pledges, most likely for my future self rather than for anyone else, although I hope you find some use or insight in my thoughts too.   I share these targets with clear understanding of how the last two years have been challenging, unpredictable and [forgive me for saying it] unprecedented, and the year ahead already looks like it will be no different.   But I will share my pledges nonetheless, albeit I may adjust my expectations accordingly.

So let’s get started:

Exercise and Health:

I have done very well in the last year with my exercising and general fitness and in particular with running.   My plan for this year is to try to maintain this, and to again manage 750km worth of running during the course of 2022.   Now I acknowledge this will very much be dependent on my health as illness will impact on my ability to run however, I think it’s a fair target.   I also note the maximum distance I have run to date in a single session has been 8km.   By the end of 2022 I would like to be able to complete a full 10km running session, even if this involves some periods in the session where I may slow to a walking pace.  

Another area I would like to work on this year is reducing my alcohol intake, so managing a month (30 or 31 days) without a beer. I suspect this will be a challenge, as for me a beer has always been key to relaxing or to helping with stress; however I am conscious that reliance can have a negative impact on health. As such I want to try to adjust what for me is a habit.

Wellbeing / Happy memories:

A key aspect when I reflect on the year past is those memories of positive or enjoyable events. This year I want to build in more of these, so more occasions where I do something outside my normal. This might simply be getting away for a break, or doing a new activity, or buying something memorable, but the key thing is to generate positive memories which will come to mind when I look back on the year in December 2022. I have already started considering possible ideas here, with a planned holiday already on the cards and a possible idea to do something a bit different in Dec 2022. That gives me at least 2 items, but ideally I want to have 6, so something to remember in each two-month period.

Reading:

My reading has become a bit of a habit, with a minimum of 12 books read per year; however it has become a habit which has lost some of the enjoyment and some of the learning, replaced by simple process. I would like to get back to enjoying more of my reading this year and to again learning more. As such I am only looking at reading 6 books this year, but including some non-fiction in there for enjoyment and being more selective of the books I read for learning purposes. I also need to be better at simply putting a book down where it isn't working for me. I hope to look back in Dec 2022 and to have renewed my enjoyment in the reading I have done.

Contributing:

This is something I want to focus on this year, continuing my current contributions to Technology in Education and Education more generally but also to the IT sector as well possibly.    This will include my tweets and social media contributions, my blogs and my podcasts plus my involvement in different groups including the Association of Network Managers in Education (ANME).    I also want to try to develop new opportunities and ways for me to contribute and share with others.

Work:

Lots gets done during the year, and I think that can be my problem in that I don't, at the end of the year, quite appreciate all the work and effort that has gone into all that has been achieved. As such, this year I want to take regular breaks to stop and reflect on all that is achieved and on the work required to make these achievements actually happen. Very seldom is any task in my role achieved simply; instead they involve meetings with stakeholders, planning time, implementation, fault finding and problem solving, adjustment and evaluation. I need to be more appreciative of this work, albeit it sits behind projects or tasks which appear simple when written down on a bulleted to-do list.

I think in my work life I am also seeking some new challenges.    For this I already have some thoughts and projects which will help here including a project in relation to contributing and sharing as mentioned earlier.   This very much comes down to me making things happen and is down to a bit of creativity and innovation on my part.

Conclusion

For the last couple of years three words have been in my thinking: prioritisation, entropy and reasonableness. When I look back from Dec 2022 on these pledges, I aim to have these words in my mind to ensure that the pledges here do not unnecessarily add stress to the days, weeks and months ahead. If I need to prioritise other things over the above pledges, if the world, my role, etc. changes unexpectedly, or if the pledges become unreasonable in the context of 2022, then not meeting them is fair and totally expected. That said, for me anyway, having the pledges provides an insight on my thinking as it is today, for me to reflect on once I reach the end of the year. It provides an outline for a planned direction, again for reflection, even if I end up not fulfilling some of the detailed actions. For me anyway, I think there is more benefit in writing this than there is a risk of it causing unnecessary stress for myself. But this is an individual decision we each need to reach.

2022 is another year. 2022 is another opportunity to feel positive about my efforts. And so, with this in mind, I need to make 2022 the year I want it to be. This makes me think of Covey's circles: I shouldn't allow that which I can't control or change, my circle of concern, to impact on my happiness and sense of progress. I should instead focus on that which I can control or change, my circle of influence. And with that in mind, it's onwards and upwards!