AI in education

Last week I presented at an event for schools, speaking in relation to AI in education.   As such I thought I would share the main points from my session.    Now the session itself was broken into three main sections, being some context, the short term implications and the implications beyond the short term. 

Context

The first point I made was on the current post-ChatGPT discussion in relation to AI, and how AI itself isn’t new. In fact solutions we use in everyday life, such as Siri and Alexa, Google Maps and search, and facial recognition, all make use of AI. Although generative AI began to be so easily accessible in ChatGPT in November of 2022, AI had been around for quite a while prior to this and had already formed a big part of our lives. I also acknowledged that independent of whether schools do anything in relation to generative AI, including ChatGPT, our students will largely already be using these solutions; an examination of internet traffic in my own school saw an increase in student daily use between Jan and March 2023, at which point we stopped tracking the data as generative AI started to appear in many different solutions. And this is a key point, that if schools do nothing, and leave the use of AI solutions to chance, both in the hands of their teachers and their students, AI solutions will be used whether this is appropriate, safe or not.

In looking more broadly at AI, I would suggest that it represents a continuum between extremes of narrow AI solutions, which are capable of a single activity, up to the holy grail which is AGI (Artificial General Intelligence), where the AI solution is capable of the broad spectrum of human activities. Where we are currently is heavily down the left-hand, narrow AI side of things and I suspect we will be there for a while. Looking at the responses of 350 AI experts in relation to when there will be a 50% chance of an AGI existing, 50% said this would occur in the next 40 years; however, to increase the confidence to 90% of experts, you need to look out to 100 years’ time. There is little consistency in the responses other than that almost all of the experts predicted AGI would occur at some point in the future.

The short term?

Coming back to the present day and the challenges of generative AI, it is also important to acknowledge the challenges in education more generally. A 2022 Teacher Wellbeing Index showed 59% had considered leaving the education sector during the year due to mental health and wellbeing pressures while 68% said volume of workload was an issue making them consider leaving the profession. And it is here that maybe AI can start to help in addressing some of the workload issues, and through this hopefully reducing stress and pressures on mental health. Through the use of AI, administrative burdens such as policy and resource creation, marking, parental reports, meeting minutes and reading of minutes, and many other tasks can be lightened. Now in all cases there still needs to be a human element to review, amend and improve AI generated content, but through humans working with AI tools we should be able to accomplish things quicker and easier.

And generative AI isn’t limited to the boring and administrative tasks, but can also help with the creative tasks, which in my case, I am not particularly strong at. Being a poet, artist, musician, videographer and similar has never been my strong suit; however, with AI I can create things which previously may not have been possible. Having asked ChatGPT for a poem on the impact of AI on education, for example, I was impressed by the output.

So what are schools to do?

I think the first thing is to acknowledge that AI comes with risks and benefits and that you cannot have one without the other. As such the first thing a school needs to do is have a discussion and establish what their risk appetite is. Does the school want to make the most of all the benefits of AI, and therefore is willing to accept some degree of risk, or is the school risk averse and therefore not willing to risk making use of AI? Once risk appetite has been established it is now possible to set some ground rules and guidance for staff and students and this is where schools need to put an appropriate policy in place in relation to AI use. This policy should cover things such as the legal implications, such as GDPR and data protection related, the ethical considerations and also how risks and benefits need to be considered. Equally any policy in relation to AI needs to be aligned with the wider school values and vision, plus needs to be regularly reviewed and updated. Now that a policy is in place, the next step is to speak to students and staff about AI, about the risks and benefits and about the policy requirements. Once basic awareness is in place, you can then begin exploring and experimenting with AI solutions including the many generative AI solutions which are now so freely available.

Beyond the short term

Moving beyond the now and the short term where we can clearly establish some steps which schools should be taking, we move into the more unpredictable future, where the questions are more questions for education in general, rather than things schools can easily individually action. 

One of the first challenges or questions relates to originality and we are already seeing this in the actors’ strikes and in a number of copyright actions being taken against Generative AI vendors. What does it mean to be original in the world of ready access to generative AI? The JCQ guidance for example states that “All coursework submitted must be the candidate’s own work” but does that mean a student can’t use generative AI to help or as a starting point, or a dyslexic student can’t get the help of generative AI? And to complicate matters even further, consider what being original might mean in the time of the Romans; basically you couldn’t write or say the same as someone else, but at that time there were fewer people in the world and little was written down for comparison. Now we live in a world with more people, writing more often and in more forms than ever before and that’s even before we consider how people might now use generative AI to create yet more content, much quicker than they did before. So what chance do we have in being original or presenting our “own” work? This is a big challenge for education, especially given our current system uses coursework as an easy proxy for learning.

We also need to consider how the fundamental process of education, with students going to schools, colleges and universities, may need to change. A perfect example is how students unable to study calculus at school can now meet the requirements of CalTech in relation to calculus through the use of 2 online platforms. Basically, students can prove their mastery online rather than in a school, then progress onwards to CalTech. It is likely therefore that new avenues of education progression, access to education and whole new programmes may appear as we move forward, but how will this impact the schools and colleges we have today? It may be in the future that they look significantly different to how they look today.

And the third of my future gazing thoughts, and the most significant in my eyes, is the access to online AI based tutoring for students. This potentially provides every student with 1:1 access to support for their learning rather than the division of a teacher’s time across the whole class. Additionally, this support is available 24/7/365. This will likely impact on the core subjects at basic learning levels initially, so basic maths, English and science in the first instance, before broadening out to other subjects. It may be this online personalised education which has the biggest impact, freeing up teachers to focus on some of the areas which have long needed time in the curriculum, but long gone without: mental health, resilience, digital citizenship among other areas. It will allow teachers to spend more time on the things which matter most about being human, having had time freed up by AI in relation to the things an AI can do reliably well.

Conclusion

AI is here now, so all schools need to act, as staff and students will use the available tools as they see fit if they do not receive any training or guidelines from the school. As such all schools, in my view, should have a policy on AI use within the school as a minimum. In terms of the potential of AI as is now available, I referenced my own use of Canva, ChatGPT, Midjourney and DALL-E 2 in the creation of my presentation and presentation content.

Looking out beyond the short term, things are not quite as certain with more questions than answers.  One thing I think we can be reasonably sure of is that AI’s impact on education will only increase and it may lead to some fundamental questioning of our current educational system and approaches to education.   And at some point in the future the singularity, where AI intelligence exceeds that of humans, will likely be reached and at that point I suspect the world, and education, may look very different to today.

ISMG Cyber Summit: Reflections

I recently undertook my annual trip outside of the education bubble and into the wider tech and particularly InfoSec world, attending the ISMG cyber summit in London.   Now my trip was largely uneventful in terms of my usual transport disasters although I note that Google Maps did make its best effort to send me off on a wild goose chase between the tube station and the event venue, but for once my common sense prevailed.  

The purpose of my annual trip outside education is to sense check where we are as schools in terms of cyber security, in relation to the wider world. It is also an opportunity to gather advice and best practice from industry. I note those in the room with me were largely senior security staff, rather than my broader role which encompasses security, plus they had budgets far exceeding anything any school will ever have access to for spending on technology, never mind purely on cyber security.

The day was very useful with a number of key topics coming out:

AI

Artificial intelligence was a hot topic during the course of the day particularly in relation to the increasing use of AI solutions within businesses, much in the same way we see increasing use in education.    The challenge and focus was on how we secure AI solutions against issues such as prompt-injection, poisoning of the training model and data exfiltration among other areas.    For me the key takeaway from this is that AI solutions are yet another area which organisations, including schools, need to consider and secure.  And as schools seek to use more AI solutions, including third party solutions, this risk will only increase.

Wellbeing during an incident

This particular issue resonated with me. IT teams often work hard behind the scenes, only becoming visible when there is an issue or when someone wants a new solution, new functionality, etc. And in the event of a cyber incident the stress largely falls on them to get things up and running. If the school, or other organisation, seldom recognises the hard work which goes into the normal working day, what hope is there during a cyber incident when they are working even harder and under significantly more stress? As such the wellbeing, mental health and general support for IT staff, and more broadly for all staff, is so key. How are we supporting wellbeing, and this has to be beyond the tick box efforts, the wellbeing working party, etc.? How can we evidence we truly are cognizant and focussed on wellbeing? Also, in the event of a high stress incident, how will we manage wellbeing? One suggestion during the event was to have a “chief care officer” during incident response, which was an idea I liked.

Ransomware and Third parties

Two of my key concerns from an educational IT point of view have been ransomware and third-party incidents. Both of these appeared as significant discussion points in relation to industry and enterprise organisations. Ransomware continues to be a common attack method in general while third party data breach also continues to be common. One particular presenter during the course of the conference talked about adding additional external solutions to monitor logs, etc, but thereby adding an additional vendor and vulnerability risk, as this third party becomes yet another vector through which an organisation’s data and systems might be compromised. Here is one of the key challenges in our attempts to improve our security resulting in layering of solutions, where each new solution may represent an additional risk and attack vector. This to me highlights the importance of governance over security, so that decisions of risk v. benefit can be appropriately authorised and accountability made clear; I note accountability was another discussion point from the event in relation to CISO liability, however I didn’t feel this quite impacts on schools.

Conclusion

Once again, this event proved to me that the challenges that impact on education are not limited or unique to education. They are issues which impact organisations across different sectors with only the context and resourcing varying across sectors. In the case of education there continues to be the issue of the limited resourcing in relation to cyber security in terms of the products but also in terms of the staffing and expertise; a bank might have a whole cyber team, however how many schools can claim to actually have even a single cyber security focussed professional? This, the large and varied user base, and the need for quite so many users to have access to sensitive personally identifiable information, means schools and other educational organizations will continue to be a focus for attacks for some time to come.

If I was to take anything away from the event it was that enterprises and schools all suffer the risk of a cyber incident. All we can do is limit the impact, and delay the inevitable. A bank spending seven figures on security might sound like the way forward but the reality is that all it does is reduce the risk, so spending huge amounts of money might make no difference in the long run; it is just a case of when rather than if. As such, for schools, the focus needs to continue to be on doing the basics in terms of user awareness, MFA, backups, least privilege access, patching and incident planning.

Software as a service: Risks

There are many benefits of software as a service. You don’t have the overheads or the server infrastructure, the software development and maintenance costs and a number of other costs, plus you benefit from the vendor’s ongoing efforts to improve their platform and add new usable functionality. So, what possible downsides could there be?

Data Protection

Where using software as a service, the data is often still your school data with the school as the data controller. As such the responsibility for data protection remains with the school but this isn’t matched by the control the school can bring to bear. Even after doing due diligence and reviewing terms and conditions, privacy, and data protection policies, etc, you are still reliant on the vendor doing what they say they are doing, and this isn’t always the case. And the first time you are likely to know about an issue is when something goes wrong and it is too late, such as following a data breach or following identification of data being inappropriately shared.

Which functionality

Another potential issue with software as a service is that you are reliant on the vendor’s direction of travel in relation to their solution aligning with school needs. It wouldn’t be the first time that a vendor, including some large vendors who will remain nameless in this post, has decided that functionality they have provided or a solution they provide is no longer on their roadmap, and therefore will be removed. This is ok if your school doesn’t use that functionality or solution but if you do you suddenly find yourself needing to find an alternative solution when users may be quite happy with what they have.

When it goes down

Linked back to data protection and control, another area in relation to software as a service where a school lacks control is when things go wrong and the service either ceases to function or functions poorly or improperly. At this stage a school’s only recourse is to raise the issue with the vendor and await a response. Sometimes this response will be quick and detailed, however more often than not it will be slow to arrive and lacking any detail. Now I get some of this in terms of dealing with software or hardware issues and needing time to investigate and being unable to provide a definitive timeline, etc, however communication matters and a quick status page update or a holding email never goes amiss. Sadly, more often than not I have found myself, particularly with EdTech vendors, to be met with a wall of silence.

Exit strategies

And one big issue in my view, is often the lack of or near impossibility in some cases of an exit strategy.    Ideally a company may change its functionality significantly, might cease to be a going concern or might suffer a significant issue or data breach, all requiring the school to exit and find another vendor.  The challenge however is that some solutions such as the Management Information System or the Productivity Suite for example, are so engrained and part of the day-to-day operation of a school as to be very difficult to exit from.    The change costs are massive and the new solution, being new, is a partially unknown quantity, and hence we stay where we are, until we can’t.

Conclusion

Software as a Service is the life blood of technology in schools as schools simply cannot support and manage on-site hosting and/or in-house solutions development.    It offers so many benefits that enhance the learning experiences for students plus the efficiency of staff yet as with all things there is a balance.   Very seldom is anything positive without any downsides.

A compliance approach to AI

I was browsing the internet looking at recent news and I spotted the below at the bottom of a particular article:

This got me thinking, is this the way of things, that we will start seeing notes at the bottom of articles, blog posts, etc, stating that “this was crafted with the help of generative AI tools”.   It feels ok from a transparency point of view, in that the organisation in question is being transparent as to how the article was created but could this simply be to absolve them from any issues arising from bias or inaccuracies resulting from the use of an AI solution?    Also, what about those less scrupulous organisations;  will they bother to let us know about the use of a Generative AI (GenAI) solution or will they simply post articles quickly and easily without any due care and attention?

Taking this and considering the implications for education, what if students took the same approach and simply put in their referencing that their coursework, thesis, dissertation or other work was “written with the help of generative AI”.    Would this be acceptable?     I feel this is all falling into the trap of compliance;   The author of an article or the student, ahead of submitting their work, simply puts the statement in place so they can tick a box and say they are compliant and transparent when in fact they have told the reader or marker very little.    How much “help” did the GenAI solution provide?   Did it provide the basic outline to start with or did it write the whole thing, aside from a couple of minor sentence changes?   The extent of the “help” matters greatly!  Or does it?

I suppose the key question here is why do we need to know if GenAI was involved in the creation of a piece of content? Is it due to the fact it may contain bias and inaccuracies? I suspect not as I would expect a journalist or editor to take responsibility and check any GenAI content before it is published. The same goes for a student, I would expect they have thoroughly checked the work before handing it in; it is their responsibility not that of GenAI. Is the reason we need to know due to an uncomfortable feeling in relation to AI created content? Consider reading two pieces of text providing a summary of a sporting event; if you were told one was written by a human and the other by a GenAI solution, would you have a preference and where does this preference, which I suspect would be towards reading the human written work, come from? Is the reason that we need to know that the work is the work of the student or author so we can direct our praise or complaints? But do we acknowledge the word processing software used, the web browser used for carrying out research, the laptop the content is typed on? Is AI a tool in the creation of the content or is it more than just a tool? If the piece of work produced with the help of GenAI, be this help little or significant, is a good piece of work does it matter? We used to focus on mental arithmetic, considering the use of a calculator to be cheating, yet now a calculator is just a tool we can use to help with maths; how is the use of GenAI any different?

I worry that the newspaper that placed this little rider at the bottom of their article is approaching the use of GenAI far too superficially without considering the wider impact. There are many unanswered questions in relation to GenAI with a small number of them presented above.

Or maybe I just need to accept that at least they have made an effort and a start as to how we become more transparent in the increasing use of GenAI in the creation of online content?

References:

Woman wins £2million house in competition but only receives £5,000 due to small print (msn.com)

Cyber, schools and week 1

The first week of the 2023/24 academic year has now been completed and during this first week I have been made aware of 4 different schools having cyber incidents reported in the press. I think this highlights the risks that schools face in relation to cyber security/resilience and possibly the fact that cyber criminals may focus more directly on schools, and education more generally, at key points of the year when they are likely to have a greater chance of their attacks succeeding, such as at the busy start of a new academic year. So what can schools do to reduce the risk?

I cannot speak to the 4 incidents as I don’t know sufficient details as to the nature of the attacks and incidents however there are generally actions which I believe schools can take which can reduce the risk.    Given below are the 5 things I would say are the priority areas:

  • Staff Awareness Training

In the vast majority of cyber incidents a human is involved at some point, and usually towards the start of the incident. Whether this is giving away user credentials following clicking on a link in a phishing email, using a weak password or misconfiguring a solution, our staff are both our weakest point but also our best defence if properly trained. And this training needs to go further than simply a session at the start of the year. It may include this start of the year session but it must include advice, stories, examples and other awareness content throughout the year; little and often. Whether it is videos to watch, information given in morning briefings or content in newsletters or other regular documentation, awareness content should be delivered often and in different formats and media. I also think one way to help get the importance across is to focus broader than the benefit to the school and highlight that good cyber hygiene is important for our daily lives and our interactions with the many digital tools which we use.

  • MFA (Multi-Factor Authentication)

Phishing and credential theft resulting from phishing attacks continue to be a common attack method. As such anything that reduces the risk of a user’s credentials being compromised is important. Multi-factor or two-factor authentication is an easy method of reducing this risk. Cyber criminals may get your password through guessing or a data breach of another service, where you have re-used your password, but without the 2nd factor, such as the app on your phone, they are unable to get into the account. Now I have heard many raise issues about using their personal phones for this purpose and about having to install an authenticator app on their own phone. I get this but there is no cost as we almost all have smartphones these days and the cost of not having our school’s accounts secured, the risk to all staff’s personal data, to student data, to parent data and to all the other data a school may hold, never mind to students’ coursework and other critical learning info, surely outweighs the downside of having a small authenticator app installed on the personal phone you already have? For me, all schools should have MFA enabled for any user who needs to access data from away from the school’s network. Note, if only accessing accounts from the school’s network, the fact that the account can only be accessed from the network, and not from home or elsewhere, counts as a second factor.

  • Backups

We need to accept that a cyber incident will happen at some point in the future and at that point we will need to find a way to quickly and safely recover our IT systems. Backups are key to this. As such it is important to have backups in place and the 3-2-1 rule is a good rule of thumb; you should be keeping 3 backups, in two different mediums (e.g. HDD and Cloud or HDD and tape) with 1 being offsite or immutable. It is also important to note that your backups are of no value or use until the point when you need to recover them, so it is important for you to test that you are able to recover from your backups when you need to following an incident. It is also important that those who would need to conduct the recovery are familiar and comfortable with the backup process such that when under high pressure following an incident they are comfortable with what they need to do.

  • Patching

If cyber criminals didn’t gain access via a compromised user account then the other way they may gain access, or maybe the 2nd stage of their attack following compromising a user account, might be to exploit a vulnerability in software. This is all the more likely if you haven’t patched systems where these patches often contain fixes for known vulnerabilities which cyber criminals may already be actively exploiting. By regularly patching software, including operating and application software, we reduce the risk of a known vulnerability existing within our network environment. This includes the need to patch or update end point devices such as laptops, tablets and printers. Now this can sometimes be difficult as it may result in downtime, either waiting for a server to reboot, or waiting for a device to restart, however it is important. Being pragmatic, and given the fact it may often be impossible to patch all devices, servers and systems, the key is to identify which devices or systems are most important in terms of the operation of the school or the sensitivity of the data contained on them, and seek to do these first. Every newly patched system represents a reduction in risk, so patching 1 server is better than worrying about which of 60 servers to patch, but patching none. Every small step matters.

  • Least Privilege Possible

It is important to reduce the access rights of users to what they really and essentially need. This includes things like remote desktop access. If using Office 365 or Google Workspace do users really need remote access? Also your administrative credentials; do your IT team need high level access all of the time or can they use Privileged Identity Management (PIM) such that they only escalate their privileges when needed? And when technicians are logging into PCs are they using credentials with Global Admin access or a separate set of credentials? The more we can reduce the access rights provided to users the less access a cyber criminal will gain should they compromise an account.

Conclusion

We have to accept that all organisations will suffer a cyber incident at some point in time, with this being all the more the case in education where the diverse nature of users’ technology skills, the number of users, the diverse range of systems and the limited investment in cyber security and resiliency all come into play. The key thing though is that we need to make it as difficult as possible for the cyber criminals and the above 5 areas to focus on will help do just that.

I am hoping the 4 schools suffering incidents in the first week just relate to the busy nature of things in the first week, and that things will settle down over the coming weeks, however I suspect these 4 schools are just the start of the list of schools which will suffer incidents in 2023/24.

First day of term: A Director of IT’s view

So, Monday this week marked the first day of the Autumn term and the new 2023/24 academic year and it was the usual very busy start to the year for myself and my team. I suspect IT teams working in schools, colleges and universities across the world will find it the same when staff and students return. Forgotten passwords, new devices, new requirements and services, the fog of the summer holiday period meaning people can’t remember how to do or find things on the school’s intranet or learning platform. All of these issues suddenly appear on day 1 and the first week, meaning from an IT point of view it is probably the busiest period of the year. As such I thought I would share some of my and my team’s day.

Lots of issues continue to be reported via email as email is a fire and forget medium. As such a fair part of my day was spent reviewing and responding to emails. Despite my best efforts, by the end of the day my inbox contained around 300 emails yet to be reviewed or requiring action; I try to only keep the emails in my inbox where they are unread or where they require action. I hate to think how many emails would be in my inbox if I hadn’t allocated small amounts of time throughout the day to review and action.

Part of the school’s programme at the start of the year involves a school service at a local cathedral. This is always an amazing event and a great way to start the year. This was due to happen on the Tuesday, however over the weekend the actual programme for the service had yet to be finalised. As such I popped down to our reprographics office to provide some support to our reprographics manager who would be responsible for trying to turn around thousands of printed programmes within the day. As it was, the finalised programme arrived just after 9am with the whole run completed by mid-afternoon thanks to the hard work of the reprographics manager. Meanwhile my creative technologies team were in the cathedral itself getting all the audio visual equipment in place to allow for screens to help attendees see clearly what was happening even if sat at the back, to allow for recording of the whole event and to provide the necessary audio setup. The whole event is quite a logistical endeavour, however it is brilliant in marking the start of a new academic year.

Back in the office and the team are hard at work supporting users including both staff and students.   A quick look at the IT ticketing system at the end of the day shows almost twice as many tickets being logged as is usual and this doesn’t include a record of the many students and staff who simply physically came to the IT office for help.   Issues ranged from new students not knowing how to log in to the Wi-Fi, students having forgotten passwords, staff and students with new devices where their old device was the one setup for MFA, and many other issues.    If variety is the spice of life, there was certainly plenty of variety in the issues, albeit there were also a fair few of the usual issues common for IT teams at the start of a new academic year.

As part of a new project this year we had a photographer in doing photos for a number of our year groups rather than my team being involved in this.    Just after lunch I popped across to see how they were getting on given they had around 700 to 800 photos to do within the day.    As it was the company confidently worked their way through the students, largely due to their experience in doing the same with other schools, and the new photos were uploaded to our school management system before the end of the first day.

I had also put aside some time on day 1 for a couple of more significant projects.    I find if I don’t allocate time to significant projects, other less pressing issues seem to deplete my available time.    One of these projects is in relation to some data analysis using PowerBi.    I continue to see PowerBi as such a powerful tool and can only see this growing over time as we gather more and more data, but need to find value in the data, where BI can help us visualise and explore the data and therefore hopefully find the value we seek.     The second project I was working on was in relation to a conference I will be speaking at later in the month where I will be discussing AI in education.   I had some rough thoughts on the content of the presentation but had put some time aside to flesh these out noting that the organiser is asking for a presentation to be provided in the next week.    I will admit I have a tendency to be working on conference presentations until minutes before I present, and I suspect this may be no different.

The day finished with a meeting discussing data and data analysis, setting things up for a meeting the following day to further explore the data and analysis requirements.

It was a long and busy day but also a productive one in many ways.   And this is all after a busy summer of IT infrastructure upgrades, client device changes and upgrades, systems development and other IT works.    The rest of the week will be similarly busy before things settle down a bit in week 2 and 3 as staff and students get into routines and as everything returns to the usual habits, ebbs and flows of a busy school.     

I hope all staff in IT roles in schools, colleges and universities survive their first days back and come out of it with minimal issues.    You all do a great job, often invisible to most users in the school, except when things go wrong.   This is the way of IT, if done correctly it is nearly transparent to the users, simply being there and adding new possibilities to teaching, learning, school administration, etc.   Without you this wouldn’t happen, so keep up the great work!

Password: getting the basics right

During the last week I had the opportunity to present a number of cyber security sessions for staff ahead of the start of the new academic year.   This is part of a programme of awareness development.   This year I have made a change in presenting the sessions as something related to our online activities in general, such as in our private lives, as opposed to something focussed on school systems and data.    I think this is an important change in that good cyber practices in staff and in students protect them in everyday interactions online, whether they relate to school accounts and data, or not.   One of the key discussion points in the session is that of passwords, which still remain the key method of confirming our identity when accessing online systems and data, whether these are the school MIS or personal email or social media accounts.

When we create our passwords for online services we are almost always presented with the need to include an uppercase character, number and a special character.    One of the things I ask in my cyber sessions is for attendees to think about a password they use and whether it includes an uppercase character;  Invariably, due to so-called “password strength” requirements an uppercase character is included.   I then, however, ask if this character happens to be the first character.   Largely this is the case and unsurprisingly so given this is how we write with the capitals at the start of sentences.    I then ask about numbers, and if they have included a number in their password.  Again, invariably this is the case due to password strength requirements however, again I follow this up with a question in relation to whether this is the last character and again this tends to be true.    The point I am trying to prove in my session is that as human beings we have a tendency towards being predictable.

From a cyber crime point of view the more predictable we are the easier we are to hack.   If we use common passwords, if we use passwords linked to public information criminals can easily access and even if we use common patterns such as having the capital letter at the start and number at the end, all of this makes hacking all the easier.   The more unpredictable or random our passwords are, the more secure we will be.    This is why the NCSC’s guidance on three random words works so well.   It creates a password with randomness built in;  the random part of three random words.   Yet, the resultant password is still easy for us to memorise, being that we simply need to remember three words.   The other key factor is it generally produces a password longer than we would normally create where a password’s strength, from the point of view of cracking a password leaked as part of a data breach, is directly linked to the length of the password.    The longer a password is, assuming it is random and not predictable, the stronger it is.   And this is one of the key points I make in my sessions, that the biggest indicator of password strength, again assuming the password isn’t predictable, is its length.

I also note the risks related to password re-use using the story of a staff member I knew who fell for a phishing email resulting in them disclosing their AppleID email and password.    When they came to me the first suggestion I made was to use the recovery functionality which would result in an email to the email account linked to the AppleID.   It was at this point that the staff member found they couldn’t access the personal email account they had used either.   The criminals, upon getting the AppleID credentials, had tried the password with the email account and found it worked.   They promptly then changed the passwords on the email account and AppleID thereby locking the staff member out.   This story perfectly illustrates why we shouldn’t re-use passwords, or at least where we should avoid re-use of passwords with services which are important to us or where they might hold high value or sensitive data.    It is at this point that I mention the use of Multi-Factor Authentication as a valuable tool for protecting accounts plus the use of password managers to help manage the increasing number of passwords we all now have.

Passwords continue to be a key feature of our efforts to protect our online accounts, our data and our online digital footprint and profile.   Appropriate care in relation to passwords is one of the key basics we all need to get right if we are to reduce the risk of cyber incident and/or minimise the damage when an incident happens.    It isn’t a fun, sexy or particularly technical method of protecting ourselves online, however it is something we all just need to consider and get right.

Review of 2022/23 in photos

As another academic year begins I thought I would have a quick look back over the photos I have taken throughout 2022/23 to see what highlights I might be able to pick out.    The below image is some of the highlights:

August 2022 saw me having a family holiday abroad which was a pleasant way to relax and prepare for the year to come.     Following the usual busy first half of the autumn term I found myself visiting Meta’s London offices for an online safety event, the first time I had ever visited their offices, before then travelling up to Birmingham for the Schools and Academies show where Abid Patel presented me with an Irn Bru Xtra just at a point where my supplies of the Bru were running low.    Timing is everything! It was a busy couple of days and a lot of travelling but worthwhile in the end.  Later that month I then led the South West ANME meeting;  I think this was the first ANME meeting I had led.   It was enjoyable to contribute to discussion and to share with other schools from across the Southwest.  It would be nice to see more schools involved however the geography of the Southwest makes this challenging.

January saw myself and Ian Stockbridge begin our In Our Humble Opinion (IOHO) podcast after over a year of discussion without getting anything off the ground.   Having started the podcast the Microsoft event in Reading proved an ideal opportunity for Ian to sport his IOHO branded T-Shirt.     March saw me in London for the BETT event, however also using the opportunity for a day off to spend in London, including a quick visit to Madame Tussauds for my selfie with a Stormtrooper.   May saw a trip up to Leeds to present at an Elementary Technology event alongside Kalam from British esports, discussing esports and schools.   A great event albeit my journey up to Leeds wasn’t short of my usual challenges with significant train delays. I was then involved in a similar esports session, this time with Tom from British esports, along with a cyber resiliency session at the ISC digital event in June.   It was great to present, but also to be involved in the organising of an ISC digital conference especially given the extended delay between the previous ISC event and this one.   Here’s hoping that the ISC event once again returns as an annual event.

The end of the academic year finished with the 2nd LGfL event in London and a good opportunity to catch up with some of the ANME team, among many others.   I then, as the holiday period began, took a trip with my wife to London for a few days relaxing and exploring London, including engaging in a bit of Morph hunting.   I will admit to finding wandering around London with a limited plan other than to amble around and have a few drinks, very relaxing. The weather was also surprisingly nice which makes all the difference.

To be honest, the photos above are only a small number of highlights representing a busy academic year.   Here’s to 2023/24, new challenges, new opportunities and another positive academic year.  I wonder what photos I will have to look back on a year from now?

KCSiE: Filtering and Monitoring

I was recently reviewing the new Keeping Children Safe in Education (KCSiE) update including the main changes which relate to filtering and monitoring.     I noted the specific reference to the need to “regularly review their effectiveness” and also the reference to the DfE’s Digital Standards in relation to Filtering and Monitoring where it mentions “Checks should be undertaken from both a safeguarding and IT perspective.”

The safeguarding perspective

From a safeguarding point of view I suspect the key consideration is whether filtering and monitoring, and the associated processes, keep students safe online.    So are the relevant websites or categories blocked and do relevant staff get alerts and reports which help in identifying unsafe online behaviours at an early stage, whether this is attempting to access blocked sites or in accessing sites which are accessible but considered a risk or indicator, and therefore specifically monitored and reported on.

From a safeguarding perspective it is very much about the processes and how we find out about students accessing content which may be of concern, or attempting to access blocked content.   From here it is about what happens next and whether the holistic process from identification via filtering and monitoring, through reporting to responding is effective.   Are our processes effective?

The IT perspective

From an IT perspective, in my view, it is simply a case of whether the filtering and monitoring works.   Now I note here that no filtering and monitoring solution is fool-proof, so I believe it is important to acknowledge that there are unknown risks including new technologies to bypass filtering, use of bring your own network (BYON), etc.    Who would have thought a year ago about the risk of AI solutions to create inappropriate content or to allow students to bypass filtering solutions?

Having acknowledged that no solution is perfect, we then get to testing if our solution works.  Now one tool I have used for this is the checking service from SWGfL which can be accessed here.   It checks against 4 basic areas to see if filtering is working as it should.    

I however wanted to go a little further.   To do this I gathered a list of sites which I deemed as appropriate for filtering, gathering sites for each of the various categories we had considered.   I then put together a simple Python script which would attempt to access each site in turn before outputting whether it was successful or not to a CSV file for review.   The idea was that this script could be executed for different users and on different devices;  E.g. on school classroom computers, on school mobile devices, for different student year groups, etc.     The resultant response, if it matches our expectations for what should be allowed or blocked, allows us to evidence checking of filtering from an IT perspective, plus allows us to identify where there might be any issues and seek to address them.     

You can see the simple script below where it tests for social media site access;  You can simply add further URLs to the list to test them:


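import requests

# Sites the filter is expected to block; add further URLs to the list to test them
website_url = [
    "https://www.facebook.com",
    "https://www.twitter.com",
    "https://www.linkedin.com",
]

# One CSV row per site: URL, result
with open("TestResults.csv", "w") as f:
    for url in website_url:
        try:
            # A timeout stops the run hanging on a silently dropped connection
            request_response = requests.head(url, timeout=10)
            status_code = request_response.status_code
            website_is_up = status_code == 200
            print(website_is_up)
            # Any HTTP response, whatever its status code, is recorded as accessible
            f.write(url + ",Accessible" + "\n")
        except requests.exceptions.RequestException:
            # No response at all (connection refused, reset or timed out)
            print(url + " - Site blocked!")
            f.write(url + ",Site blocked!" + "\n")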


Now the above may need to be changed depending on how your filtering solution works.   I did consider looking at the URL for our blocked page however as the above worked I didn’t have to.  My approach focused on the return codes however if you do need to work with an error page URL I suspect this article may be of some help.
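For filters that answer with a block page rather than dropping the connection, the check has to look at where the request ended up and compare it with what was expected. The following is an added example, not the author's script: it uses the standard library's urllib instead of requests, and the block-page hostname, the 403 status, the example.* URLs and the sample outcomes are all constructed assumptions to replace with your own values.

```python
import csv
import io
import urllib.error
import urllib.request
from urllib.parse import urlsplit

BLOCK_PAGE_HOST = "blockpage.example.invalid"  # assumption: your filter's block-page host
BLOCK_STATUSES = {403}                         # assumption: status your filter returns, if any

def fetch(url, timeout=10):
    """Return (status, final_url, error) for one GET, following redirects."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.geturl(), None
    except urllib.error.HTTPError as exc:            # server or filter answered 4xx/5xx
        return exc.code, exc.filename or url, None
    except (urllib.error.URLError, OSError) as exc:  # reset, DNS failure, timeout
        return None, url, str(exc)

def classify(status, final_url, error):
    """Map one outcome to 'blocked', 'allowed' or 'unknown'."""
    if error is not None:
        return "blocked"   # same rule as the page's script: no response means blocked
    if urlsplit(final_url).hostname == BLOCK_PAGE_HOST or status in BLOCK_STATUSES:
        return "blocked"   # the filter answered with its own page or status
    if 200 <= status < 400:
        return "allowed"
    return "unknown"       # e.g. 404 or 500: needs a manual look

def run_checks(expectations, fetcher=fetch):
    """expectations: (url, category, expected) tuples. Returns one dict per URL."""
    rows = []
    for url, category, expected in expectations:
        observed = classify(*fetcher(url))
        rows.append({"url": url, "category": category, "expected": expected,
                     "observed": observed, "verdict": "PASS" if observed == expected else "FAIL"})
    return rows

def run_is_valid(rows):
    """If a control site (one that must be reachable) fails, the device was offline."""
    controls = [r for r in rows if r["category"] == "control"]
    return bool(controls) and all(r["verdict"] == "PASS" for r in controls)

def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

# Constructed outcomes standing in for real responses, so the example runs offline.
SAMPLE = {
    "https://control.example/": (200, "https://control.example/", None),
    "https://social.example/": (200, "https://blockpage.example.invalid/?c=social", None),
    "https://games.example/": (None, "https://games.example/", "connection reset"),
    "https://gambling.example/": (200, "https://gambling.example/", None),
}
EXPECTED = [("https://control.example/", "control", "allowed"),
            ("https://social.example/", "social media", "blocked"),
            ("https://games.example/", "games", "blocked"),
            ("https://gambling.example/", "gambling", "blocked")]

if __name__ == "__main__":
    print(to_csv(run_checks(EXPECTED, fetcher=SAMPLE.get)))
```

Calling run_checks without the fetcher argument makes real requests from the device and account under test. A run where run_is_valid returns False should be discarded, since every site will look blocked when the device simply has no connection.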

Conclusion

Before I used the script for the first time I made sure the DSL was aware;  I didn’t want to cause panic in a test student account which seemed to be hitting lots of inappropriate content over a short period of time, and in sequential order.    The script then provided me with an easy way to check that what I thought was blocked, was being blocked as expected.  As it turned out there were a few anomalies, some relating to settings changes and others to changes to websites and mis-categorisation.    As such, the script proved to be a little more useful than I had initially expected as I had assumed that things worked as I believed they did.  

The script could also be used to test monitoring, by hitting monitored websites and checking to see if the relevant alerts or reported log records are created.  

Hopefully the above is helpful in providing some additional evidence from an IT perspective as to whether filtering and monitoring works as it should.

AI in Education

The other day saw me attend a meeting at the Elementary Technology offices in Leeds, meeting with a number of EdTech legends (and me!) to plan an artificial intelligence (AI) conference event due to occur in October.    The planning event was a brilliant opportunity to discuss all things AI and education with some excellent and varied discussions occurring across two days.

In thinking about my personal use of AI it became clear to me that my own use is still short of what is possible, where there is such potential for me to make greater use of generative AI solutions in a way that will improve my productivity, my creativity and also hopefully my wellbeing through gains in efficiency.  

As I sat on the train on the way home typing this I considered how I might make better use of AI.   Now I could use it to help me write this post, however this post is very much a personal reflection, where AI can’t really help although I may be able to use AI to help adjust and improve the post following initially drafting it. I could also use it to create some interesting images with me in different locations or situations, which although fun to do, is unlikely to enhance my work day significantly.   So, what can AI help me with and how may I create situations where it is easier or more convenient for me to make use of AI?

In drafting emails, policies, reports or other documents I suspect generative AI can certainly help.   Also in relation to the creation of presentations there is potential for the use of Generative AI, with Darren White demonstrating the impressive functionality in Canva in relation to creating both content and design within a presentation.   I suspect I may use this in preparing for some of the talks I am due to give in the year ahead.

The key though to achieving the benefits is in making it easier for me to use AI solutions at the point I need them.   My solution to this is to look to include ChatGPT and Bard along with some other AI tools within my “normal day” collection in MS Edge so that they are instantly opened when I begin my work day, ready to use as and when needed.    I also need to spend a bit of time investigating AI powered plug-ins which can put the functionality right in the browser ready to access.

The potential for AI is significant and the two days of discussion were definitely useful.   I now look forward to the actual conference event on the 3rd of October and to sharing thoughts and ideas with a variety of colleagues in UK schools/colleges and beyond.