End of term 1, 2021/22

And so the first term of 2021/22 has came to a close.   As such I thought I would share some short reflections on the term.   I am also going to share some reflections on the year as a whole in a later post, but for now I would like to focus on the term.

The first thing I will admit is that time has flown by.  I can’t quite believe it is now the 19th December as I sit and write this, and that the first term of 2021/22 has already came to an end.

September 2021

As the start of the new academic year approached, the pandemic impacted on my IT services team, with a bit of a “pingdemic” resulting in a number of staff self-isolating, awaiting PCR tests.   Thankfully everyone came back clear and this happened before the year began.    This year saw me join the school Executive Group meetings.    This should therefore help me in the ability to see what strategic decisions are being taken at an early stage.   It will also help in giving me a forum to raise cyber security concerns at a senior staff level.    I also contributed to The Access Group’s Access All Areas programme, delivering a talk on cyber security in schools.

September saw the first of the schools IT Management Group meetings, a meeting which I chair.   The first meeting quickly showed how busy the start of term was, as I repeatedly called a member of staff the wrong name during the meeting.  Clearly my head was a little bit turned.   I was so embarrassed by this, and disappointed in myself.

October 2021

Stepped in to run one of the schools esports sessions given the normal staff member was self isolating.   Had significant help from the technician on my team who has been great in getting everything setup and in supporting our esports provision.   It was nice to once again get in amongst students playing competitive games, something I used to do some years ago when I worked in colleges.  Following the session I have decided to explore running further sessions as part of the schools activities programme to try and support and grow our esports provision, with this hopefully starting in the new term, in January.

I also spent a reasonable amount of time this month discussing with individuals I wanted to join me on a conference panel session focussing on cyber security in schools.  This included an ethical hacker, a representative from the NCSC and also a representative from the ICO among others.   Sadly, the conference was later cancelled due to the ongoing challenges of the pandemic.

Related to the above I also spent time generating some short 4 or 5 minute videos focussing on Digital Citizenship and cyber security for use with staff and students.   I have finally learned not to spend too much time getting videos perfect and not accepting minor errors or “ums” and “ahs”;   The video just needs to be good enough.    By accepting this I am now able to produce the required videos much quicker.

November 2021

Intermittent issues with the schools core network switches were a growing issue in November.  The issue had started towards the end of September however progress to identify the issue and resolve had been slow, largely due to wanting to avoid downtime associated with more aggressive investigation of the issue.   By November, the fact that the issue hadnt been resolved, may having been starting to give some people questions as to my competence, and I will admit I was beginning to worry too, however towards the end of the month this issue was considered resolved and I think the decision making, to avoid any more substantial downtime was proven to be the correct one.    Often the only way we will know if IT decisions are correct is in the future when we look back, so decision making in the moment can be difficult and unclear.

For a while now we have been hearing of Wi-Fi issues in some school locations however the info which comes to us largely lacks the detail to allow us to investigate and diagnose the issue.   As such I decided to take a different approach and started pulling data from our Wi-Fi solution on a hourly basis, to get a more general picture of its health.   By the end of the month, we had significant volumes of data where the results, although not eliminating the existence of issues specific to a small minority of students, highlight that Wi-Fi generally functions well for the majority of students.

I visited the Schools and Academies Show in order to present at the co-located EdTech Summit event.   The show itself was a little bit like a small version of BETT.   The main benefit of the event for me was simply the ability to once again meet people in person, so gave me an opportunity to touch base with a number of ANME members among others.    Sadly, as normal, my journey wasn’t without drama as I managed to get on the wrong train at one point!   Normal service was resumed.

December 2021

A family issue took a fair part of…..no, actually, all of my focus, through a good part of December.   This included a trip to A&E followed by 8 hours there including attempting to get some sleep while sat upright on a stool.   Not the best experience.

Had also been exploring a possible Board level advisory position alongside my Director of IT position.   The university concerned was looking for someone with a focus on cyber security so this seemed like an ideal opportunity for me however upon review they sadly decided that I wasn’t quite what they were looking for.   I will admit that this disappointed me as the opportunity looked like it would be an ideal and slightly different challenge for me.   As such I need to continue looking for whatever my next challenge might be.

Conclusions

It has been a busy and challenging first term.    Combined with this I have had personal challenges to deal with plus some disappointment.    I feel this has left me feeling a bit drained and down at times with Xmas music on the radio being the last thing I needed to be hearing, despite the fact it is now almost Xmas.   Looking back, despite the challenges I have managed to progress through them and to achieve a number of things which I should be happy or even proud of.    I think I need a break and to decompress, and that will be the main focus for the Xmas period.    After this I should be ready to begin again, to begin afresh, when the spring term begins in January.

And so to all I wish a very Merry Xmas and all the best for the new year!

A cyber framework for schools

Over the last couple of years in particular I have been thinking about cyber security in schools and what schools need to be doing in relation to keeping their users, systems and data secure.   The issue I come up against is that there are a number of key variables which play on decisions reached in this area.  

Context

First there is the context a school operates in.   The available budget for example will have a significant impact on what is or is not possible in terms of cyber security.   And before anyone says it, I know money isnt the most important thing here, it should be student and staff online safety and the safety of their data.   That said, a school is a place for learning, and would we do less learning in order to be more secure?   This leads me on to my later point on risk appetite.    Also, within the context will be the number of students and staff, the volume and type of data being stored, the schools approach to technology (BYOD, School issued devices or limited IT labs), etc.   Each piece of the content impacts on the decisions which need to be made regarding cyber security.

Risk Appetite

This is key and I think something all schools need to discuss at a senior leadership level, with a clear statement as to risk appetite being established.   Basically, this is acceptance of benefit vs. risk in terms of technology use.    We might choose to allow BYOD due to it being more flexible for users and cheaper than school owned devices however it introduces lots of devices not managed by the school which comes with a cyber risk.    We might choose to allow users to be able to create their own Microsoft Teams to support flexibility versus locking this down and centrally creating everything, which is less flexible but more secure.   Time and time again we come up against decisions which balance benefits and risks, and our risk appetite will dictate how much risk we are generally willing to accept.   A greater risk appetite will generally result in greater flexibility and agility, therefore greater ability to respond to change, whereas a lesser risk appetite will likely limit flexibility and agility, but also limit risk.

Cyber Framework

Given the above and how this impacts each school differently I decided that my approach should be to create a rough framework focusing on the things I believe all schools should do in relation to cyber security.   Additionally, I also created an additional section for those schools where additional resources are available or for where additional risk factors may exist.

You can view the framework below:

Some additional points

Now since creating the framework I have had some feedback online which I thought I would address.    One point raised with me was the exclusion of web filtering for safeguarding from my framework.   I considered this but excluded as my focus was on cyber security and I deemed web filtering to sit better under safeguarding.   That said web filtering which filters out dubious sites offering illegal streaming of sports events or movies would have a positive cyber security impact in protecting users from potential malicious code which may exist on such sites. 

Change management was also raised with me;  This could possibly sit under the process or document headings in that there should be a documented and auditable change management process to prevent unauthorised changes which may introduce additional risk from occurring.   Such a process is very important indeed however is often lost in the need to solve problems and quickly adapt to changing situations in schools.

Asset and configuration management was another area that was suggested.   This highlights the need to know what assets a school has and their setup.   This is likely to be very important in the event of a cyber incident in terms of isolating the issue and in terms of the recovery process.   The more we know about a schools setup the quicker decisions regarding actions can be taken.

Physical security particularly in relation to servers and storage, but also in relation to devices was also raised.    The theft or loss of devices is something we need to increasingly consider.   In the event of loss or theft will the data contained in the device be secure and is it possible to remotely disable or even wipe devices?     Generally, though I feel this area is getting easier to address.

Conclusion

I don’t believe this framework is perfect however my hope is that it is at least a good starting point for schools to check their approach to cyber security and to decide on some next steps.   I also hope it starts discussions in school, noting that no sooner had I posted the first page, than suggestions, such as the above, arrived in terms of how it might be improved.   

I suspect I will need to revisit this framework as the cyber threats change and evolve over time but in the meantime, I think it’s a good start.

Technology and efficiency

Technology can make things easier or more efficient however as with most things, there is usually an opposing drawback or disadvantage seeking to balance things out.    

Take for example the recent plans by some Scottish schools to introduce the use of biometrics, and in particular facial recognition, to try and speed up its lunch queues (You can read more about the plan here).   Using facial recognition means that the student can be recognised as they arrive at the till allowing lunch staff to quickly scan foods items and apply to their lunch account, where the lunch account is topped up with credit by parents via an online portal.   This will likely save a few seconds in lunch staff identifying the student on their system in order to apply the costs.   A few seconds doesn’t sound like much but if you consider 600 students going to lunch each day, even a single second grows to 10mins saved per lunch period or 50mins per week or even over 3hrs per month.   The potential benefit is pretty clear, but is this enough?

Cost

The first, and likely most obvious drawback in any technology implementation is cost.  The cost of hardware, the cost of software but also the cost of planning, implementation, training and support.   In almost every technology solution there will be an additional cost to be considered and it will be necessary to examine whether this cost is worth the proposed gain of the technology solution.    And we need to be careful to ensure we look beyond the initial financial costs and consider the more long-term support, maintenance and replacement cost, the total cost of ownership.   In the case of facial recognition in school canteens, it might be easy to compare this cost against the improvements in service or even a notional cost saving in terms of time saving.

Cyber Security

The other factor which is almost always guaranteed to act in balance is that of cyber security.    Adding addition systems or solutions will likely increase the schools cyber attack surface and risk, even where appropriate risk mitigation strategies have been put into place.   It will also add complexity which again increases risk.   As such, cyber security needs to be considered in establishing whether the proposed gains are sufficient to outweigh any risks or costs.

Data Protection

Data Protection, which is linked to cyber security, is yet another factor that needs to be considered.   It is likely more data or different types of data might be stored as the result of the proposed technology change.  We need to be sure that we have processes in place for managing this, and that we continue to comply with UK GDPR or other data protection legislation.   In the case of facial recognition this is particularly important and one of the stumbling blocks impacting on the Scottish schools proposal.    We need to ensure that data gathering is proportional and reasonable to the purpose for which it is being gathered.    In the case of gathering facial recognition data of children, below the age of 18, it is questionable whether this data gathering exercise, which means gathering sensitive biometric data, plus relates to children, is proportional when the aim is to reduce queuing and waiting times at lunch.    Simply put, technology can bring about the improvement in waiting times, however in the form of facial recognition technology, it is questionable as to whether it should.

Conclusion

I often bleat on about balance.   Seldom do we make gains through technology use without there being some sort of trade off, cost or other balancing factor.    Financial cost is the most obvious of the costs however we equally need to consider the longer-term costs of support and maintenance.   Additionally, the cyber security and data protection related risks also need to be considered in detail before proceeding.   Just because technology CAN be used isnt enough;  we also need to ask whether it is right to use it, and whether it SHOULD be used.

Moving online: Some thoughts

The pandemic has forced so much of our lives to move online.   Meetings moved to Zoom, Teams or Google Meet so we could meet online.   Lessons and teaching moved online.   General working moved online.   And so did Continual Professional Development, with educational conferences and summits all moving to a virtual rather than face to face experience.   But what were the implications, benefits and drawbacks?  And what are the implications for training in schools using video content?

Benefits

The first clear benefit in moving conferences online was simply the fact that it allowed conference events to continue even where it was no longer possible to meet face to face due to the pandemic.    The last face to face conference I attended was Digifest 2020, in March, just before the 1st lockdown came into force in the UK, but since then I have attended a number of events all online.     It wasnt until the other week that I returned to a face-to-face event.   If the events hadnt moved online I would have missed out on the learning opportunities I have received through online events.

Access to events may also be a benefit in that virtual events overcome geographical boundaries where attendance would be difficult and/or costly to overcome if events are face to face only.   As such, on reflection, I may have accessed a more diverse range of opportunities because of the move to online events than I would have otherwise accessed had events remaining as they were pre-pandemic.

Drawbacks and Challenges

Motivation is one of the key challenges in my view in relation to online events.    I registered for several events over the last year, with these happily taking up allocated space on my calendar, reminding me of their existence.  Yet, when time came for a few of these events, the immediately pressing work I had to do meant that I didn’t always attend.   All I needed to do was click a link and maybe just listen in, or flick in and out of the event, but I didn’t even do this.   Had these been face to face events, this wouldn’t have happened.   I may have had to book travel or book accommodation; I may have arranged to meet people, or I may have planned activities in and around the event for before or after.   Basically, I would have had intrinsic motivation to ensure I attended to avoid financial or opportunity losses, beyond the loss of the learning opportunities presented by the event.   This intrinsic motivation just doesn’t exist to the same extent with online events.    I suspect event organisers will have plenty of data to show the drop off rate or non-attendance rate for online events is significantly higher than that for face-to-face events.

Video based training in schools

One of the key challenges for conferences is engagement.   We may create awareness or training materials but how do we ensure that teachers or other staff actually engage with the content, and watch it?    Having the content isnt enough if it isnt being watched or if it isnt then resulting in changes in teaching or other behaviours.    Personally, I don’t have an answer to this other than to suggest the below:

  1. We need to make the cost of watching low, by keeping content short and simple.   If the cost is high, it is likely staff will always prioritise other work which is immediately to hand over training materials which may have an unknown future benefit.
  2. We need to vary the content or style of materials such that they do not become boring or predictable.    Where content is always the same or presented in the same way it quickly becomes boring and predictable and therefore disengages users.
  3. We need to seek ways to engage users and make watching content worthwhile and interesting.  This could for example be through extrinsic motivation associated with prizes, electronic badges or department-based competition.
  4. We need to build in opportunities for collaboration and discussion beyond the content materials.   Content has a greater opportunity of sticking if it is internalised and discussing and debating with others is likely to be one of the best ways of helping this happen.

Conclusions

I suspect online events and online based training is very much here to stay.   If we consider it as simply another tool, I think this is a good thing, but I think we need to be careful of considering it as “the” tool.   I have long seen the enterprise world push staff towards online based training content, with staff complaining and then proceeding to find creative ways to complete the training without actually spending the relevant time or actually learning anything.   I have seen the same in some schools with data protection and even safeguarding training becoming an online tick box exercise rather than a valuable learning experience.

I am also a little concerned regarding the potentially high costs of developing lots of good training content only to receive limited engagement from busy staff.

I have a positive view regarding the potential, in an ideal world, of well-developed video and online training materials for use in schools.   I also have a realistic view to temper this, in relation to likely engagement given the busy lives of staff in schools.   Is mandating the number of hours content consumed per year per teacher a possible option?   Have seen this before, and I my view no, but let’s leave that one here for now.

For now online training and events are here to stay and for me, as long as they are part of a balanced programme of opportunities, also including face to face events, then I think this is a good thing.

What is the role of the IT Network Lead to enhance Teaching and Learning?

The below post is based on my recent presentation at the EdTech Summit in Birmingham, my first face to face conference in over 1 ½ years where I was asked to present on my role, which is effectively leading IT Services and how it fits into supporting and encouraging the use of technology in teaching and learning.

I think it is important to tackle this question by breaking it down a little;   The first thing I believe that is worth looking at is who should lead on the use of tech in relation to teaching and learning.    For me the answer to this is simply that it is unlikely that any single person will possess all the relevant skills and experience in relation to school strategy, technology, pedagogy, curriculum content, classroom management and a variety of other factors.    Leading technology in a school requires a team of people working together with the network lead, director of IT or whatever title is in your school, being one of these people.    So that maybe answer the overall question, that the IT network leads role is to work in partnership and collaboration with other tech leaders in a school to support, empower and encourage others in the use of technology within teaching and learning.

And what does effective use of tech in teaching and learning look like?    This is a really important question.   It is sometimes easy to consider tech use to be high impact, flashy, high tech, etc, but the reality of it is that good tech use should largely be transparent to the teacher and learners, being simply the natural way they do things.   So, it is important to acknowledge this and therefore accept that good technology use may be subtle and nuanced much in the same way as good teaching is, rather than something obvious that jumps out and hits you in the face.

And then there is the word “enhance”.    So, technology can bring more to the teaching and learning experience, making it better?    Am not sure how comfortable I feel with this and the possible implication than teaching without tech might be a lesser experience;  I believe great teaching can occur even without the use of tech.   Tech is simply a tool but a tool which brings with it a variety of options and a flexibility which may not have been as possible or easy to achieve without tech.    Borrowing from the SAMR model, tech could augment, an alternative word to enhance, modify or even allow the redefinition of learning.   The potential is beyond simply enhancement.   It is also worth acknowledging that we increasingly live in a technology enabled world, and therefore technology is likely to be the norm in the world beyond schools our current students will eventually be faced with.

In terms of the wider IT teams and their involvement, here I have a worry that IT teams are often the staff behind the curtain, invisible in their day-to-day efforts, until things go wrong.  This isn’t right in my view as IT teams work hard day in day out to make things work, to set things up, to manage and administrate and to ensure that technology simple appears to work.  The reality is that lots of work goes in on a day-to-day basis, even when things are working well and the technology has become almost transparent in its use in the classroom.   There needs to be greater acknowledgement of this and of IT staff’s role as partners in teaching and learning.    And this from someone who has been a teacher, a teacher and IT admin and an IT Director.

Conclusion

IT Network Lead, IT Manager, IT Director, or whatever you want to call them should be actively part of discussions regarding technology strategy.  They should be seen as partners in the process of teaching and learning using technology;   They may not necessarily bring the pedagogical knowledge or curriculum content knowledge, but they bring the technology knowledge.   And above all leading tech in a school is a team effort!

EdTech Summit 2021

It was March 2020 and I was attending the JISC DigiFest conference in Birmingham.  Little did I know that this would be the last face to face conference I would attend for over 1 ½ years, and it would November 2021 before I would once again venture to Birmingham this time for the EdTech Summit and Schools and Academies Show.   Reflecting back, it was to a year and a half of significant challenges but also massive progress in how technology is used in schools.

My trip to Birmingham this time was to present a session on the role of IT leads and IT teams in schools in supporting the use of technology to enable, enhance and even transform teaching and learning.    It was also going to be a chance to catch up with staff from other schools face to face for the first time in quite some time.    Notable in the catch ups were a group of ANME members plus Dave Leonard, Abid Patel, Osi Ejiofor and Tony Sheppard among others.

As to the event itself, a couple of messages or themes came out for me in the various talks I attended:

Investment

This was mentioned in the ministerial opening speech at the start of the schools and academies show.    Additional funding for schools.    For me some of this clearly needs to go into investment in technology to ensure we are ready for a future event like the current pandemic, but also to equip our students for the future and to allow schools to make use of technology to enhance and even reimagine the learning experiences students receive.    And linked to this point is the need for sustainability such that any technology put into schools has the required investment in the longer term to ensure the training, support and eventual replacement of hardware/software is all planned.

Collaboration

The importance and power of collaboration within schools and also between schools and other educational establishments was mentioned by a number of individuals.    I suspect the pandemic has encouraged collaboration as people share their experiences, their successes and challenges, along with their resources online for others to benefit from.   This is something we need to actively encourage and support going forward.    The best training is just in time training, and the best just in time training results from 1000’s of educators and school staff sharing and collaborating through the medium of technology.

Agility

The pandemic proved that schools, which generally are slow to change, can be more agile and change quickly to adapted to changing situations.    The pandemic forced such change.   Going forward though we need to be better at change, we need to be better at accepting “good enough” and we need to be like industry and seek greater agility.

Conclusion

As always I suffered my usual travel mishap as is customary, this time being rushing between trains following a train delay, and then managing to get on the wrong train.   This is the usual pain but on reflection the pain was worth it.   I got the chance to catch up with other IT and EdTech professionals, discussing a variety of matters, I got the opportunity to share my thoughts with an audience and to discuss my thoughts with a number of individuals following the session and I got to have a look at a variety of product offerings from various IT vendors.    I also benefited from the act of presenting which forced me to carefully think through and structure my thoughts in relation to technology and teaching and learning.  

Roll on BETT 2022;   See you there!

Is someone watching me?

The BBC recently posted an article in relation to remote workers being monitored in terms of their use of technology, when at home (You can read the article here).   Obviously, this issue has largely became pertinent given the pandemic and the various lockdowns which have resulted in individuals, including teachers, having to work from home.      The thought of your employer, school leadership or IT staff monitoring what you are doing seems “creepy”, inappropriate and an invasion of personal privacy but is it that simple?

A world of tracking

Before I look at remote working lets first consider the work devices used within a school and the monitoring that may be possible.    Within a school, especially larger schools, it is likely that school devices will have remote support software installed which allows for IT staff to remotely access a device in order to provide assistance without the need to actually visit the computer in question.   All well so far.    However, this functionality means it would be possible for IT staff to watch your screen and every action, every word typed, every social media interaction.  Now that sounds creepy already and we are only on school owned devices!

Your email and internet activity are also recorded.  For school email this likely means your emails are accessible by IT teams in terms of support but also in terms of compliance with GDPR legislation, to resolve Subject Access Requests, etc.   In terms of internet activity, although most data from and to websites are now encrypted, the timing of site visits, the sites visited, the device used, etc are all recorded.    And this happens irrespective of if you use a school or personal device connected to the internet via the schools infrastructure.

The above hints to the huge logs generated where IT systems are used, whether this be accessing the schools management system from a school PC in a classroom, or accessing MS Teams to deliver an online lesson from home.   As soon as we access the system information such as the device name, device type, username, time, IP address, etc are all logged.   And from this data further data can be generated, such as your IP address allowing for geographical information to be identified, albeit this isnt always reliable.    So, some for of tracking and/or monitoring will always be possible.

But what does it mean?

My view on this whole situation is that tracking/monitoring is unavoidable.   Data will be and must be gathered for the purposes of troubleshooting, auditing, legal compliance, etc.   So, the question becomes how do we manage the risk associated with the existence of this data?   And as to ability to access and monitor a specific user’s machine, and view their screen, again this needs to be possible to provide support so again it is about managing risk.

I think one of the key issues is that of transparency and acknowledging that data which could be used for tracking or monitoring purposes exists, and that remote access and screen viewing is also possible.   In doing so it is also important to be clear on the acceptable use of this data or these remote access solutions such as its use in trouble shooting.   In relation to remote access software, I also think it is important to have clear protocols in relation to usage and privacy, such as a requirement to request users approve before accessing a machine a user is currently using.    Access should also be limited on the basis of “least privilege” such that only those that truly need access and have a valid reason for access actually have access.

For me policy plays a key part in all of this.  In your Acceptable Usage policy should be clear indication of the creation of data and potential monitoring along with stated limitations as to where it can and cannot be used.    Additionally, I believe IT staff and those with admin access to large amounts of data, or to sensitive data, should be agreeing to a high-level access agreement which sets out additional requirements regarding their privileged access, plus sets out the higher level of penalties for misuse which comes out of increased responsibility.

Conclusion

As always, the newspaper article is a little bit sensationalist.   The reality isnt as simple.   Tracking and monitoring is possible, but the result of systems designed to support users and ensure systems which are robust and reliable, plus to ensure legal compliance, rather than for the purposes of invading individuals’ privacy.    As such the key thing is transparency and trust, with a little bit of policy thrown in just in case.

Social media: To legislate to control?

A lot has been made of online abuse and the need for social media companies to better monitor and police their platforms.  A lot has also been made of the potential need to legislate in relation to online abuse, but how easy, or not, would this be to achieve?

The internet

One of the big challenges is the internet itself and its distributed design.  It is designed such that no one user, company or even country has control.   It represents a single solution which crosses the national boundaries of most if not all countries in the world giving everyone the potential to use and impact on the internet.    This represents a particular challenge when looking at legislation.    A government might say that all platforms accessible in their country must abide by their legislation but what teeth do they have to enforce this when the company is based in another country.    And how do you stop users simply using tools such as VPNs to bypass local restrictions; Just one look online at forums related to expats living in countries with significant national filtering in place will highlight discussions of VPNs and other tools which can be used to bypass restrictions and the relevant legislation the restrictions are employed to enforce.  Or do a little digging into the ongoing piracy of video content and you will see this is a continuing problem despite efforts over a number of years to stem this issue.

Cyber security

If policing was to be properly established governments would need to be able to identify the users in country, their online identities, plus their online activities.    This has issues in relation to privacy and the safety of whistle-blowers and activists which I will cover shortly, however also represents a cyber security risk.    Such a database would be an enticing target for cyber criminals as a source of information which could be used for identity fraud and common fraud, but also in terms of blackmail or even attempts at coercion or subtle behaviour modification.   And we have already seen national identity databases in other countries fall foul of data breaches.

Anonymity

There is a genuine need for anonymity, where anonymity is often cited as one of the reasons for online abuse being so common online.   Activist and whistle-blowers rely on anonymity for their own personal safety.  Government dissidents in countries with authoritarian governments need anonymity.    There is also the concern that once a database of online user identities, tied to real world identities, plus online activity is created, albeit for good reasons, that it might not be used for less ethical or moral purposes in the future, or that its use might have inappropriate but unintentional consequences.    And this is before we consider the technical possibility of removing anonymity in the first place, something which given the internets design is fraught with difficulties including easy ways for users to bypass restrictions.

In relation to anonymity, although this feels like a key factor in online abuse, in my experience a large amount of the abuse is actually committed from users principal online accounts, those most likely to be identifiable back to a real life person.    The abuse either occurs as a result of joining a crowd, of being or feeling empowered by others to be abusive or of simply going too far spurred on by the ease and apparent lack of immediate consequence when using social media.    As such, maybe the issue of anonymity is a bit of a red herring.

Conclusion

I continue to see a lot of what occurs on social media as an amplification of the real world and society.    It is just that this amplification is that bit starker in its display of the ugliness which can occur in society.   I will however counterbalance this to some extent with how social media sometimes presents the very best we as a race have to offer.   I suspect a key reason for this amplification is that social media removes some of the risk factors and adds ease.   It is easy to be abusive to someone online especially when you know they arent likely to punch you in the face as they might do in real life.   It is also easy to be supportive, helpful and vulnerable away from the potential of embarrassment which may occur face to face.    It is however worth noting how very far we have come as a society compared with 100yrs or even 10 or 20yrs ago.    It is just that social media continues to amplify the small minority who have not progressed to same extent.

So, what are we to do about this?

I don’t have an answer other than to suggest we need to be aware of the amplification, be aware of others feelings, views, etc and be generally nicer to one another.   And I know that sounds a little soft and wishy-washy but I am not sure what more I can suggest.   Sadly, we also need to accept that the abuse emanating from the minority will likely continue, and we need to continue to take the little steps we can in challenging and sanctioning such individuals.   This will likely need to continue as little steps, one abusive user or group at a time; A leap to ban anonymity or heavily legislate social media is unlikely to be successful.

Developing User Self Sufficiency

I have previously written in relation to the large number of support calls received by IT departments in schools especially towards the start of the new academic year.   A significant portion of these calls relate to users forgetting how to do something using technology, with a number of these relating to what I would consider simple issues.    Using Windows+P for example is a common solution to the common problem of computer displays not showing on classroom projectors, instead showing only on the desktop monitor.  But should IT teams still need to deal with such simplistic issues in a world where Google can quickly serve up the answers?

Self Sufficiency vs. ease

I suspect one of the challenges here is simply ease.   With a good IT support team, a simple issue can be quickly solved with an email or a phone call, with little effort on the part of the user.   This ease of solutions, with every occurrence, reinforces that this approach is the easiest, most convenient and therefore the correct and preferable approach (for the user at least!).

A preferable solution viewed either from the long-term point of view or from that of busy IT support teams, is that users be able to fend for themselves, that they are willing and able to make use of Google to find solutions to their own problems.   Again, if this was to become the common approach, it would eventually reinforce itself as the best approach.   In doing so users would become more self-sufficient and resilient to issues, while IT support teams would be freed up to deal with the issues which are more technical in nature or cannot be solved through a simple Google search.   This always reminds me of the teaching approach used in primary schools of “C3B4ME” or see 3 before me, which encourages students to ask friends, search the internet, read books, and generally consult 3 sources before approaching the teacher in relation to a problem or challenge.

Part of the challenge in the above may relate to the cognitively demanding nature of teaching.   A teacher is considering content knowledge, pedagogical knowledge, the individual traits, and behaviours of each of their students, assessment (formative and summative), timekeeping and many more things in a lesson, so if the cognitive load can be reduced a little by fielding IT issues to IT support, I can see why this may occur.

Usability

I also think it’s important to acknowledge how system and app usability has changed over the years.   When I first started using IT most products, including productivity software and even games, came with detailed instruction manuals.   Now I will admit to not reading these and instead jumping straight it, which is how I suspect most people would have operated, but when you hit issues you had something to refer to as this was therefore you first port of call.    These days more consideration has been given to usability making the learning curve for many apps shallower than it may have been in the past.  Detailed instruction manuals are no longer provided as solutions are more “usable”.  This seems like a good thing, so why do IT support teams still get so many calls?

The general perception of usability is correct in general terms, but when looking at specific solutions in schools it may not hold.   So, a user might have been able to work out TikTok and Facebook on their own with no help but when they hit the schools management information systems (MIS) they struggle.   The MIS is then saw as highly specialised, which to an extent it is, so this merits a call to IT support rather than a look at the help tools or a Google search.

What are IT Services for?

The other question I have in relation to this issue is, if users do become more self sufficient and solve more of their own problems, what does this mean IT Services teams will be doing?   As I mentioned earlier, I believe they would simply be freed up to focus on more technical issues which can’t be easily solved through the support of Google.   I also think the extra time available would also allow them to spend more time looking at how to better use technology, rather than simply repeating the same solutions to repeatedly occurring simple issues.

Conclusion

The challenge for IT teams of encouraging user self sufficiency while still being helpful and user focussed is an ongoing and long-term challenge.   Human habit, ease and user confidence are all wrapped up in this, making the challenge very much a human rather than technological challenge.   This is an important consideration and to me highlights the need to focus on a longer-term plan and the little day to day actions, including the potential to “nudge” behaviours towards the intended outcome of improving users technological self-sufficiency.  

Ultimately IT teams in schools want to see technology used to maximum impact.   I think developing user self-sufficiency in relation to technology, and likely user confidence as associated with self-sufficiency, will help us better achieve this.

Building user awareness

When thinking about cyber security the first area I always put first is developing user awareness as to the risks and what they need to do should they make an error.  Given that most data breaches tend to have user involvement at some point in the incident, often at the beginning, it seems logical to focus first on user awareness, but how do you build user awareness in a busy school?

The old inset model (Compliance)

This is the model by which the training is put on once per year likely at the start of the year with everyone in the school forced to attend.   For me this approach is more about compliance than about improving awareness or understanding.    It makes it easy to prove that all users have been “trained” as you can point to an attendance sheet for example, however in the busy world of schools it is likely a fair part of your audience will be focussing on other tasks rather than the content being presented.   It doesn’t necessarily result in users being more informed and aware of cyber risks than they were prior to the session.  This approach also fails to take into account the constant evolution of cyber threats and the cyber threat landscape.    As such, this model of the once per year training event is no longer sufficient on its own although it still makes for a useful approach when combined with other approaches.

Regular communications and updates

My favoured model of cyber awareness development can be summarised as “little and often”.   I make use of the schools regular bulletin to share examples of phishing emails received in the school, plus tips on how to identify them.  I am increasingly making use of video to share short presentations of 3 or 4 minutes long outlining emerging risks or emerging trends.    The key for me is to make cyber security awareness content something that all users consistently come into contact with on a weekly basis.   Hopefully by doing so they will be more concious of the risks.  Basically, I am using the availability bias to hopefully develop user awareness.

I will also note one important thing here is to vary the content as if the content is always the same it may eventually become ineffective.  As such I use a mix of my own video content, NCSC and other cyber organisations video content, written content with annotated screenshots and even the odd cyber security sea shanty (See here for the cyber sea shanty if you are interested.)

Testing

One of the big things about awareness development is being able to test that it is working.    If your training is about compliance the only test you need is to check that your attendance list has everyone’s name on it but if you are truly after user awareness development you need to check that users awareness has actually developed.   An easy approach to this might be a simple short quiz including alongside new awareness content, with a focus on helping users identify what they don’t know rather than centrally providing scores.   A centralised focus on these scores once again is more about compliance rather than the actual users and user development.   An alternative approach might be regular phishing awareness tests to see whether users fall for a phishing email, or whether they report the issue.   Reducing numbers of users falling for such tests, and increasing numbers of users reporting emails to IT teams both representing improvements in user cyber awareness.

Fear of reporting

Another big challenge is trying to ensure users understand the importance of their vigilance and care in relation to cyber security, and the size of the risk both to them, to the wider staff and students and to the school/college as a whole.    The balance here though is that we need to balance this out against creating fear in users to the point that either they are reluctant to use technology or are reluctant to report concerns or issues. 

For me encouraging people to report is critical both in terms of quickly identifying any issues, but equally importantly in terms of identifying misunderstandings or near misses.   From this information we can refine training and awareness development approaches.    We can basically seek to use the ongoing reports to continually learn and develop as an organisation, in relation to cyber security.

Conclusion: Building a culture (The long road)

It still worries me that some organisations continue to treat cyber security and also data protection as a compliance issue;   For me this is a shallow approach.  The true challenge should be to develop user awareness such that we shouldn’t need to be too concerned in relation to compliance.  

Awareness development in my view isnt a single training session or even a number of training events, tests, etc over the course of a term or academic year.   It’s a longer term project.    Its about building a cyber security culture which isnt a case of days or months, but can be best measured in years.    As such the sooner we all get started with this the better.