TEISS, Infosec summit

Last week saw me attend the TEISS European Information Security summit down in London. This is one of my annual journeys outside of the education bubble to look at cyber security, resilience and health in the broader industry and enterprise context. I feel it is always important to seek diversity of perspective and to avoid the issues that come with existing purely within a silo, so stepping outside of my day-to-day on a reasonably regular basis is a must.

More of the same, but greater volumes and speed.

If I were to summarise one of my main takeaways from the event, it would be that a lot of what I heard was similar to what I had heard a year before. Cybercrime continues to grow, both in terms of the threat and in terms of its potential impact. The specific threats, such as ransomware or social engineering, haven't really changed, but the frequency and speed of attacks have increased. One particular slide looked at nation state actors, showing how some were now down to a breakout time, from compromise to exfiltration, of under 6 minutes. Now it isn't likely that schools will need to face nation state actors directly, albeit we could end up as collateral damage; however this increase in speed for nation state actors is likely mirrored by other threat actors, including those schools may actually face. Related to this, one presenter showed screenshots of AI powered cybercrime tools which are now available, highlighting that AI, and in particular Large Language Models, not only have the potential to increase the productivity and efficiency of users, they also have the potential to increase the productivity and efficiency of criminals. I was aware of FraudGPT and WormGPT so this wasn't new to me; however the subsequent slide showed an automation and orchestration platform which criminals could use. The combination of AI powered creation tools alongside automation tools concerns me, as it would clearly give criminals the ability to launch convincing attacks broadly, with any compromise then quickly leveraged before defenders have an opportunity to react. Think Power Automate for criminals. Lots more, better phishing emails, where user errors are quickly capitalised on to deliver malware, extract data or propagate further attacks.

Geo-political instability

Discussion of geo-political instability and its impact on information security was very interesting, especially considering the room was full of cyber security professionals charged with protecting companies and data, including companies responsible for critical national infrastructure. From a school point of view this might seem to be outside of our wheelhouse; however on reflection I wonder about our need to educate students in relation to this. We have already seen that modern warfare now involves a cyber element, with the cyber element often preceding any physical engagement. Do students need to be aware of the implications of globally connected digital services in a world of increasing conflict along national and geographic borders? How might these issues directly impact us, and what about where we are indirectly impacted, or where the impact is subtle manipulation via social media? I suspect there is a whole post possible on this alone.

User awareness and training

I spent a significant part of the conference watching sessions within the Culture and Education stream. There was some good discussion in relation to culture and the testing of cyber resilience, particularly the use of phishing awareness testing. These tests are very good at giving us a snapshot, or even a longitudinal view, of our general cyber resilience; however they aren't as useful at an individual user level. Presenting a staff member or student with additional training material immediately after they have fallen for a phishing test doesn't find them at their best in terms of their potential to learn. One presenter offered an alternative view, suggesting that all users mean to do the right thing, so we should be asking what it is that makes them do the wrong thing, rather than focusing on how we change individuals' behaviour. For me this very often comes down to being time poor, and therefore being in a rush or suffering workload issues, so I am not sure quite what we can do about this. In my view, the world and our roles only see us adding more tasks and activities, and very seldom do we take things away, so it is no wonder that we are time poor, and no wonder that in our hurry we fall for social engineering and for phishing emails. That said, it is definitely worth the conversation as to what the barriers to good cyber behaviours are, and then looking to see if there is any way to address them. I suspect we won't solve the issue, but I bet there will be some possible quick wins.

Recovery over prevention

One presenter made a very interesting observation that we continue to spend too much time focussed on prevention rather than on how we might respond to and recover from an incident. I can immediately see why we might focus on prevention: if a cyber incident doesn't happen, then things are all good. The reality, however, is that cyber incidents are almost guaranteed. And if we accept that an incident is definitely going to happen at some point in the future, then we are better spending a little less time focussed on prevention and a little more on considering what we will do when an incident does happen. This can easily be done through desktop exercises, and doing so is always preferable to having to work it out when the world is on fire in the midst of a real cyber incident. And to that end I actually delivered a little exercise only the other day.

People, Processes and Technology

One of the biggest takeaways from the event was the mention of People, Processes and Technology (PPT for short, and not the Microsoft app). Sadly, all too often we focus on Technology. How can we technically keep data secure? How can IT deliver training to those clicking a phishing link? What we need to do more of is to consider the people involved and their impact, as well as the processes. If we consider people, processes and technology we will likely have the best opportunity of keeping things secure and safe. And I note that considering people, processes and technology isn't just an infosec thing; it can equally be applied to school technology strategy, to the use of technology in classrooms, and much more.

I suspect as we continue to make use of more technology and as technology further pervades every aspect of our lives, we need to increasingly seek to look to the human contribution and to human behaviour, rather than getting so focussed on the tech.

BETT 2025: Cyber resilience and schools

On the Friday afternoon of BETT 2025 I had the opportunity to deliver a session on cyber security for education, called “cyber resilience and schools: let's get pragmatic”. Now I will admit I was a bit worried that, with it being a day three afternoon session, nobody would turn up; however the session was very well attended, which was great. One thing I will note though is that when I asked about the roles of the various people in the audience, around 95% of them were from technical IT roles. I get why this would be the case, however I worry that it is symptomatic of cyber incidents still being seen as an “IT” issue rather than a school wide issue. When an incident happens, although IT will be the people working hard to resolve it, it will be the whole school which is impacted, including in relation to administrative tasks like registration and parental contact, teaching and learning, pastoral and wellbeing support and much more. Cyber resilience, or cyber security if you prefer that term, needs to be seen as a school wide issue, so my thanks and applause go to the small number of school leaders who attended my session, and I hope they found it useful.

My presentation broke down into four main areas: the current context of schools and cyber security, the need for risk assessment, the need for incident preparation, and the basics which schools need to be doing to limit risk, including reducing the likelihood and impact of an incident.

In relation to the context, it is pretty easy to see the impact and risk in relation to cyber and schools, with one school being forced to remain shut at the start of the first week of BETT due to a cyber incident. The ICO also acknowledged that reported incidents in 2023 had grown 55% over those in 2022. If putting a cost figure to things, cyber crime worldwide is estimated to reach $10.5 trillion this year. So cyber crime will definitely continue, and will continue to hit schools. One key challenge for schools though is the limited budget available, both financially and in terms of staff resource, to tackle cyber risks and cyber resilience. This highlights the challenge for schools; however I noted a discussion at an industry event where they talked of whether doubling cyber related budgetary spend might halve the risk. The common consensus was probably not. So cries for more money, although money would help, would not solve the challenge.

It is therefore about risk management and balance. Schools can be more secure, but in doing so this might impact on flexibility, and therefore on the educational experience of students. We need to assess risk, identifying our risks, their likelihood and impact, plus the mitigations we could put or have put in place, complete with any implications of such mitigations. Once we know our risks we can plan accordingly in terms of mitigation or incident planning.

My next main point was the need to accept that cyber incidents are a “when” rather than an “if”, and that based on this we need to prepare ourselves. For me this is where desktop exercises are useful: actually working through an example incident with colleagues to identify what needs to be done, by whom and when, plus to identify any assumptions which may have been made in terms of how an incident would be responded to. Now this was one of the exercises from my session; however the key value is in conducting such exercises in your own school, with a cross section of your own staff, where the exercise can be tailored to the specific needs and context of the school. It is all about thinking about the processes in the safe environment of a desktop exercise rather than in the heat of battle in the event of a real life incident.

The last section of my presentation, which may feel a little backwards having looked at risk management and incident planning first, was that of how we might pragmatically delay an incident occurring or limit its impact. As I mentioned earlier, we don't have the resources of enterprise organisations so we can't simply throw money or resources at the problem. For me this therefore means we need to do the basics in terms of cyber resilience. This refers to enforcing MFA, patching as many servers as we can, providing users only with the access they truly need, etc. It is these basics that will reduce the risk level for our schools and colleges, and hopefully see criminals moving along to the next school or organisation in the hope of an easier target. And generally the basic steps don't cost the earth, other than some time to undertake them.

Conclusion

My summation for the session was very much about the need for cyber resilience to be seen as a school wide issue, and therefore for it to be discussed at the highest levels including governors/trustees and senior leadership. They need to have a sense of the risks being faced and to guide the school in seeking to address these risks. They may not know the technical side; however they set the risk appetite and therefore guide the spending of resources, including IT staffing, plus the balance between security and flexibility, which includes flexibility in the classroom. They should also be central to considering the “what if” scenario and how the school might respond to cyber incidents such as data breaches, ransomware, etc. It is better to prepare than to have to work out what you are going to do while in the midst of a cyber crisis. And lastly there are the basics: we simply need to do these, as they are the most cost effective method to delay or limit the impact of a cyber incident.

Cyber crime isn’t going away, so we need to plan and prepare, and not just the IT staff. 

Now if you wish to review my slides or the resources, which included some cyber incident cards for a risk assessment exercise, then you can access them here via Google Drive.

TEISS 2024, Resilience, Recovery and Response

I try and take myself out of the educational bubble at least once per year. This has been a conscious decision for a number of years, as I realised the importance of diversity and therefore the limitations of only looking at IT, cyber, data protection, etc. from the standpoint of people in similar educational contexts. As such the TEISS event is one of those events I try to attend to broaden my experiences and get the views and thoughts of those who exist beyond the educational context of schools and colleges.

This year's TEISS event, which as ever focused on cyber security and cyber resilience, had some predictable topics of discussion. These obviously included Artificial Intelligence and also third party or supply chain risks. So what were my big takeaways from the event?

The cyber context

I am reasonably well aware of the cyber context and the risks which impact organisations in general, including schools; however the TEISS event presented a couple of key facts which I think are interesting. That there was a cyber attack every 29 seconds in 2023 says it all, with this only likely to grow once the 2024 figures have been calculated. This highlights the need for all organisations, including all schools and colleges, to consider cyber risks and their defensive and recovery methods. There is no excuse for having not done so.

Behaviourism

A number of presenters, and a number of those I had conversations with during the course of the conference, highlighted the need to consider human behaviour as part of cyber thinking. A cyber awareness programme isn't so much about the programme as about bringing about behavioural change, so although having an annual training or other training programme might meet compliance requirements, does it bring about the behavioural change we seek, and how do we know that this is the case? It is about encouraging people to report issues and reinforcing such reports by making users aware of the impact where they do report concerns such as a phishing email. If we can reinforce this view of reporting having an impact, rather than just being another thing staff are “asked” to do, then we might manage to build the cyber culture we want in organisations. In discussion with one event attendee, they raised a solution which would automatically remove a phishing email from mailboxes once it had been reported, and would then let the reporting user know of their positive impact. This seems like a great tool, but apparently what had been a cheap tool was bought up by a bigger company and now forms part of the free value-added tooling bundled with a bigger, more expensive product which needs to be purchased. For schools this brings us back to limited budgets, which means that key tooling for cyber security continues to be outside the budgets of those in education.
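The “report it and it disappears from everyone's mailbox” tool mentioned above is a neat illustration of the behavioural loop the paragraph describes: the report has a visible effect, and the reporter is told so. What follows is an added example written for this post, not the attendee's product or any school's code, showing the core of such a tool in Python over constructed sample mailboxes (the school.example and pay-portal-secure.example names are made up). The interesting part is the matching: a phishing run usually varies the sender address and the numbers in the subject, so copies are found by a campaign fingerprint rather than by exact match.

```python
"""Purge a reported phishing email from every mailbox and tell the reporter.

Added example for this post, not the product the attendee described and not
a real school's code. The mailboxes below are constructed sample data; a real
implementation would sit behind a mail platform's API. The point is the
matching: a phishing run usually varies sender addresses and numbers in the
subject, so we match on a campaign fingerprint rather than an exact copy.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed mailboxes: {user: [message, ...]}. Ids and addresses are made up.
MAILBOXES = {
    "head@school.example": [
        {"id": "m1", "from": "invoices@pay-portal-secure.example",
         "subject": "Invoice 4821 overdue",
         "body": "Please review at https://pay-portal-secure.example/login?acct=4821"},
        {"id": "m2", "from": "bursar@school.example",            # genuine, same subject
         "subject": "Invoice 4821 overdue",
         "body": "Internal reminder, see https://finance.school.example/inv/4821"},
    ],
    "bursar@school.example": [
        {"id": "m3", "from": "accounts@pay-portal-secure.example",  # same run, new number
         "subject": "Invoice 7730 overdue",
         "body": "Review at https://PAY-PORTAL-SECURE.example/login?acct=7730"},
    ],
    "teacher@school.example": [
        {"id": "m4", "from": "timetable@school.example",
         "subject": "Room change Friday", "body": "Period 3 moves to room 12."},
    ],
}


def fingerprint(msg: dict) -> tuple[str, str, frozenset[str]]:
    """Campaign-level fingerprint: sender domain, subject with digits masked,
    and the set of link hosts. Two lures from the same run collide here even
    when the sender local part, invoice number and URL query string differ."""
    sender_domain = msg["from"].rsplit("@", 1)[-1].casefold()
    subject = " ".join(re.sub(r"\d+", "#", msg["subject"].casefold()).split())
    hosts = set()
    for url in URL_RE.findall(msg["body"]):
        host = urlparse(url).hostname      # urlparse lower-cases the host for us
        if host:
            hosts.add(host)
    return (sender_domain, subject, frozenset(hosts))


def purge_reported(mailboxes: dict, reporter: str, reported_id: str) -> dict:
    """Quarantine every message matching the reported one across all mailboxes.

    Removes matches from `mailboxes` in place and returns a report with the
    quarantined (user, id) pairs, the affected users and the feedback line
    the reporter should receive. A genuine message that merely shares the
    subject (m2 above) does not match because its sender domain and link
    hosts differ.
    """
    reported = next(m for m in mailboxes[reporter] if m["id"] == reported_id)
    target = fingerprint(reported)
    quarantined, affected = [], []
    for user, inbox in mailboxes.items():
        keep, removed = [], []
        for m in inbox:
            (removed if fingerprint(m) == target else keep).append(m)
        if removed:
            affected.append(user)
            quarantined.extend((user, m["id"]) for m in removed)
            mailboxes[user] = keep   # re-assigning an existing key is safe mid-iteration
    return {
        "fingerprint": target,
        "quarantined": quarantined,
        "affected_users": affected,
        "reporter_feedback": (
            f"Thanks {reporter}: your report removed {len(quarantined)} copies "
            f"of this phish from {len(affected)} mailbox(es)."
        ),
    }


if __name__ == "__main__":
    report = purge_reported(MAILBOXES, "head@school.example", "m1")
    print(report["reporter_feedback"])
    for user, mid in report["quarantined"]:
        print(f"  quarantined {mid} from {user}")
```

The feedback line is the part that matters for culture: the reporter learns that one report protected a colleague's mailbox too. The fingerprint is deliberately coarse; in practice you would also log what was removed so that a mistaken report can be reversed.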

It's about people

The old Richard Branson quote about looking after your staff so that they will look after your customers was raised, albeit with a cyber bent: look after your cyber security staff and they will look after your security, rather than focussing on the security itself. I have to strongly agree with this, and also with the need to look after those staff involved from an IT point of view in cyber incident response. Stress levels are high following the onset of an incident, and someone needs to make sure that those leading the technical response stop to eat, sleep and take time out. One interesting discussion which was raised, however, was how the CISO might do this for their team, but who does this for the CISO? If the board and senior leaders push for updates and for things to be “fixed”, while the CISO supports the team of people doing this work, who looks after the CISO? Now in my team I feel lucky in that my team would be quick to question me and challenge me to take the necessary time if needed. This then goes to organisational culture and the culture to question at all levels. I feel lucky to feel this would happen in my team, although I hope I never have cause to test it in a real incident, as we can only truly test these things in a real life situation; desktop exercises are all well and good, but they pale when compared to the stress and challenges of a real incident.

Incomplete information, and it's inevitable

The inevitable nature of cyber risk is something I have talked about for some time. You can do all you want in terms of your defences, but the defenders need to get it right all of the time, while the attackers need only get it right, or get lucky, once, so the probability lies with the attackers. If we take it that defence can never be 100%, and therefore attackers always have a chance and will keep trying from now until an organisation ceases to exist, plus that no organisation seeks to not exist, then probability states with relative certainty that an incident will happen, just not when. And when it happens we will initially see only bits of the picture, with more of the picture as to the impact of the incident, the ingress route, etc. appearing as time progresses, yet the expectation will be to communicate quickly about the incident. In relation to comms, the key message seemed to be that the worst thing to do is to state something which is later proved to be untrue, so it is all about saying little. Another point which came across related to the cadence of information: although we may seek to say little, we should seek to be regular in our communications, even if this means saying that investigations are ongoing and that at this stage we know nothing more.
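The “attackers only need to get lucky once” point can be put in numbers. As an added illustration, not part of the original post, assume each attack attempt against a school independently succeeds with a small probability $p$ and that $n$ attempts arrive over the period in question; the value $p = 0.01$ used below is an assumption purely for illustration, not a measured figure.

$$
P(\text{at least one success in } n \text{ attempts}) = 1 - (1-p)^n \;\longrightarrow\; 1 \quad \text{as } n \to \infty \text{, for any } p > 0.
$$

With $p = 0.01$ per attempt and one attempt per day for a year ($n = 365$):

$$
1 - 0.99^{365} \approx 1 - 0.0255 \approx 0.97,
$$

and even if doubling the budget really did halve the per-attempt success probability to $p = 0.005$:

$$
1 - 0.995^{365} \approx 1 - 0.160 \approx 0.84.
$$

The expected number of attempts before the first success is $1/p$, so halving $p$ doubles the expected time to the first incident but does not remove it. That is the probabilistic content of “when, not if”: over a year the odds stay high whatever reasonable value $p$ takes, which is why preparation for the incident pays regardless of how much is spent on prevention.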

Cyber and AI… or not

Within a couple of presentations the issue of language was raised. AI being the current buzzword, used both by vendors singing the praises of their products and in discussions of threats and AI based threats, was mentioned. Maybe AI has become a bit of a buzzword which needs to be included in product pitches, in conferences, etc., and maybe this doesn't match the reality. Another presenter raised how we use the term cyber. Cyber bullying, cyber threats, cyber security, etc. But isn't it just bullying, a threat or security, albeit enabled by technology? And does the use of the word cyber push us to think it's an IT issue, an issue for IT companies and vendors, rather than something which is the responsibility of a wider organisation, a school or a school community? Maybe we need to reduce our use of the word cyber and embrace the wider links of technology enabled attacks as a subset of existing issues rather than as something unique and distinct.

Conclusion

I enjoy stepping outside of the education bubble and hearing about what cyber security looks like to those in the enterprise world, where they generally have far greater resources. It is heartening to hear that they suffer from the same problems and have the same answers, in spite of their significantly greater resources. This continues to highlight for me that “not enough money” or “not enough staff” isn't the answer, as we need to be pragmatic about cyber. We could have infinite staff and budget and we would still face challenges. It continues to be about doing what we reasonably can, and preparing for the worst. It also continues to be about getting this message across to trustees and governors: that no matter what we do the risk will continue to exist, plus also that most schools or colleges which have suffered an incident have moved past it and survived. In education with students we talk about FAIL as first attempt in learning, and maybe that's what a cyber incident is? That said, it's not a learning exercise I would care to undertake!

Desktop Cyber Exercises

I recently worked through a desktop exercise in school as part of my ongoing efforts to progress cyber security. As such I thought I would share some brief thoughts I had following the exercise.

Communication, communication and more communication

I think one of the key things that sticks out to me in relation to cyber incidents is the importance of establishing how things will be communicated out to students, staff, parents, etc. In the event of a significant IT issue it may be that your normal communication methods, such as desk phones and email, are out of commission, at least for a period of time. As such you then need to look at how you communicate without these tools, whether this is using mobile phones, radios or even going for a walk to speak directly to people. If you have school social media accounts, can you use these, and where are the credentials kept so you can access them even when your main IT systems are down? The key is the need to get information out to staff, students and parents in the immediate or near immediate term, and therefore that you have the right information, such as phone numbers, available even if IT systems are inoperable.

Printing

We are now in a world of digital communication; however in the event of an IT incident it may be necessary to revert to a previous time, the time of the printed sheet or document. As such, establishing some printing and copying capability in the short term is very beneficial and would support the needs of communication. This would allow the creation of temporary registers, bulletins for noticeboards and other processes which would support the school, staff and students through the initial period of an incident.

Safeguarding

One of the key safeguarding duties of a school is to know which students it has on-site. On a normal day the school's MIS will serve this purpose, but if this is not accessible then there needs to be an alternative way to identify attendance or absence. This might be pre-prepared emergency registers, or hand written registers which are then collected and compared against a school master list.
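The reconciliation step above, collected hand written registers checked against a master list, is small enough to script, and doing so in advance is part of the same preparation as printing the registers. The following is an added example written for this post, not any school's actual tooling. It works over a constructed MIS export and constructed handwritten sheets (the pupil names and form groups are made up), and assumes the master list was exported and stored somewhere reachable before the MIS became unavailable and that the sheets are typed in as written, so the matching has to tolerate capitalisation, spacing, hyphens and apostrophes.

```python
"""Reconcile handwritten emergency registers against an MIS master list.

Added example for this post; not a real school's tooling. MASTER_CSV stands
in for a CSV export taken from the MIS before an incident and kept reachable
when the MIS is down (a printed copy plus an offline file). HANDWRITTEN is
how the collected sheets might be typed up: inconsistent case, spacing and
punctuation are exactly what the matching has to tolerate.
"""
import csv
import io
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed sample MIS export.
MASTER_CSV = """\
pupil_id,forename,surname,form
1001,Amira,Khan,7A
1002,Ben,O'Neill,7A
1003,Chloe,Smith-Jones,7A
1004,Dev,Patel,7B
1005,Ella,Brown,7B
1006,Finn,Murphy,7B
"""

# Constructed transcription of the collected sheets: {form: [name as written]}.
HANDWRITTEN = {
    "7A": ["amira khan", "Ben ONeill"],                           # Chloe not ticked
    "7B": ["Dev  Patel", "Ella Brown", "Finn Murphy", "Sam Lee"],  # Sam not on the list
}


def normalise_name(name: str) -> str:
    """Make "Ben O'Neill", "ben oneill" and "BEN  O'NEILL" compare equal.

    Accents are folded (Zoë -> zoe), apostrophes and full stops dropped, and
    every other non-alphanumeric run (hyphens, double spaces) becomes one space.
    """
    folded = unicodedata.normalize("NFKD", name.casefold())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    folded = re.sub(r"['’.]", "", folded)
    return " ".join(re.sub(r"[^a-z0-9]+", " ", folded).split())


def load_master(csv_text: str) -> dict[str, dict[str, str]]:
    """Return {form: {normalised name: pupil_id}} from the MIS export."""
    master: dict[str, dict[str, str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = normalise_name(f"{row['forename']} {row['surname']}")
        master.setdefault(row["form"], {})[key] = row["pupil_id"]
    return master


@dataclass
class FormResult:
    present: list[str] = field(default_factory=list)      # pupil_ids ticked on the sheet
    unaccounted: list[str] = field(default_factory=list)  # pupil_ids with no tick
    unexpected: list[str] = field(default_factory=list)   # names on the sheet, not on the list


def reconcile(master: dict[str, dict[str, str]],
              handwritten: dict[str, list[str]]) -> dict[str, FormResult]:
    """Compare each form's sheet with the master list.

    'unaccounted' pupils are the safeguarding priority. 'unexpected' names need
    a human eye: a misspelling the normaliser could not bridge, a pupil who
    changed form since the export, or a visitor who belongs on a separate list.
    """
    results: dict[str, FormResult] = {}
    for form, roll in master.items():
        seen = {normalise_name(n) for n in handwritten.get(form, [])}
        result = FormResult()
        for key, pupil_id in roll.items():
            (result.present if key in seen else result.unaccounted).append(pupil_id)
        result.unexpected = sorted(seen - set(roll))
        results[form] = result
    # A sheet for a form the master list does not know about is itself a finding.
    for form in sorted(set(handwritten) - set(master)):
        results[form] = FormResult(
            unexpected=sorted(normalise_name(n) for n in handwritten[form]))
    return results


def total_unaccounted(results: dict[str, FormResult]) -> int:
    """Headline number for the incident lead: pupils nobody has yet accounted for."""
    return sum(len(r.unaccounted) for r in results.values())


if __name__ == "__main__":
    results = reconcile(load_master(MASTER_CSV), HANDWRITTEN)
    for form, r in sorted(results.items()):
        print(f"{form}: present={len(r.present)} unaccounted={r.unaccounted} "
              f"unexpected={r.unexpected}")
    print(f"Total unaccounted for: {total_unaccounted(results)}")
```

The output is deliberately two lists per form rather than a single count: the unaccounted list is what staff go and physically check, and the unexpected list catches both transcription errors and anyone on site who the export did not know about. The export itself contains pupil data, so where it is kept offline is a data protection decision to take before the exercise, not during the incident.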

The internet is key

More and more of the services we use rely on the internet for access, and the internet is increasingly important to teaching and learning, especially where using cloud productivity suites. As such, if internet access is impacted by an incident, there needs to be a way to quickly restore at least some access, or to find access somewhere else such as in a neighbouring business, etc. Restoring local access might involve bypassing filtering and monitoring solutions if identity management isn't functional, with access then limited to staff. That said, from an impact vs. risk point of view, the impact of a lack of internet on learning, especially where technology use is embedded and heavily uses productivity suites, might exceed the safeguarding risk, meaning you may wish to restore access for students even where filtering is unavailable for a short period of time. This would obviously need careful consideration and appropriate documentation of the decision-making process.

Consider the variables

In doing a desktop exercise it is worth giving some consideration to the variables which might have a material impact on an incident. This might mean considering when an incident might happen, such as what the impact would be if it happened during exam season or during a significant event with visitors on-site. It is also worth considering how things would work if key members of staff, such as the headmaster, were away from school. We need to know who fulfils the role of the missing staff member while they are away.

Slow down!

One key thing in my view is the need to take careful decisions during an incident and to be careful of knee-jerk reactions. This is particularly important for IT staff, as a mistaken attempt to resolve the issue could make things worse; however it is also the case for the wider SLT involved in incident management. Yes, an incident means we want to move quickly to get solutions in place so the school can continue to operate, however equally we need to avoid moving so quickly that we make mistakes. It's a balance. It is also important to slow down to allow the appropriate bodies and support organisations to be contacted and involved, including the likes of the NCSC, Action Fraud, cyber insurance and other insurance providers, etc.

Conclusion

The purpose of a desktop exercise is to get people discussing and thinking about what they might do in the event of a critical incident, IT or otherwise. It is about testing the assumptions and identifying areas for improvement. The choice is to conduct this in a safe environment or to wait until an incident hits, at which point all bets are off. My preference has always been to opt for the safer option. As Benjamin Franklin put it, failing to plan is planning to fail. If you haven't done a desktop exercise to explore what you would do in light of a cyber security incident in your school or college, I therefore suggest this is something you do in the near future.

Cyber Awareness Month: Cyber threats

October is cyber awareness month, and an important opportunity to discuss and highlight cyber security and cyber threats. Now cyber security, and particularly the development of a culture of positive cyber security practices, is an ongoing requirement; however cyber awareness month provides a valuable chance to highlight cyber security and ensure it is the subject of discussion. Due to this I would briefly like to share some of my thoughts in relation to the main cyber threats as they currently exist for schools and colleges.

Phishing, vishing  and other “ishing” attacks.

For me, phishing and similar attacks based on SMS, messaging services, social media, phone calls and even malicious QR codes continue to be one of the most common attacks, aimed either at compromising a user account or at compromising a target machine through malware. One of the big issues here is that we are living in an increasingly busy world, dealing with ever increasing numbers of emails, messages, etc. And in this busyness it is human to err: to click a malicious link, to reply to a malicious email or to provide user credentials to a convincing looking, but fake, login page. Continued user awareness training can help in this area, making users more aware of the signs to look for in malicious messaging, but it can only go so far, especially as people are becoming increasingly busy. For me, the key is for users just to have a fraction more time to review messages before acting, giving their conscious brain just that bit more time to engage and identify the unusual features of a malicious email, message or call. I am not talking about huge amounts of time, only fractions of a second. That said, this time needs to come from somewhere in a time bounded world, so we are going to need to make some compromises to find this time, as otherwise we are only likely to see data breaches resulting from phishing and other “ishing” style attacks becoming both more common and more significant in their impact.

Third parties

We are increasingly using more and more third parties, including online tools, in our lives and in our schools, whether this is a cloud hosted MIS, a learning platform, quizzing app, website provider or a multitude of other solution providers. With each third party there is an additional risk. And this risk is two-fold. One part relates to an incident at the third party resulting in school data being breached, where the school, as data controller, remains responsible. The other part relates to the use of a third party to gain access to a school's systems, possibly through a business email compromise attack having gained access to an email account within the third party, or through the integration between the third party's solution and school systems. Either way, I see third parties as the second most significant risk which schools are exposed to. Due diligence is key here in terms of ensuring appropriate checks are done on vendors in terms of their approach to security, etc., although I note these are often only superficial in nature given the information third parties may provide via their policies or via responses to direct queries. I suspect the other solution is simply least privilege: both limiting the access of third parties to school systems and trying to limit the total number of third parties used. Sadly this is often easier said than done.

Conclusion

Given the above as to the two main risks as I see them, and the acceptance that a cyber incident is a matter of “when” rather than “if”, it therefore makes sense to play out the above scenarios as desktop exercises to consider how your school might respond. Phishing can also be easily tested for through the use of a phishing test campaign, sending out a fake phishing email to see how users respond. I would suggest in both of the above scenarios there isn't a huge amount schools can do to prevent an incident, although I will once again state the importance of doing the basics in terms of cyber, such as using MFA, patching, least privilege, taking and testing backups and performing regular user awareness training. So, if there are limited opportunities for preventative measures beyond the basics, then the key thing is to prepare for the most likely threat scenarios. How would you respond to a compromised user account resulting in MIS data being exfiltrated, for example, or to a third party data solution suffering a data breach resulting in school data being leaked publicly? Would police be involved? What would you tell the press, parents and the wider community? How would your school respond internally, including who would be involved in discussions around actions and who would have the authority needed to approve comms, etc., plus what roles would each person undertake? And how might you deal with wellbeing and mental health during a high stress incident?

It is better to consider these and other questions now than to wait and have to answer them during an incident. And maybe this is one aspect of cyber awareness month we neglect: it isn't just about preventative measures and reducing the likelihood of an incident, it is also about acceptance that incidents will happen, and therefore spending some time planning and preparing.

TEISS London 2023: Reflections

During September I managed to find myself at two industry level cyber/info security conferences, one of which I have already blogged about (see here). This post focusses on the other event, TEISS London 2023, which was a little more focussed on incident management, whereas the previous event was a little more generic. So, what were my take-aways as relevant to education?

Incident Response

One of the key discussions across this particular event was in relation to the inevitable cyber incident and therefore the need to prepare. Discussions arose around desktop exercises, the development of incident response playbooks and disaster recovery plans. The key take-away for me was the need to play through potential cyber incidents, and to do this regularly. We are not talking about once every few years, but as often as can be managed, so that the relevant staff, both senior and IT technical, know how to respond when the inevitable issue arises. The need to carry out these desktop exercises with different groups of individuals, in order to ensure that all are prepared, was also discussed. Desktop exercising is definitely something I want to repeat in the coming months, building a process so that it doesn't occur ad-hoc but as part of a regular cycle allowing for the review and improvement of the related processes with each test.

Concerning external factors

One presenter went into the risks associated with geopolitical issues, where tensions in the geopolitical space often result in corresponding activity in the cyber arena.   From a school's point of view it is easy to wonder why this matters; why would a nation state or similar focus on education?   The issue is not so much an attacker focusing on education as the collateral damage which might impact education.   That collateral damage might be accidental, but we also need to acknowledge the increasing use of cloud services, which often means data and services hosted in various countries around the world; what is the risk where those countries have disagreements and some aggressive online activity results?   It is easy to say your school is in Europe or the UK so this is unlikely, yet the presenter showed aggressive cyber activity within the UK and EU, so it is not unreasonable to expect this to happen again in the future.   For schools this means, as far as I am concerned, that we need to keep doing the basics and prepare to manage an incident when it occurs.

Artificial Intelligence

AI once again featured in the discussion, although at least one presenter suggested that where we are now is more akin to machine learning than AI.   I suspect this depends on your definition of both terms; my own has ML as a subset of AI.   The key message was that the current form of AI, generative AI, produces rather generic responses, but quickly.   Its benefit, whether used for defence or attack, is its speed and its ability to ingest huge amounts of data; it is only when paired with a human that it progresses beyond being "generic".   That may change in future as we approach the "singularity", but for now and the near future AI is an assistant, for us and for criminals, rather than a significant innovative change in relation to cyber security: good security with AI is little different from good security before generative AI.

Human Factors

The human factor and culture were a fair part of the discussion.   The cyber culture, "the way we do things around here" in relation to information security, is key.   We need to build safe and secure practices into all we do and at all levels; easier said than done.   This links to the fact that humans, and in schools the wider user group of students, staff, parents, visitors and contractors among others, continue to be involved in around 74% of breaches.   It is therefore key that cyber security awareness training reaches all of these users and is regular rather than a once-a-year event.   Additionally, if we assume we will suffer a cyber incident, how do we protect our IT staff and the senior staff involved in incident response and management?   Stress levels will be very high and self-care may suffer as a result, but schools and other organisations have a duty of care for their staff, and during a cyber incident that duty of care becomes all the more important.   This is why, in my team at least, I am introducing the role of "chief wellbeing officer" in our incident response plans.

Conclusion

The organisations at this event, as at the previous cyber event, were generally large corporate entities, yet for me the messaging may be all the more important for schools given we hold student data and student futures in our hands, and given the targeting of educational institutions.   How do we get more schools to attend these events?   I suspect events like these fall into the important-but-not-urgent category, whereas fixing a server issue or a device issue in a classroom is both urgent and important; but then how do we ensure that school IT staff are prepared, and preparing, for cyber incidents?   A chicken-and-egg problem, maybe?

Cyber incidents are inevitable and I have always said that “the smartest person in the room is the room” so if we can share with industry where I believe they have much more experience in this arena, then maybe we, as in schools, will be all the better for it.

ISMG Cyber Summit: Reflections

I recently undertook my annual trip outside of the education bubble and into the wider tech and particularly InfoSec world, attending the ISMG cyber summit in London.   Now my trip was largely uneventful in terms of my usual transport disasters although I note that Google Maps did make its best effort to send me off on a wild goose chase between the tube station and the event venue, but for once my common sense prevailed.  

The purpose of my annual trip outside education is to sense-check where we are as schools in terms of cyber security, relative to the wider world.   It is also an opportunity to gather advice and best practice from industry.   I note those in the room with me were largely senior security staff, as opposed to my broader role which encompasses security, and they had budgets far exceeding anything any school will ever have access to for technology, never mind purely for cyber security.

The day was very useful with a number of key topics coming out:

AI

Artificial intelligence was a hot topic during the day, particularly in relation to the increasing use of AI solutions within businesses, much as we see increasing use in education.   The challenge and focus was on how we secure AI solutions against issues such as prompt injection, poisoning of training data, and data exfiltration, among other areas.   For me the key takeaway is that AI solutions are yet another area which organisations, including schools, need to consider and secure, and as schools adopt more AI solutions, including third-party ones, this risk will only increase.

Wellbeing during an incident

This particular issue resonated with me.   IT teams often work hard behind the scenes, only becoming visible when there is an issue or when someone wants a new solution or new functionality.   And in the event of a cyber incident the stress largely falls on them to get things up and running.   If the school, or other organisation, seldom recognises the hard work which goes into the normal working day, what hope is there during a cyber incident when they are working even harder and under significantly more stress?   As such the wellbeing, mental health and general support of IT staff, and more broadly of all staff, is so key.   How are we supporting wellbeing, beyond the tick-box efforts and the wellbeing working party?   How can we evidence that we truly are cognisant of and focused on wellbeing?   And in the event of a high-stress incident, how will we manage wellbeing?   One suggestion during the event was to have a "chief care officer" during incident response, which was an idea I liked.

Ransomware and Third parties

Two of my key concerns from an educational IT point of view have been ransomware and third-party incidents.   Both appeared as significant discussion points in relation to industry and enterprise organisations.   Ransomware continues to be a common attack method, and third-party data breaches also continue to be common.   One presenter talked about adding external solutions to monitor logs and so on, thereby adding an additional vendor and vulnerability risk, as that third party becomes yet another vector through which an organisation's data and systems might be compromised.   Here is one of the key challenges: our attempts to improve security result in layering of solutions, where each new solution may represent an additional risk and attack vector.   To me this highlights the importance of governance over security, so that decisions on risk versus benefit can be appropriately authorised and accountability made clear.   I note accountability was another discussion point at the event in relation to CISO liability, however I didn't feel this quite applies to schools.

Conclusion

Once again, this event proved to me that the challenges that impact education are not limited or unique to education.   They are issues which impact organisations across different sectors, with only the context and resourcing varying.   In the case of education there continues to be the issue of limited resourcing for cyber security, in terms of products but also in terms of staffing and expertise; a bank might have a whole cyber team, but how many schools can claim to have even a single cyber security focused professional?   This, the large and varied user base, and the need for so many users to have access to sensitive personally identifiable information, means schools and other educational organisations will continue to be a focus for attacks for some time to come.

If I was to take anything away from the event it was that enterprises and schools alike face the risk of a cyber incident.   All we can do is limit the impact and delay the inevitable.   A bank spending seven figures on security might sound like the way forward, but the reality is that all it does is reduce the risk, so spending huge amounts of money might make no difference in the long run; it is just a case of when rather than if.   As such, for schools, the focus needs to continue to be on doing the basics: user awareness, MFA, backups, least privilege access, patching and incident planning.

Cyber, schools and week 1

The first week of the 2023/24 academic year has now been completed, and during this first week I have been made aware of 4 different schools having cyber incidents reported in the press.   I think this highlights the risks that schools face in relation to cyber security and resilience, and possibly the fact that cyber criminals may focus more directly on schools, and education more generally, at key points of the year when their attacks have a greater chance of succeeding, such as the busy start of a new academic year.   So what can schools do to reduce the risk?

I cannot speak to the 4 incidents as I don’t know sufficient details as to the nature of the attacks and incidents however there are generally actions which I believe schools can take which can reduce the risk.    Given below are the 5 things I would say are the priority areas:

  • Staff Awareness Training

In the vast majority of cyber incidents a human is involved at some point, and usually towards the start of the incident.   Whether this is giving away credentials after clicking a link in a phishing email, using a weak password or misconfiguring a solution, our staff are both our weakest point and our best defence if properly trained.   And this training needs to go further than a single session at the start of the year.   It may include that start-of-year session, but it must also include advice, stories, examples and other awareness content throughout the year; little and often.   Whether it is videos to watch, information given in morning briefings, or content in newsletters and other regular documentation, awareness content should be delivered often and in different formats and media.   I also think one way to get the importance across is to look beyond the benefit to the school and highlight that good cyber hygiene matters for our daily lives and our interactions with the many digital tools we use.

  • MFA (Multi-Factor Authentication)

Phishing, and the credential theft that results from it, continues to be a common attack method.   As such anything that reduces the risk of a user's credentials being compromised is important.   Multi-factor or two-factor authentication is an easy way of reducing this risk.   Cyber criminals may get your password through guessing, or through a data breach of another service where you have re-used it, but without the second factor, such as the app on your phone, they are unable to get into the account.   One caveat: not all MFA is equal.   Push-notification prompts can be approved out of fatigue, and a phishing page that proxies the real login can relay a one-time code, so number matching and phishing-resistant methods (FIDO2 security keys or passkeys) are worth enabling where the platform offers them.   Now I have heard many raise issues about using their personal phones for this purpose and about having to install an authenticator app on their own phone.   I get this, but there is no cost as almost all of us have smartphones these days, and the cost of not having our school accounts secured, the risk to all staff personal data, to student data, to parent data and to all the other data a school may hold, never mind to students' coursework and other critical learning information, surely outweighs the downside of a small authenticator app on the phone you already have?   For me, all schools should have MFA enabled for any user who needs to access data from outside the school network.   Note that where an account can only be used from the school network, and not from home or elsewhere, that network restriction is often treated as a compensating control in place of a second factor.   Strictly it is not one, since an attacker who gets onto the network, or onto a device already on it, bypasses it, so it should be a stopgap rather than a reason not to roll out MFA.
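To make the "something you have" part concrete, here is an added example (not code from the original post) of how the one-time code in an authenticator app is generated and checked. It implements TOTP as defined in RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits) with only the Python standard library; the `login` function and its SHA-256 password hashing are a constructed simplification for illustration, not a recommendation (a real system uses a slow, salted hash such as bcrypt or Argon2). The example shows why a password captured in a phishing email is not enough on its own: the code changes every 30 seconds and is derived from a secret that never leaves the phone and the server.

```python
# Added example: time-based one-time passwords (TOTP, RFC 6238), standard library only.
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # what most authenticator apps display


def new_secret() -> str:
    """Generate a fresh base32-encoded shared secret (what the enrolment QR code carries)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def totp(secret_b32: str, for_time: int, digits: int = DIGITS) -> str:
    """Compute the TOTP code for a given Unix time.
    HMAC-SHA1 over the big-endian time-step counter, then RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = for_time // STEP_SECONDS
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps (tolerates clock skew).
    The comparison is constant-time so a timing side channel cannot reveal matching digits."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, now + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def hash_password(password: str) -> str:
    # Constructed simplification: plain SHA-256. Real systems use bcrypt/scrypt/Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def login(stored_hash: str, stored_secret: str, password: str, code: str, now: int) -> bool:
    """Two-factor check: the password (something you know) AND a valid TOTP (something you have).
    Both are always evaluated so a wrong password does not short-circuit and leak which failed."""
    pw_ok = hmac.compare_digest(hash_password(password), stored_hash)
    code_ok = verify_totp(stored_secret, code, now)
    return pw_ok and code_ok


if __name__ == "__main__":
    # Constructed enrolment: a user sets a password and scans a new secret into their app.
    secret = new_secret()
    pw_hash = hash_password("Summer2023!")
    now = int(time.time())
    good_code = totp(secret, now)            # what the app on the phone would show
    print("password + live code   :", login(pw_hash, secret, "Summer2023!", good_code, now))
    print("phished password alone :", login(pw_hash, secret, "Summer2023!", "123456", now))
    print("same code 2 minutes on :", login(pw_hash, secret, "Summer2023!", good_code, now + 120))
```

The `window` parameter is the usual trade-off: a wider window tolerates more clock drift on the phone but gives an attacker who captured a code a slightly longer replay period, which is exactly why real-time proxy phishing works against TOTP and why the post's caveat about phishing-resistant methods matters.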

  • Backups

We need to accept that a cyber incident will happen at some point in the future, and at that point we will need to recover our IT systems quickly and safely.   Backups are key to this.   As such it is important to have backups in place, and the 3-2-1 rule is a good rule of thumb: keep three copies of your data, on two different media (e.g. disk and cloud, or disk and tape), with one copy offsite, and ideally immutable so that ransomware which reaches the backup cannot encrypt or delete it.   It is also important to note that your backups are of no value until the point you need to recover from them, so you must test that you can actually restore from them before an incident forces the question.   And those who would carry out the recovery need to be familiar and comfortable with the process, so that when under high pressure following an incident they know exactly what to do.
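A restore test is only worth doing if it checks the restored data rather than just that the job finished. The following is an added example (not from the original post) of the smallest useful version of that check: record a SHA-256 manifest of every file at backup time, keep it with the backup, and after a test restore compare the restored tree against it so that missing, silently corrupted or unexpected files are reported. The file names and contents in `demo` are constructed for the example; the directory layout and the MIS export are hypothetical.

```python
# Added example: verify a test restore against a hash manifest taken at backup time.
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map of relative path (always '/'-separated) -> sha256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest. Returns the problems found, grouped as
    missing / changed / unexpected; all three empty means the restore is verified."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in actual),
        "changed": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }


def restore_is_good(result: dict) -> bool:
    return not any(result.values())


def demo(damage: bool = True) -> dict:
    """Constructed scenario: back up a small export, 'restore' it, optionally simulate one
    file lost and one silently truncated during the restore, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "mis_export"                    # hypothetical backup source
        (src / "pupils").mkdir(parents=True)
        (src / "pupils" / "year7.csv").write_text("id,name\n1,A\n")
        (src / "pupils" / "year8.csv").write_text("id,name\n2,B\n")
        (src / "readme.txt").write_text("exported 2023-09-01\n")

        manifest_path = Path(tmp) / "manifest.json"       # stored alongside the backup
        save_manifest(build_manifest(src), manifest_path)

        dst = Path(tmp) / "restore_test"                   # the test restore target
        shutil.copytree(src, dst)
        if damage:
            (dst / "pupils" / "year8.csv").unlink()                 # lost in transit
            (dst / "readme.txt").write_text("exported 2023-09-01")  # truncated by one byte
        return verify_restore(load_manifest(manifest_path), dst)


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("restore verified:", restore_is_good(result))
```

Keep the manifest on the immutable or offsite copy as well as with the live data: if ransomware has touched the backup, a manifest stored only next to it can be rewritten too, whereas a copy held elsewhere lets you prove what the data looked like before the incident.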

  • Patching

If cyber criminals didn't gain access via a compromised user account, then the other way they may get in, or the second stage of their attack after compromising an account, is likely to be exploiting a vulnerability in software.   This is all the more likely if you haven't patched your systems, since patches often contain fixes for known vulnerabilities which cyber criminals may already be actively exploiting.   By regularly patching software, including operating systems and applications, we reduce the risk of a known vulnerability existing within our network environment.   This includes patching or updating endpoint devices such as laptops, tablets and printers.   This can sometimes be difficult as it may result in downtime, whether waiting for a server to reboot or for a device to restart, but it is important.   Being pragmatic, and given it may often be impossible to patch every device, server and system, the key is to identify which are most important in terms of the operation of the school or the sensitivity of the data they hold, and do those first.   Every newly patched system is a reduction in risk, so patching one server is better than worrying about which of 60 servers to patch and patching none.   Every small step matters.

  • Least Privilege Possible

It is important to reduce users' access rights to what they really and essentially need.   This includes things like remote desktop access: if you use Office 365 or Google Workspace, do users really need remote access to the network at all?   Consider your administrative credentials too.   Does your IT team need high-level access all of the time, or can they use Privileged Identity Management (PIM) so that they only elevate their privileges when needed, for a limited time?   And when technicians log into PCs, are they using credentials with Global Admin access or a separate, lower-privileged set of credentials?   The more we reduce the access rights granted to users, the less a cyber criminal gains should they compromise an account.

Conclusion

We have to accept that all organisations will suffer a cyber incident at some point, and this is all the more the case in education, where the diverse range of users' technology skills, the number of users, the diverse range of systems and the limited investment in cyber security and resilience all come into play.   The key thing, though, is that we need to make it as difficult as possible for the cyber criminals, and focusing on the five areas above will help do just that.

I am hoping the 4 schools suffering incidents in the first week just reflects the busy nature of the first week, and that things will settle down over the coming weeks, however I suspect these 4 schools are just the start of the list of schools which will suffer incidents in 2023/24.

Password: getting the basics right

During the last week I had the opportunity to present a number of cyber security sessions for staff ahead of the start of the new academic year.   This is part of a programme of awareness development.   This year I have made a change in presenting the sessions as something related to our online activities in general, such as in our private lives, as opposed to something focussed on school systems and data.    I think this is an important change in that good cyber practices in staff and in students protect them in everyday interactions online, whether they relate to school accounts and data, or not.   One of the key discussion points in the session is that of passwords, which still remain the key method of confirming our identity when accessing online systems and data, whether these are the school MIS or personal email or social media accounts.

When we create passwords for online services we are almost always presented with the need to include an uppercase character, a number and a special character.   One of the things I ask in my cyber sessions is for attendees to think about a password they use and whether it includes an uppercase character; invariably, due to so-called "password strength" requirements, it does.   I then ask whether that character happens to be the first one.   Largely it is, unsurprisingly, given this is how we write, with capitals at the start of sentences.   I then ask whether they have included a number in their password.   Again, invariably, this is the case due to password strength requirements, and again I follow up by asking whether it is the last character, and again this tends to be true.   The point I am trying to make in my session is that as human beings we have a tendency towards being predictable.

From a cyber crime point of view, the more predictable we are the easier we are to hack.   If we use common passwords, if we use passwords linked to public information criminals can easily access, and even if we use common patterns such as the capital letter at the start and the number at the end, all of this makes hacking easier, because the attacker's tooling tries those patterns first.   The more unpredictable, or random, our passwords are, the more secure we will be.   This is why the NCSC's guidance on three random words works so well.   It creates a password with randomness built in, the random part of three random words, yet the resulting password is still easy to memorise, since we simply need to remember three words.   The other key factor is that it generally produces a password longer than we would normally create, and a password's strength, from the point of view of cracking a password hash leaked in a data breach, is directly linked to its length.   The longer a password is, assuming it is random and not predictable, the stronger it is.   And this is one of the key points I make in my sessions: the biggest indicator of password strength, again assuming the password isn't predictable, is its length.
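The predictability argument above can be put in numbers. What follows is an added example (not from the original post) that flags the "Capital first, digits last, symbol on the end" shape the sessions describe, estimates how many guesses an attacker who knows that shape actually faces compared with three or four random words, and generates a passphrase with a cryptographic random source. The word list, the 10,000-word "common words" figure for the predictable pattern, the 7,776-word diceware list size and the guess rates are all stated assumptions for the illustration.

```python
# Added example: why the predictable pattern is weak and why random words plus length are strong.
import math
import re
import secrets

# Constructed mini word list for generation; a real deployment uses a published diceware-style
# list. The entropy figures below assume that real list size (7776 words, ~12.9 bits per word).
WORDS = ["apple", "river", "candle", "orbit", "meadow", "pixel", "quartz", "lantern"]
DICEWARE_LIST_SIZE = 7776

# "Summer2023!" shape: one capitalised word, a short run of digits, optional trailing symbol.
PREDICTABLE_SHAPE = re.compile(r"^[A-Z][a-z]+\d{1,4}[!@#$%^&*.?]?$")


def has_predictable_shape(password: str) -> bool:
    """True if the password matches the capital-first / number-last pattern people gravitate to."""
    return bool(PREDICTABLE_SHAPE.match(password))


def entropy_bits(choices_per_position) -> float:
    """Entropy of a secret built by choosing independently from each set of choices,
    e.g. [26]*8 for eight random lowercase letters."""
    return sum(math.log2(n) for n in choices_per_position)


def pattern_entropy_bits(common_words: int = 10_000, digits: int = 2, symbols: int = 10) -> float:
    """Attacker's view of a 'Word12!' password: they do not try every 7-character string,
    only word x digits x symbol combinations (assumed dictionary sizes)."""
    return entropy_bits([common_words, 10 ** digits, symbols])


def passphrase_entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Three or more words chosen uniformly at random from a list of list_size words."""
    return entropy_bits([list_size] * n_words)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average the attacker finds the secret after trying half the space."""
    return (2 ** bits) / 2 / guesses_per_second


def generate_passphrase(n_words: int = 3, words=WORDS, sep: str = "-") -> str:
    """Uniformly random word choice via the secrets module (CSPRNG), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ["Summer2023!", "Password1", generate_passphrase(3)]:
        print(f"{pw:28s} predictable shape: {has_predictable_shape(pw)}")

    # Assumed guess rates: a fast unsalted hash on a GPU rig vs. a deliberately slow hash.
    fast, slow = 1e10, 1e4
    for label, bits in [("Word12! pattern", pattern_entropy_bits()),
                        ("3 random words", passphrase_entropy_bits(3)),
                        ("4 random words", passphrase_entropy_bits(4))]:
        print(f"{label:16s} {bits:5.1f} bits  fast hash: {expected_crack_seconds(bits, fast):>12.0f}s"
              f"  slow hash: {expected_crack_seconds(bits, slow):>14.0f}s")
```

Two things the numbers make visible that the prose only asserts: the pattern password carries roughly 23 bits however many characters it has, because the attacker guesses the structure rather than the characters, whereas each additional random word adds about 13 bits regardless of spelling. The second column also shows why the hash used by the breached service matters as much as your password: the same three words survive for years against a slow hash but only minutes against a fast unsalted one, which is a good argument for a fourth word on anything important.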

I also cover the risks of password re-use, using the story of a staff member I knew who fell for a phishing email and disclosed their Apple ID email address and password.   When they came to me, my first suggestion was to use the recovery functionality, which would send an email to the account linked to the Apple ID.   It was at this point that the staff member found they couldn't access the personal email account they had used either.   The criminals, on getting the Apple ID credentials, had tried the same password on the email account and found it worked.   They promptly changed the passwords on both the email account and the Apple ID, locking the staff member out.   This story perfectly illustrates why we shouldn't re-use passwords, or at least should avoid re-using them on services which are important to us or which hold high-value or sensitive data.   It is at this point that I mention multi-factor authentication as a valuable tool for protecting accounts, plus password managers to help manage the ever-growing number of passwords we all now have.

Passwords continue to be a key feature of our efforts to protect our online accounts, our data and our digital footprint.   Appropriate care with passwords is one of the key basics we all need to get right if we are to reduce the risk of a cyber incident and/or minimise the damage when one happens.   It isn't a fun, sexy or particularly technical method of protecting ourselves online, but it is something we all just need to consider and get right.

What does the future of cyber look like for schools?

The question in the title of this post is not an easy one to answer.   On one hand, if I take an optimistic viewpoint, I may be seen as downplaying the issues and challenges which impact schools.   On the other hand, if I am pessimistic, I may be seen as portraying a no-win scenario, one so bleak that it doesn't really bear thinking about.   So, I am going to do my best to thread the needle and strike a balance between unrealistic optimism and nihilistic pessimism.

Increasing technology use

Schools are only going to make use of more and more technology as we seek to try and do more with less.   We seek efficiencies, we seek to solve a workload challenge, we seek to continually improve, and in all of this we will continue to make use of more and more technology.   And as we use more technology our technology footprint, our data footprint, the number of integrations and systems used, and our overall risk as related to technology use will only increase.   I find it difficult to see any other option.    My risk when I was younger and I used a standalone PC without internet connection, using a limited number of bits of software is less than today where I use multiple laptops and desktops, a mobile phone, home assistant, smart TV and other devices, complete with way more applications.   The direction of travel is undeniable.

Increasing ambient cyber risk

Additionally, the ambient risk of cyber incidents, whether the result of nation states (directly or, more commonly, indirectly), of the script kiddies in our own schools or, much more likely, of cyber criminals' efforts to generate profit, will only continue to grow.   I have attended industry cyber conferences in consecutive years and this has been the message each time, and it is likely to remain so.   Where technology use and the potential for criminal gain both increase over time, it should be unsurprising that criminals grow and develop their technology-focused attacks, and so the general risk keeps growing.   Regulation and legislation help little here, as technology operates across national borders; laws and penalties for misuse just see criminal enterprises moving their efforts, their resources or even themselves to nations which are more accepting of their activities, or which turn a blind eye.   This is paired with the increasing focus on individual privacy in technology solutions, even where that privacy also protects criminals such as those sharing child sexual abuse material.   Sadly, communications technology is either secure or it is not; it cannot be secure for some and not for others.

It’s all doom and gloom?

So, what are the positives in this story?   What balances out this negative picture?   It would be easy, at this point, to see only the negative and to feel hopeless in the face of ever-growing risk and ever-growing compliance requirements.   But we need to recognise the benefits of the technology: the connectedness, the convenience, the benefits to creativity and problem solving, and so on.   Today's technology allows me to do far more than I could with my standalone DX2 66MHz PC of years gone by.   I can communicate further and faster, create content which is more detailed, complex and creative, solve problems quicker, and much more.

Maybe this is the issue, that when discussing cyber we focus too much on the negatives and take our eyes off the positives.   This can be very depressing indeed.    But, technology supports, encourages and enables so much of what we can now do and as with most things in life there is a balance to be struck.  Sadly, the counterbalance in this case is the cyber risk that is created.    Considering balance, we could easily seek to reduce the risk simply by using less technology but is this something we are really going to do?

So, what can we “reasonably” do?

This is the crux of the matter: how we manage the risk, assuming that using less technology isn't an option.   The answer, for me, is to do the basic cyber security tasks: patching, creating and testing backups, managing and limiting user permissions, managing and limiting the data you store and how long you retain it, and developing user awareness of the risks.   There may be a need to prioritise, as schools may not have the resources to patch every server and every device, but rather than focusing on the ideal and on what we haven't done or cannot do, we need to focus on what we have done; each additional device or server patched is one less vulnerable device and therefore a net reduction in overall risk.   Every step, no matter how small, is a positive step.

It is also important to acknowledge that no matter what you do you will still suffer a cyber incident at some point, so you need to prepare.   Key to this is running a desktop exercise to check for assumptions or gaps in your response plan and to build familiarity with it.   This should not be an IT-only exercise, as a cyber incident is not an IT-only event; it impacts the whole school.   As such, stakeholders from across the school (leadership, teaching and IT) should all be involved in the exercise and contributing their thoughts and ideas.   The desktop exercise is a useful tool and far less invasive than going around unplugging servers to see what people do!

Conclusion

So back to my initial question, what does the future of cyber look like for schools?    I think we will be continuing to do more and more with technology tools, being more creative, efficient, and interconnected, but this will sadly be balanced with an increasing cyber risk.   But it is a balance, and I think that is my answer, the future of cyber for schools looks like maintaining a balance.   In terms of managing this balance it will continue to be about doing all we reasonably can based on the resources we have, focusing on continually reviewing our cyber security posture and approach and making the continual little steps to reduce, or at least manage the risk.

It’s not a bleak, or an overly positive picture, but I think the above is a realistic and pragmatic picture!

Note: I avoided the overly simplistic picture of a person in a hoodie as my cyber criminal in this post;   As was pointed out to me recently, this stereotypical view, and lazy analogy is seldom helpful including in our discussions of cyber security or cyber crime!