
I recently worked through a desktop exercise in school as part of my ongoing efforts to look to progress cyber security. As such I thought I would share some brief thoughts I had following the exercise.
Communication, communication and more communication
I think one of the key things that sticks out to me in relation to cyber incidents is the importance of establishing how things will be communicated out to students, staff, parents, etc. In the event of a significant IT issue it may be that your normal communication methods such as desk phones and email are out of commission, at least for a period of time. As such you then need to look to how you communicate without these tools, whether this is using mobile phones, radios or even going for a walk to speak directly to people. If you have school social media accounts, can you use these, and where are the credentials kept so you can access them even when your main IT systems are down? The key is the need to get information out to staff, students and parents in the immediate or near immediate term, and therefore that you have the right information, such as phone numbers, available even if IT systems are inoperable.
Printing
We are now in a world of digital communication; however, in the event of an IT incident it may be necessary to revert to a previous time, and to a time of the printed sheet or document. As such, establishing some printing and copying capability in the short term is very beneficial and would support the needs of communication. This would allow the creation of temporary registers, bulletins for noticeboards and other processes which would support the school, staff and students through the initial periods of an incident.
Safeguarding
One of the key safeguarding duties of a school is to know which students it has on-site. On a normal day the school's MIS will serve this purpose, but if this is not accessible then there needs to be an alternative solution to identify attendance or absence. This might be pre-prepared emergency registers or handwritten registers which are then collected and compared against a school master list.
The internet is key
More and more of the services we use rely on the internet for access, and more and more the internet is important to teaching and learning, especially where using cloud productivity suites. As such, if internet access is impacted by an incident, there needs to be a way to quickly restore at least some access or to find access somewhere else such as in a neighbouring business, etc. Restoring local access might involve bypassing filtering and monitoring solutions if identity management isn't functional, with access then limited to staff. That said, from an impact vs. risk point of view, the impact of a lack of internet on learning, especially where technology use is embedded and heavily uses productivity suites, might exceed the safeguarding risk, meaning you may wish to restore access for students even where filtering is unavailable for a short period of time. This would obviously need careful consideration and appropriate documentation of decision-making processes.
Consider the variables
In doing a desktop exercise it is worth giving some consideration to some of the variables which might have a material impact on an incident. This might be considering when an incident might happen such as what the impact would be if it happened during exams season or during a significant event, with visitors on-site. It is also worth considering how things would work if key members of staff, such as the headmaster, were away from school. We need to know who fulfils the role of the missing staff member while they are away.
Slow down!
One key thing, in my view, is the need to take careful decisions during an incident and to be careful of knee-jerk reactions. This is particularly important for IT staff, as a mistaken attempt to resolve the issue could make things worse; however, it is also the case for the wider SLT involved in incident management. Yes, an incident means we want to move quickly to get solutions in place so the school can continue to operate; however, equally we need to avoid moving so quickly that we make mistakes. It’s a balance. It is also important to slow down to allow the appropriate bodies and support organisations to be contacted and involved, including the likes of the NCSC, Action Fraud, cyber insurance providers and insurance providers, etc.
Conclusion
The purpose of a desktop exercise is to get people discussing and thinking about what they might do in the event of a critical incident, IT or otherwise. It is about testing the assumptions and identifying areas for improvement. The choice is to conduct this in a safe environment or to wait until an incident hits, at which point all bets are off. My preference has always been to opt for the safer option. As Benjamin Franklin put it, failing to plan is planning to fail. If you haven't done a desktop exercise to explore what you would do in light of a cyber security incident in your school or college, I therefore suggest this is something you do in the near future.