Reframing cyber costs in education

Schools and colleges need to focus their available funds on teaching and learning, and on the students within their care. As such it can be difficult to justify significant spending on cyber security. Investing in cyber security is investing in preventing the possibility, a chance, of a cyber incident occurring. The challenge therefore is establishing a way to frame the costs in order to identify what represents good value.

Cyber security is all about risk management. Every risk has a probability of occurring. This might be 1 in 100, 1 in 1000 or 1 in 1 million. This is where the difficulties in justifying spending on cyber security arise. For the last 10 years an institution may not have suffered any significant incidents. As such, how can the head of their IT justify spending an additional £4000 or £5000 per annum on cyber security? We are working from the point that it is more likely an incident won't happen than it will. Viewed from the point of view of past experience, the institution has been fine for 10 years and, with the probability of an incident assumed to remain roughly the same, is likely to be fine in the next 10 years, except for this small probability. So, stay as is or spend £40,000 – £50,000 over 10 years to provide additional protection just in case? Viewed from this point it may be difficult to justify the spend, especially if the overall budget for the school is low.

Let’s take a more mathematical approach to the problem. Take the approximately 25,000 schools in the UK, where I am aware of around 20-25 which have experienced a cyber incident this year. Let’s assume I am aware of only a small number of the schools which actually experience incidents, say 10%. So, let’s take a probability of 250 incidents per 25,000 schools, or 1 in 100. At this point, rather than looking at the chance of an incident occurring, we are assuming that an incident is guaranteed to occur within a given period. Taking this probability, in 100 years, every school in the UK would likely have been hit. If hit, let’s make an assumption that the cost would be £250,000 to recover (this is very much a guess figure and would be dependent very much on the size of the school, its type, complexity, infrastructure, etc). Taking the probability of 1 hit every 100 years, with each hit costing £250,000, this means the approximate annual equivalent cost would be £2500 per annum. The cost for the additional protection is looking a little better at this point. All it would take for this figure to match a £4000 per annum spend is for the recovery costs to grow to £400,000 or for the probability of a hit to increase to 1 in 62.5 rather than 1 in 100 schools.

For me the key thing is to move from a position of looking at the chance of an incident happening, where we assume it is more likely an incident won’t occur, to a position of “not if but when.” At this point we are accepting an incident is guaranteed to occur within a given time period, but we just don’t know when. With this viewpoint we can start to make a more reasoned judgement on costs. We can also factor in the school’s risk appetite, with a school with a high risk appetite likely to choose to underestimate the probability of an incident, while one with a low appetite for risk is likely to overestimate.
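The calculation above, worked through as an added example (it is not the author's code). The class and method names and the `appetite_factor` multiplier are assumptions introduced here, and the example goes slightly beyond the text by also computing the chance of at least one incident over a horizon, assuming independent years with the same probability.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SchoolRisk:
    known_incidents: int     # incidents the estimator has heard of this year
    known_share_pct: int     # assumed % of real incidents that are known
    schools: int             # size of the population
    recovery_cost: float     # assumed cost of one incident, GBP

    @property
    def annual_probability(self) -> float:
        # Scale known incidents up to the assumed true count, then per school.
        estimated = self.known_incidents * 100 / self.known_share_pct
        return estimated / self.schools

    def annualised_loss(self, appetite_factor: float = 1.0) -> float:
        # appetite_factor (hypothetical knob): <1 underestimates the
        # probability (high risk appetite), >1 overestimates it (low appetite).
        return self.annual_probability * appetite_factor * self.recovery_cost

    def prob_hit_within(self, years: int) -> float:
        # Chance of at least one incident over a horizon, assuming
        # independent years with the same annual probability.
        return 1 - (1 - self.annual_probability) ** years

    def break_even(self, annual_spend: float) -> tuple[float, float]:
        # Recovery cost, and "1 in N" odds, at which the annualised loss
        # equals the proposed annual spend (other input held fixed).
        cost = annual_spend / self.annual_probability
        one_in_n = self.recovery_cost / annual_spend
        return cost, one_in_n

    def spend_justified(self, annual_spend: float, appetite_factor: float = 1.0) -> bool:
        return self.annualised_loss(appetite_factor) >= annual_spend


# Figures from the text: 25 known incidents assumed to be 10% of the total,
# 25,000 schools, £250,000 guessed recovery cost, £4,000 proposed spend.
PAGE = SchoolRisk(known_incidents=25, known_share_pct=10,
                  schools=25_000, recovery_cost=250_000)

if __name__ == "__main__":
    print(f"annual probability : 1 in {1 / PAGE.annual_probability:.0f}")
    print(f"annualised loss    : £{PAGE.annualised_loss():,.0f}")
    cost, n = PAGE.break_even(4_000)
    print(f"break-even         : £{cost:,.0f} recovery cost or 1 in {n}")
    for years in (10, 100):
        print(f"hit within {years:>3} yrs : {PAGE.prob_hit_within(years):.1%}")
    print("justified at 2x    :", PAGE.spend_justified(4_000, 2.0))
```

Changing `known_share_pct` or `recovery_cost` shows how sensitive the break-even point is to the two guessed inputs.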

We very much need to reframe how cyber risk and cyber security investment are looked at. Hopefully the above presents at least one possible way to do this in an easy yet meaningful way.

EdTech and Brexit: some thoughts.

It has been reported that IT budgets will be subject to a squeeze resulting from the Brexit decision and for those who have bought IT items recently this has already become evident.   Prices of Apple devices for example have already seen an increase.   I count myself lucky that we updated our iPad fleet just before the Brexit vote as had we delayed we might now see a bill thousands of pounds more expensive than the cost we actually paid.

Revenue costs will be an issue as we may see some service costs increase during the year ahead. An example of this might be Microsoft licensing costs. This will be difficult to deal with as it represents a revenue item with increasing cost. It may require an assessment of the value of services being used, with services of a lesser value being abandoned in order to afford those services which are critical or of a higher value. If Microsoft licensing costs go up, which other licensed products might we no longer be able to afford?

Capital projects are likely to take a significant hit as projects may no longer fall within the originally allotted budgets.   As such some projects may now be cancelled and not progress.    This may also result in some projects which previously may have been considered no longer being considered due to cost or potential future costs.

So what can we do?

The key is that of value.    We need to ensure that all that we do has the highest possible value and return on investment.

This is easier to do where planning is for a new project, new software or new hardware. Here, if the decision is taken not to proceed with a purchase due to the financial situation, the net effect is zero; we don’t have the item now, so not purchasing it results in no change. The more difficult situation to manage is where we want to bring about efficiencies by looking at what we have and by removing some items. This may be removing items to replace them with something else, such as moving from desk-based printers to centralised Multi-Function Devices, or it might be removing something because the cost vs benefit does not represent sufficient benefit given the tightening financial situation. Any removal or ceasing of support is likely to meet with a negative response from users.

The coming year is likely to be more difficult than the year that has passed, a year largely prior to the Brexit decision. Overall, in terms of educational technology, the recent Brexit decision will not have changed the impact and potential impact of technology; however, the cost of this technology has almost certainly seen an increase. As such, when taking a cost vs impact viewpoint, technology may now require a greater level of justification in order to counterbalance the increased cost.