Reframing cyber costs in education

Schools and colleges need to focus their available funds on teaching and learning, and on the students within their care. As such it can be difficult to justify significant spending on cyber security. Investing in cyber security is investing in preventing the possibility, a chance, of a cyber incident occurring. The challenge therefore is establishing a way to frame the costs in order to identify what represents good value.

Cyber security is all about risk management. Every risk has a probability of occurring. This might be 1 in 100, 1 in 1000 or 1 in 1 million. This is where the difficulties in justifying spending on cyber security arise. For the last 10 years an institution may not have suffered any significant incidents. As such, how can the head of IT justify spending an additional £4000 or £5000 per annum on cyber security? We are working from the point that it is more likely an incident won't happen than that it will. Viewed from the point of view of past experience, the institution has been fine for 10 years and, with the probability of an incident assumed to remain roughly the same, is likely to be fine in the next 10 years, excepting this small probability. So, stay as is, or spend £40,000 – £50,000 over 10 years to provide additional protection just in case? Viewed from this point it may be difficult to justify the spend, especially if the overall budget for the school is low.

Let's take a more mathematical approach to the problem. If we take approximately 25,000 schools in the UK, I am aware of around 20-25 which have experienced a cyber incident this year. Let's assume I am aware of only a small number of the schools which actually experience incidents, say 10%. So, let's take a rate of 250 incidents per 25,000 schools, or 1 in 100. At this point, rather than looking at the chance of an incident occurring, we are assuming that an incident is guaranteed to occur within a given period. Taking this probability, in 100 years every school in the UK would likely have been hit. If hit, let's make an assumption that the cost would be £250,000 to recover (this is very much a guess figure and would depend very much on the size of the school, its type, complexity, infrastructure, etc). Taking the probability of 1 hit every 100 years, with each hit costing £250,000, the approximate annual equivalent cost would be £2500 per annum. The cost for the additional protection is looking a little better at this point. All it would take for a £4000 per annum spend to match that expected annual cost is for the recovery costs to grow to £400,000, or for the probability of a hit to increase to 1 in 62.5 rather than 1 in 100 schools.
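The arithmetic above, carried through as an added worked example (this is not code from the original post). The inputs are the post's own illustrative figures (25,000 UK schools, roughly 250 incidents a year, £250,000 to recover, £4000 to £5000 a year of extra protection); the risk-appetite factor at the end is a constructed knob that expresses the post's point that a high-appetite school tends to assume a lower probability and a low-appetite school a higher one. `Fraction` is used so the break-even values come out exact rather than as rounded floats.

```python
"""Annualised expected loss and break-even points for a cyber security spend.

Added worked example; not code from the original post. The figures are the
post's illustrative ones, and everything else is constructed for the demo.
"""
from fractions import Fraction


def incident_probability(incidents_per_year: int, population: int) -> Fraction:
    """Annual chance that one institution is hit, as an exact fraction."""
    return Fraction(incidents_per_year, population)


def annualised_loss(probability: Fraction, recovery_cost: int) -> Fraction:
    """Expected recovery cost per year: chance of a hit times cost of a hit."""
    return probability * recovery_cost


def breakeven_recovery_cost(probability: Fraction, annual_spend: int) -> Fraction:
    """Recovery cost at which the yearly spend equals the expected yearly loss."""
    return Fraction(annual_spend) / probability


def breakeven_one_in_n(recovery_cost: int, annual_spend: int) -> Fraction:
    """The '1 in N' rate at which the yearly spend equals the expected yearly loss."""
    return Fraction(recovery_cost, annual_spend)


def spend_is_justified(probability: Fraction, recovery_cost: int, annual_spend: int) -> bool:
    """True when the expected loss at least covers the spend.

    This treats the spend as removing the whole expected loss, the generous
    reading the post uses; a control believed to only halve the likelihood
    should be compared against half the expected loss instead.
    """
    return annualised_loss(probability, recovery_cost) >= annual_spend


def appetite_adjusted(probability: Fraction, factor: Fraction) -> Fraction:
    """Scale the assumed probability for risk appetite (constructed knob).

    A high-appetite school underestimates the chance (factor < 1); a
    low-appetite school overestimates it (factor > 1).
    """
    return probability * factor


if __name__ == "__main__":
    p = incident_probability(250, 25_000)  # 1 in 100
    print("annual probability:", p)
    print("expected annual loss at £250,000 per hit:", annualised_loss(p, 250_000))
    for spend in (4_000, 5_000):
        print(f"spend £{spend}: break-even recovery cost £{breakeven_recovery_cost(p, spend)}, "
              f"break-even rate 1 in {float(breakeven_one_in_n(250_000, spend))}, "
              f"justified at £250,000 per hit: {spend_is_justified(p, 250_000, spend)}")
    cautious = appetite_adjusted(p, Fraction(3, 2))
    print("low-appetite view (x1.5):", cautious, "->", annualised_loss(cautious, 250_000))
```

Running it reproduces the post's figures: a 1 in 100 chance of a £250,000 incident is £2500 a year, a £4000 spend breaks even at a £400,000 recovery cost or a 1 in 62.5 rate, and a school that views the probability as 1.5 times higher already sees £3750 of expected annual loss.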

For me the key thing is to move from a position of looking at the chance of an incident happening, where we assume it is more likely an incident won't occur, to a position of "not if but when." At this point we are accepting that an incident is guaranteed to occur within a given time period; we just don't know when. With this viewpoint we can start to make a more reasoned judgement on costs. We can also factor in the school's risk appetite, with a school with a high risk appetite likely to underestimate the probability of an incident while one with a low appetite for risk is likely to overestimate it.

We very much need to reframe how cyber risk and cyber security investment is looked at.   Hopefully the above presents at least one possible way to do this in an easy but yet meaningful way.

TAGs and Data Integrity

Following on from my previous post regarding Teacher Assessed Grades (TAG) and cyber security, in my first post I focused on mitigation measures around avoiding possible data loss.   In this post I would like to focus on the integrity of data rather than possible loss.

There are a couple of issues which could impact on the integrity of TAG data:

  • Accidental changes made by users with access
  • Deliberate changes made by users not authorised to make changes, such as students.

Dealing with these issues relies on a number of basic principles which ideally should already be in place.

Least Privilege Access

This refers simply to minimising the users who have access, including minimising those users who have write access as opposed to read-only access. By limiting the permission level provided you limit the users who may accidentally or deliberately make unauthorised changes, and reduce the risk as a result.

Linked to the above it is important to fully understand which users have access to which data/systems, with this being routinely reviewed and adjusted to accommodate for staffing changes, role changes, etc. 

A checking process

It is likely you will have a process for gathering the data, with this data then reviewed by Heads of Department before eventually going to Senior Leaders and then the exam boards themselves. It is also important to have a review process to check that unauthorised changes haven't occurred along the way and that the integrity of the data is retained across the whole process, from collection to eventual supply to the exam boards.

Audit Trails

If we assume that there is a reasonable likelihood of an accidental or deliberate unauthorised change, the next thing we need to be able to do is identify such changes, including the user who performed them and the changes they made. It is therefore important to consider whether the solution we use to store our TAG data has the relevant audit capabilities, whether that is the audit logs in your Management Information System (MIS) or the version history in Google Workspace or Office 365.
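The checking process and audit trail described above, as an added example (not the post's code, nor any MIS vendor's). It assumes a minimal record layout (student id, subject, grade) and a constructed key=value audit log format; a real MIS, Google Workspace or Office 365 export and its logs will look different, but the two steps are the same: seal each record at Head of Department sign-off, then before submission verify the seals and look up who changed anything that no longer matches. The sealing key is assumed to be held by whoever performs the check, not by the staff who edit the records.

```python
"""Detecting and attributing unauthorised changes to Teacher Assessed Grades.

Added example; not the post's or any MIS vendor's code. Record layout, log
format, key and sample data are all constructed for the demonstration.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

Record = Tuple[str, str]  # (student id, subject)
Grades = Dict[Record, str]

# Constructed: grades as signed off by the Head of Department.
SIGNED_OFF: Grades = {
    ("S1001", "Maths"): "A",
    ("S1002", "Maths"): "B",
    ("S1003", "Maths"): "C",
}
SIGN_OFF_TIME = "2021-06-01T12:00:00Z"

# Constructed: the same export taken just before submission to the exam board.
BEFORE_SUBMISSION: Grades = {
    ("S1001", "Maths"): "A",
    ("S1002", "Maths"): "B",
    ("S1003", "Maths"): "A",  # changed after sign-off
    ("S1004", "Maths"): "B",  # added after sign-off
}

# Constructed audit log in a hypothetical format; the first line predates sign-off.
AUDIT_LOG = """\
2021-06-01T09:02:11Z user=hod_maths action=update record=S1002/Maths old=C new=B
2021-06-03T16:41:05Z user=student_s1003 action=update record=S1003/Maths old=C new=A
2021-06-03T16:42:30Z user=student_s1003 action=create record=S1004/Maths old=- new=B
"""
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<student>[^/\s]+)/(?P<subject>\S+) old=(?P<old>\S+) new=(?P<new>\S+)$"
)

# Assumption: held by the checker, never by the people who edit the grades.
SEAL_KEY = b"constructed-demo-key-do-not-reuse"


def _tag(key: bytes, record: Record, grade: str) -> str:
    """HMAC-SHA256 over student|subject|grade, so a change to any field is detected."""
    message = "|".join((record[0], record[1], grade)).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def seal(grades: Grades, key: bytes) -> Dict[Record, str]:
    """Compute one tag per record at sign-off; store the tags away from the data."""
    return {record: _tag(key, record, grade) for record, grade in grades.items()}


def verify(current: Grades, seals: Dict[Record, str], key: bytes) -> Dict[str, List[Record]]:
    """Compare a later export against the seals and classify every discrepancy."""
    changed, added = [], []
    for record, grade in current.items():
        if record not in seals:
            added.append(record)
        elif not hmac.compare_digest(_tag(key, record, grade), seals[record]):
            changed.append(record)
    missing = [record for record in seals if record not in current]
    return {"changed": sorted(changed), "added": sorted(added), "missing": sorted(missing)}


def attribute(records: List[Record], audit_log: str, after: str) -> Dict[Record, List[Tuple[str, str, str, str]]]:
    """Audit entries for the flagged records made after sign-off: (time, user, old, new).

    ISO-8601 UTC timestamps of equal form compare correctly as strings.
    """
    wanted = set(records)
    found: Dict[Record, List[Tuple[str, str, str, str]]] = {}
    for line in audit_log.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            continue  # unrecognised line; a real check should report these too
        record = (m["student"], m["subject"])
        if record in wanted and m["ts"] > after:
            found.setdefault(record, []).append((m["ts"], m["user"], m["old"], m["new"]))
    return found


if __name__ == "__main__":
    seals = seal(SIGNED_OFF, SEAL_KEY)
    report = verify(BEFORE_SUBMISSION, seals, SEAL_KEY)
    print("discrepancies:", report)
    for record, entries in attribute(report["changed"] + report["added"], AUDIT_LOG, SIGN_OFF_TIME).items():
        for ts, user, old, new in entries:
            print(f"{record[0]}/{record[1]}: {user} changed {old} -> {new} at {ts}")
```

The seals only tell you that something changed; the audit log is what tells you who and what, which is why the post's point about checking the audit capability of whatever holds the data matters. Without a sign-off snapshot to verify against, a change that keeps a plausible grade would pass every eyeball review.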

Conclusion

Generally, when considering cyber security, the important thing is to identify the risks and then identify and employ appropriate mitigation measures. There is seldom a "solution" in terms of a product or configuration or setup which is perfect; however, there is a solution appropriate to your context, your organisation's view of risk and its risk appetite.

It is also important to note that the best approach is a layered approach. In this and my last post I haven't mentioned the use of storage arrays, mirroring of servers and other approaches aimed at either ensuring business continuity or making recovery quick and hopefully easy. Although these options add to the complexity of the possible approaches, the key is once again to assess the risks in your school's situation and context, and deploy the solutions which you believe best address these risks within the framework of a risk management strategy.

TAGs and Backup

As schools gather their Teacher Assessed Grades (TAGs; we do like a good acronym in education) it got me thinking about cyber security.

The two potential key issues I see in relation to TAGs are:

  1. Loss of access: This could be deletion, ransomware or some other issue which means the school doesn't have access to these important grades and therefore is unable to provide them to the relevant exam boards.
  2. Manipulation of grades: This would be an individual, internal or external, gaining access to the grade information and manipulating it either for someone's benefit or simply to cause mischief.

For this post, let's focus on loss of access. So, what measures can a school take?

The key mitigation measure for loss of access is backup. We need to ensure a backup is kept separate from the main system on which the data is stored. So, if the data is being stored in the school's Management Information System (MIS) then ideally there should be an exported copy stored in Office 365. By keeping it in a separate system, we hopefully avoid any potential issues which might result from a significant problem with the MIS followed by issues recovering the MIS from its own backup. As our data backup is in a separate system, we would be able to deal with this scenario.

Ideally, we also want to keep copies geographically separate, so maybe stored on a separate site or using a cloud-based solution.   We may also choose to use a removable media solution to “airgap” our backup.

The key thing for me is that there is no one single solution. You need to consider the risk, the available mitigation options, and their cost, in terms of financial costs, time, staffing, difficulty/complexity, etc., and then decide what works for your school. For example, removable media may help in terms of air-gapping our backups, but it would also incur costs in terms of time to remove, replace and store the tapes/drives in use. If staffing is limited this may therefore be a less appealing option. It is also about avoiding reliance on a single process/solution. So, having tape backup as a single solution is unlikely to be sufficient. You should be layering the various backup options to arrive at a solution which is appropriate to your resources, your data, your finances, etc., while reducing the risk of any single point of failure.

The other point I think is important to make regarding backups is the need to test them. All too often the only time backups are tested is at the point when recovery is required due to an incident. It is at this point that we can least afford backups to fail. As such it is important to test backups to make sure they work as they should, that you are aware of the processes and aware of any potential pitfalls. By doing so, you can be reasonably assured that when you truly and urgently need them you will know what to do and can be confident in the likely success of the recovery process.
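The "separate copy plus a rehearsed restore" advice above, as an added example (not code from the original post). It stands in for the post's exported copy in a separate system with a second directory, records a SHA-256 manifest alongside the copy, and then does the step the post says is usually skipped: it restores into a scratch location and checks every file against the manifest, reporting files that are missing from the copy or that no longer match. Paths, file names and contents are constructed; everything runs in a temporary directory.

```python
"""Keeping a separate, verified copy of a TAG export and rehearsing the restore.

Added example; not code from the original post. Directory names and file
contents are constructed, and everything lives in a temporary directory.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, backup_dir: Path) -> Dict[str, str]:
    """Copy every file under source into backup_dir and record each file's hash."""
    manifest: Dict[str, str] = {}
    for path in sorted(source.rglob("*")):
        if not path.is_file():
            continue
        relative = path.relative_to(source).as_posix()
        target = backup_dir / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[relative] = sha256_file(path)  # hash of the live file at backup time
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def rehearse_restore(backup_dir: Path, restore_dir: Path) -> Dict[str, List[str]]:
    """Restore into restore_dir and report which files came back intact.

    'missing' files are gone from the copy; 'corrupt' files restored but no
    longer match the hash recorded when the backup was taken.
    """
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    ok, corrupt, missing = [], [], []
    for relative, expected in manifest.items():
        source = backup_dir / relative
        if not source.is_file():
            missing.append(relative)
            continue
        target = restore_dir / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source, target)
        (ok if sha256_file(target) == expected else corrupt).append(relative)
    return {"ok": sorted(ok), "corrupt": sorted(corrupt), "missing": sorted(missing)}


def run_demo(tamper: bool = False, delete: bool = False) -> Dict[str, List[str]]:
    """Build a constructed export, back it up, optionally damage the copy, rehearse a restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup, restore = root / "mis_export", root / "separate_copy", root / "restore_test"
        for folder in (live, backup, restore):
            folder.mkdir()
        (live / "tags_2021.csv").write_text("student,subject,grade\nS1001,Maths,A\nS1002,Maths,B\n")
        (live / "notes").mkdir()
        (live / "notes" / "moderation.txt").write_text("HoD review completed 2021-06-01\n")
        make_backup(live, backup)
        if tamper:  # a silently altered copy is only caught by the rehearsal
            (backup / "tags_2021.csv").write_text("student,subject,grade\nS1001,Maths,A\nS1002,Maths,A\n")
        if delete:
            (backup / "notes" / "moderation.txt").unlink()
        return rehearse_restore(backup, restore)


if __name__ == "__main__":
    print("clean copy:", run_demo())
    print("altered copy:", run_demo(tamper=True))
    print("partial copy:", run_demo(delete=True))
```

The manifest is what turns "the files are there" into "the files are the ones we exported"; it also covers the post's integrity concern, since a grade quietly edited in the backup shows up as corrupt rather than being restored as if it were genuine.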

Coming up with your school’s solution to backup doesn’t need to be complex.   It is about considering different scenarios and the mitigation options and then identifying what is right for your school based on its needs and its appetite to risk.    As I have often commented, it is all about risk management.

Data Protection and Cyber Security in a Pandemic

In a pandemic, when trying to keep students learning and businesses operating, while schools, offices and shops are no longer able to operate as they normally would, cyber security and data protection aren’t exactly top of the list of things to consider.   They may even have fallen off the list altogether.   As such, over a year after the first lockdown I thought it appropriate to share some thoughts in relation to data protection and cyber security in schools.

During a pandemic it is critical to prioritise. The important things come first. So, health, safety and wellbeing are likely at the top of the list. For businesses, during a lockdown, the ability to work remotely is critical, while for educational institutions enabling online teaching and online learning is critical, all requiring action to be taken quickly. Back in mid-March 2020, although the writing was on the wall, we didn't see the first UK lockdown coming, and so when it did there was a rapid move to put the relevant technologies in place to enable online working, teaching and learning.

The issue with this rapid deployment of technology was that it was done based on an immediate need rather than being fully thought and reasoned out. Considerations such as potential cyber security or data protection risks were, due to immediate necessity, either pushed to the side or given less consideration than they would normally receive or are due. So now that we find ourselves a year further on, here are some of the things I think we should be looking at:

  • The big players

Schools coalesced largely around the two big players in cloud-based productivity solutions, Google and Microsoft. For me this was done for very good reasons given the functionality provided by each; however, I wonder if the implications of this, such as the reliance on a single platform, had been considered. I also wonder if schools have considered what they would do in the event of a significant issue/outage within their chosen platform, or if specific tools within the platform were discontinued. I do believe that it is almost essential to select one of the two platforms; however, I think it is important to consider the implications of this decision.

  • Where is my data?

During the pandemic, and in order to deliver the best learning experiences possible, teachers introduced new apps, often for specific lesson activities rather than for long term use.    I suspect that as a result of this the overall visibility in relation to the apps in use, and therefore the location of school data, may have reduced.    This is something that will need to be addressed and will likely require schools to audit the apps in use as we move forward.

  • PIA and risk assessments

Linked to the above, apps may have been introduced without an appropriate review of cyber security and data protection, including reviewing terms and conditions, privacy policies and other documentation relating to third-party apps. This would have been done due to the need to quickly adapt to the remote learning and teaching situation we found ourselves in; however, as we move forward, appropriate reviews and impact assessments will need to be carried out. Additionally, changes to existing platform settings or their usage are likely to have been made to facilitate learning during a lockdown, and as such any previously conducted risk assessments or impact assessments may no longer be valid; these will therefore need to be reviewed and updated.

  • Use of personal devices

During lockdown both students and staff have often either been forced or have chosen to make use of personal devices in remote working and remote learning.    With this comes cyber risk and also data protection implications, such as the potential for school data to end up on a personal device which is shared by different members of a family.    This needs to be considered and risk assessed, and appropriate mitigation measures put in place, whether these be technical measures and/or policy measures.

  • Remote Access

Remote access to systems was key during lockdown. How else would students and staff access the relevant systems, including both teaching and learning systems and administrative systems? We now need to review this situation with a view to cyber security, to limit the risk of the malicious use of remote access by external threat actors, and also to ensure that remote access settings are appropriate to a secure IT environment.

The above 5 issues are the 5 which come most easily to my mind; however, I suspect I could easily continue this blog to cover 10, 15 or even more items which we now need to consider. The pandemic and resulting lockdown required us to work quickly and flexibly to identify solutions. We now need to spend some time and reflect on the decisions made, and to check that in the longer term they continue to be the right decisions.

As I have commented on a number of previous occasions, the issue with data protection and cyber security is that everything is OK until it isn't. We may have put new systems in place or changed settings to support us through the pandemic. There may be no current issue with what has been done; however, unless we now spend time to analyse the decisions and their potential implications, we run the risk of sleepwalking into a data protection or cyber issue. As some sense of normality hopefully returns to the world, we need to look back at the rapid change the last year has brought and assure ourselves that we are happy with what is now in place.

Less email filtering?

Cyber security is often thought of as a defensive exercise.   It is often thought in terms of preventing threats gaining access however in considering malicious emails I wonder whether there might be a slightly different way to think about it.

My concern is this: if in our cyber defence we do a really good job and prevent malicious emails, such as the all too common phishing email, getting through, then we could potentially create a workforce who are unfamiliar with phishing emails. Our defences may create a situation such that when a phishing email eventually does get through, and this is pretty much guaranteed, the recipients are ill prepared to identify it as malicious and respond to it accordingly. Our defences create a more vulnerable user base. I would also suggest that an expectation of 100% successful filtering is naïve; our filtering solutions are simply not that good, combined with the fact that cyber criminals are constantly adjusting their approach to bypass common filtering solutions and approaches.

Now to be clear, I am not proposing no defence against malicious emails. What I am suggesting is that having filtering which is at least slightly porous, allowing some malicious emails through, may be preferable in developing users who are more aware.

I suspect some may argue that awareness is developed by training and awareness campaigns, etc.; however, I would suggest that these are all proxies for exposure to the real thing, and for learning to deal with the real thing. Again, I am not saying that we shouldn't have any awareness training; in fact I am a firm believer in the critical importance of awareness training. I am simply suggesting that training is not as effective as real life events.

The challenge with the above is the level of porosity. As I suggest, not porous enough and the user base may be ill prepared; however, equally, defences which are overly porous will simply expose users to a greater volume of risk through a greater volume of malicious emails. Once again the challenge relates to achieving balance and to managing risk.

Cyber Security ROI

Investment in organisational cyber security is very much a preventative measure to hopefully prevent or reduce the likelihood of a cyber security incident. This investment in reducing a probability is problematic.

The ideal is always that no cyber incidents, where a threat succeeds in having an impact on an organisation, occur; however, as we project off into the future the likelihood of an incident can only increase in line with the unpredictability of future events. Entropy is clearly at play.

In the worst-case scenario, an incident happens and there is an impact on the organisation. In this case we know that our current solutions and the related investment have been insufficient. I note this is not to say that we need to spend more following an incident, although I suspect this will be the trend; more that what has been spent has not delivered the outcomes we wished for and did not help in preventing an incident. It may be that we need to spend on different things going forward, but the expenditure to date has been ineffective.

The issue with all of this is that our current setup is fine until it isn't. We can be happy with our current investment until it is revealed to be ineffective by an incident, but we don't want this to occur. How do we therefore decide on an investment which is appropriate to the organisation, without waiting for incidents to prove what we have is ineffective? And at the same time how can we avoid spending excessive amounts on cyber security, which would draw funds away from the organisation's core business, assuming the core business isn't cyber security itself?

I have always believed in taking a risk-based view. We need to first identify the risks which we believe exist, the likelihood they will occur and the impact they would have on the organisation should they happen. From this we can start to consider the amount of investment we might apply to mitigation measures, to cyber security, in relation to the risk. So, a risk with a potential impact of £500,000 which is considered low likelihood might merit a £10,000 investment annually but is unlikely to merit £400,000. If the risk impacts a business-critical system, it might merit more investment than a risk impacting a low business value system.
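The risk-based comparison in the paragraph above, carried across a small register as an added example (not code from the original post). Each risk carries the three ingredients the post names (what could happen, how likely it is as a "1 in N" annual chance, and what it would cost), and each candidate control carries its yearly cost and the factor by which it is believed to cut the expected loss. The register entries, the controls and the 1.5 multiplier for business-critical systems are constructed; only the £500,000 impact against £10,000 and £400,000 of yearly spend echoes the post's illustration.

```python
"""Weighing candidate cyber security investments against a risk register.

Added example; not code from the original post. All entries are constructed
apart from the post's own £500,000 / £10,000 / £400,000 illustration.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int            # cost to the organisation if the incident happens (£)
    one_in_n: int          # annual likelihood expressed as '1 in N'
    business_critical: bool

    def expected_annual_loss(self) -> Fraction:
        return Fraction(self.impact, self.one_in_n)


@dataclass(frozen=True)
class Control:
    name: str
    risk_name: str
    annual_cost: int
    loss_divisor: int      # belief: the control divides the expected loss by this factor,
                           # whether by making the incident rarer or cheaper to recover from


def residual_annual_loss(risk: Risk, control: Control) -> Fraction:
    return risk.expected_annual_loss() / control.loss_divisor


def annual_net_benefit(risk: Risk, control: Control) -> Fraction:
    """Expected loss avoided per year minus what the control costs per year."""
    return risk.expected_annual_loss() - residual_annual_loss(risk, control) - control.annual_cost


def spend_ceiling(risk: Risk, critical_multiplier: Fraction = Fraction(3, 2)) -> Fraction:
    """Upper bound on yearly spend: you cannot avoid more than the expected loss.

    The multiplier reflects the post's point that business-critical systems
    merit more; 1.5 is a constructed value, not a standard.
    """
    ceiling = risk.expected_annual_loss()
    return ceiling * critical_multiplier if risk.business_critical else ceiling


def rank_controls(risks: List[Risk], controls: List[Control]) -> List[Tuple[str, Fraction, bool]]:
    """Controls ordered by net benefit, each flagged if its cost exceeds the spend ceiling."""
    by_name: Dict[str, Risk] = {r.name: r for r in risks}
    rows = []
    for c in controls:
        risk = by_name[c.risk_name]
        rows.append((c.name, annual_net_benefit(risk, c), c.annual_cost > spend_ceiling(risk)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed register; the first risk mirrors the post's illustration.
RISKS = [
    Risk("MIS ransomware", impact=500_000, one_in_n=50, business_critical=True),
    Risk("Website defacement", impact=20_000, one_in_n=20, business_critical=False),
]
CONTROLS = [
    Control("Offline backups and restore tests", "MIS ransomware", annual_cost=8_000, loss_divisor=10),
    Control("Outsourced 24/7 monitoring", "MIS ransomware", annual_cost=400_000, loss_divisor=20),
    Control("Managed web hosting with WAF", "Website defacement", annual_cost=1_500, loss_divisor=4),
]

if __name__ == "__main__":
    for name, benefit, over in rank_controls(RISKS, CONTROLS):
        flag = " (exceeds ceiling)" if over else ""
        print(f"{name}: net benefit £{float(benefit):,.0f} per year{flag}")
```

The numbers are the same kind of subjective judgement the post describes; the value of writing them down is that the "£400,000 for a £10,000-a-year risk" case falls out immediately as a large negative net benefit, and the ceiling flags it even before the control's effectiveness is debated.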

The above isn't a science, sadly; there is no magic Return on Investment (ROI) formula. It is all based on subjective judgements, hopefully based on experience and hopefully backed up by a third party to provide some level of assurance. It also isn't easy. Whatever amount you invest there will always be a probability that in the future it will be proven to have been ineffective by a single breach. Those overseeing cyber security must get it right all the time while the cyber criminals only need to get it right once. This is why I continue to believe in a "healthy paranoia".

We need to be concerned, to be paranoid, and to be constantly reviewing the risks, our organisation, the available technologies and threat trends. We also need to be conscious that we cannot know the future with any certainty and can only predict based on what we know now. We need to communicate the decision-making processes and ensure these are understood. In the future our decisions from today may be proved to be wrong; that's always easy to do in hindsight, but at the moment of decision making, and with the information available, a decision which seemed appropriate at the time was made. We need to balance our paranoia in the interest of our sanity and wellbeing. We need to accept that we won't always get it right!

Return on investment on cyber security spend, in my view, will always be difficult. If all goes well then everything runs smoothly and no cyber incident occurs, but this doesn't prove your investment. The future incident may have been brilliantly prevented or, more likely, it just hasn't happened yet. Sadly, the only definitive proof is when things go wrong, when an incident proves that your spend on cyber security was ineffective. This is the kind of proof you just don't want to see.

So, for now I will continue with the difficult decision process in relation to cyber security investment: that fine balance between cyber security and business operations/cost.

Lateral attacks

More than ever there is a need for healthy paranoia in how we deal with all communications we receive.

Cyber Security

The other day I was looking at Facebook and saw a post appearing to come from one of my relatives outlining how they had made easy money based on a guide on a website they had found. The post seemed out of character and therefore I treated it with a healthy amount of paranoia. Having contacted my brother-in-law via text, it became apparent he hadn't posted the comment on social media. He had in fact been hacked; however, prior to my text he was unaware.

This highlights the dangers of lateral attacks. Rather than come straight at us, the cyber criminal attempts to get to us via a trusted person or organisation. Due to the increasing cyber risk we are all becoming more sensitive to approaches by strangers and how these may in fact be malicious. The cyber criminals have therefore pivoted to using one person's or one organisation's accounts to gain access to others. They will look at the contacts of a compromised email account and then approach these contacts using the compromised account, hoping that because the sender is someone we are familiar with, and therefore trust, we will be less suspicious and more likely to click the links or open the attachments.

Given the fact the number of breached accounts now outnumber the number of people on the planet it is no surprise that the lateral attack is becoming more common.

The fact an email comes from someone we don't know is no longer the key indicator of a malicious email, as increasingly the emails may come from those we know. More than ever there is a need for healthy paranoia in how we deal with all communications we receive.

We also need to be more vigilant of unusual activity on our own accounts which might signal an account compromise and a malicious outsider trying to quietly use our accounts for lateral attacks on our friends, colleagues and other associates.
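The "unusual activity on our own accounts" the post asks us to watch for, as an added detection example (not code from the original post). It scans a constructed outbound-mail log and flags a sender who, within a short window, mails many distinct contacts with the same subject, most of whom that account has never written to before; that is the pattern the post describes, a hijacked account sending the same lure to everyone in its address book. The log format, the addresses and the thresholds (10-minute window, 5 recipients, 3 new contacts) are all constructed.

```python
"""Spotting an account that is being used to reach its own contacts.

Added example; not from the original post. Log format, sample lines and
thresholds are constructed for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed sample log. Lines are "ISO time<TAB>sender<TAB>recipient<TAB>subject".
# alice@ normally mails two colleagues; the 02:10 burst is the suspicious activity.
OUTBOUND_LOG = """\
2021-05-10T08:01:00\talice@example.org\tbob@example.org\tMinutes from Monday
2021-05-11T09:15:00\talice@example.org\tcarol@example.org\tRe: timetable
2021-05-12T14:05:00\tdave@example.org\terin@example.org\tLunch?
2021-05-14T02:10:00\talice@example.org\tbob@example.org\tYou need to see this
2021-05-14T02:10:05\talice@example.org\tcarol@example.org\tYou need to see this
2021-05-14T02:10:09\talice@example.org\tfrank@example.org\tYou need to see this
2021-05-14T02:10:14\talice@example.org\tgrace@example.org\tYou need to see this
2021-05-14T02:10:20\talice@example.org\theidi@example.org\tYou need to see this
2021-05-14T02:10:27\talice@example.org\tivan@example.org\tYou need to see this
2021-05-14T10:30:00\tdave@example.org\terin@example.org\tRe: Lunch?
"""

Entry = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Entry]:
    rows: List[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, subject = line.split("\t", 3)
        rows.append((datetime.fromisoformat(ts), sender, recipient, subject))
    return sorted(rows)


def flag_burst_senders(text: str, window: timedelta = timedelta(minutes=10),
                       min_recipients: int = 5, min_new_contacts: int = 3) -> Dict[str, Dict[str, object]]:
    """Flag senders who, inside `window`, mail at least `min_recipients` distinct
    recipients with one subject, at least `min_new_contacts` of whom they have never
    emailed before. Returns per-sender evidence for a person to review, not a verdict.
    """
    known: Dict[str, Set[str]] = defaultdict(set)          # contacts seen before the current window
    recent: Dict[str, Deque[Tuple[datetime, str, str]]] = defaultdict(deque)
    flagged: Dict[str, Dict[str, object]] = {}
    # In a real deployment `known` would be seeded from mailbox history rather than
    # learned only from lines that age out of the window (assumption of this demo).
    for ts, sender, recipient, subject in parse_log(text):
        q = recent[sender]
        while q and ts - q[0][0] > window:
            known[sender].add(q.popleft()[1])
        q.append((ts, recipient, subject))
        distinct = {r for _, r, s in q if s == subject}
        new_contacts = distinct - known[sender]
        if len(distinct) >= min_recipients and len(new_contacts) >= min_new_contacts:
            flagged[sender] = {
                "first_seen": q[0][0].isoformat(),
                "subject": subject,
                "recipients": sorted(distinct),
                "new_contacts": sorted(new_contacts),
            }
    return flagged


if __name__ == "__main__":
    for sender, evidence in flag_burst_senders(OUTBOUND_LOG).items():
        print(f"{sender}: '{evidence['subject']}' to {len(evidence['recipients'])} recipients "
              f"from {evidence['first_seen']}, {len(evidence['new_contacts'])} never mailed before")
```

This is a signal for the account owner or the IT team to verify, in the same way the post's author verified the Facebook post with a text message; the evidence it returns (when the burst started, the subject, who was new) is what that conversation needs.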

Digital Citizenship

For a while now I have been sharing various online articles which I believe relate to Digital Citizenship via Twitter and also sometimes via LinkedIn; however, it recently came to me that it might be useful to curate these tweets so that teachers looking for discussion material in relation to specific aspects of Digital Citizenship might be able to use them.

To that end I created three Wakelets based on three themes which I thought were reasonably common in relation to Digital Citizenship.

  • AI, drones, driverless cars and the other societal changes which tech may bring

https://wke.lt/w/s/kJ3z2B

  • Cyber Security, Data Protection and Big Data

https://wke.lt/w/s/XFOeIs

  • To ban or not to ban?

https://wke.lt/w/s/09MVpQ

In future I may expand the number of themes. I suspect this is highly likely, but for now the above are hopefully a good starting point.

In addition, for ease, I have created a separate section on my site for this curated Digital Citizenship content in case anyone wants to bookmark it. This section is also available via the site's menu structure.

Online compliance courses

Education and schools have to cover a number of risk areas which staff need to be aware of, including safeguarding, health and safety, and data protection, to name but three. The wider world, beyond education, has similar issues which might also include COSHH, lifting and handling, and personal protective equipment (PPE). So how do we address these issues and how do we "train" staff?

Recently I have had the opportunity to see a number of online training platforms, in different contexts, which are being used to address some of the above.   The idea is that these online platforms allow staff to receive training on the areas which relate to them, while maintaining a central record of what training has been done and also sending out notifications and reminders when training has to be renewed.    All sounding good so far?

The issue I have with this is that the focus has almost totally shifted to that of compliance rather than developing learning in relation to the risk area which is being covered.    The platform shows who has done which training courses plus ensures that people do the courses, but does this actually improve the learning related to the particular risk area?

One look at some of the online training content shows multiple ways in which content can either be quickly skipped through or missed out altogether. I must admit my own urge, when presented with some of these online courses, is to simply get them finished as quickly as possible to allow me to get on with matters I deem to be more pressing. In addition, the content is not particularly engaging, taking the form of video lectures or large amounts of text, with only minimal interaction. Even the attempts at testing user knowledge at the end of units or modules are superficial in nature, and very much dependent on short term memory of facts as opposed to testing longer term, or deeper, learning of the subject matter. A user may therefore seem to be proficient in a given area such as cyber security, having completed the relevant online course, but may have learned very little if anything from it.

Here we see an example of the focus shifting from developing an understanding of health and safety, for example, to ensuring all have done the health and safety online course. We stop worrying about understanding of health and safety as we can demonstrate that all staff are deemed proficient having completed the relevant online course. We have achieved compliance but not competence. We are treating what we can measure, the completion of online training, as what matters, as opposed to trying to measure what matters.

I think we need to take a step away from the compliance culture. Yes, it is easier to measure an organisation's health and safety awareness by the number of people who have completed the annual training, but does this mean the understanding and practice is there? I believe it doesn't. And if it doesn't, why should we spend the time, money and effort on these courses? Surely we need to find a better way?

The key for me lies in two areas: first how we educate, and then how we measure that learning has taken place. In the area of education I think it is about making use of multiple delivery methods, from short online content to in-person training, posters and email awareness programmes. We also need to continually adapt and revise our approaches, which brings me neatly on to measuring. We need to find methods of measuring, whether this is short tests at intervals throughout the year, playing out scenarios, audits or focus group discussions. This can help inform us as to what has been learned and what has not, and in doing so can help us revise and redesign. In revising and redesigning we can then seek to build better understanding in our staff. Yes, this is all much more difficult than simply firing out an online course for staff to do, but it builds deeper learning.

Deeper learning is likely to serve a staff member and the organisation much better than a tick against an online training course in the event of a cyber, health and safety, COSHH or other issue.


ISBA IT Strategy and Cyber Security Conference

The main conference venue before things began on Wednesday

On Wednesday I had the opportunity to present a session at the ISBA's IT Strategy and Cyber Security Conference in London. I had previously volunteered to contribute to the conference and was expecting, and had planned for, a small breakout session of around 20 people. On the day, upon arriving at the conference, I found out that my breakout session would be following Mark Steed's keynote speech in the main conference venue, and therefore with quite a few more than 20 people.

The session very much focused on my thoughts and experiences around cyber security, with key messages around the extent of the risk we all face plus the opposing extremes of overconfidence in security efforts or a constant need for heavy security measures at the expense of school operational efficiency. I described my approach as being one of a "healthy" paranoia and of a robust risk assessment and risk recording process.

You can read my slides from the session here.