I recently undertook my annual trip outside of the education bubble and into the wider tech and particularly InfoSec world, attending the ISMG cyber summit in London. Now my trip was largely uneventful in terms of my usual transport disasters although I note that Google Maps did make its best effort to send me off on a wild goose chase between the tube station and the event venue, but for once my common sense prevailed.
The purpose of my annual trip outside education is to sense check where we are as schools in terms of cyber security, in relation to the wider world. It is also an opportunity to gather advice and best practice from industry. I note those in the room with me were largely senior security staff, rather than my more broader role which encompasses security, plus they had budgets far exceeding anything any school will ever have access to for spending on technology, never mind purely on cyber security.
The day was very useful with a number of key topics coming out:
AI
Artificial intelligence was a hot topic during the course of the day particularly in relation to the increasing use of AI solutions within businesses, much in the same way we see increasing use in education. The challenge and focus was on how we secure AI solutions against issues such as prompt-injection, poisoning of the training model and data exfiltration among other areas. For me the key takeaway from this is that AI solutions are yet another area which organisations, including schools, need to consider and secure. And as schools seek to use more AI solutions, including third party solutions, this risk will only increase.
Wellbeing during an incident
This particular issue resonated with me. IT teams often work hard behind the scenes only becoming visible when there is an issue or when someone wants a new solution, new functionality, etc. And in the event of a cyber incident the stress largely falls on them to get things up and running. If the school, or other organisation, seldom recognises the hard work which goes into the normal working day, what hope is there during a cyber incident when they are working even harder and under significantly more stress. As such the wellbeing, mental health and general support for IT staff, and broader with all staff, is so key. How are we supporting wellbeing, and this has to be beyond the tick box efforts, the wellbeing working party, etc. How can we evidence we truly are cognizant and focussed on wellbeing? Also, in the event of a high stress incident, how will we manage wellbeing? One suggestion during the event was to have a “chief care officer” during incident response, which was an idea I liked.
Ransomware and Third parties
Two of my key concerns from an educational IT point of view have been ransomware and third-party incidents. Both of these appeared as significant discussion points in relation to industry and enterprise organisations. Ransomware continues to be a common attack method in general while third party data breach also continues to be common. One particular presenter during the course of the conference talked about adding additional external solutions to monitor logs, etc, but thereby adding an additional vendor and vulnerability risk, as this third party become yet another vector through which an organisations data and systems might be comprising. Here is one of the key challenges in our attempts to improve our security resulting in layering of solutions, where each new solution may represent an additional risk and attack vector. This to me highlights the important of governance over security, so that decisions of risk v. benefit can be appropriately authorised and accountability made clear; I note accountability was another discussion point from the event in relation to CISO liability however I didn’t feel this quite impacts on schools.
Conclusion
Once again, this event proved to me that the challenges that impact on education are not limited or unique to education. They are issues which impact organisation across different sectors with only the context and resourcing varying across sectors. In the case of education there continues to be the issue in the limited resourcing in relation to cyber security in terms of the products but also in terms of the staffing and expertise; A bank might have a while cyber team however how many schools can claim to actually have even a single cyber security focussed professional? This, the large and varied user base, and the need for quite so many users to have access to sensitive personally identifiable information, means schools and other educational organizations will continue to be a focus for attacks for some time to come.
If I was to take anything away from the event it was that enterprises and schools all suffer the risk of a cyber incident. All we can do is limit the impact, and delay the inevitable A banks spending seven figures on security might sound like the way forward but the reality is that all it does is reduce the risk so spending huge amounts of money might make no difference in the long run; It is just case of when rather than if. As such, for schools, the focus needs to continue be on doing the basics in terms of user awareness, MFA, backups, least privilege access, patching and incident planning.
Technology and Learning
One thought on “ISMG Cyber Summit: Reflections”