During September I managed to find myself in two industry level cyber/info security conferences, one of which I have already blogged about (See here). This post focusses on the other event, being the TEISS London 2023 event which was a little more focussed on incident management rather than the previous event which was a little more generic. So, what were my take-aways as relevant to education?
Incident Response
One of the key discussions across this particular event was in relation to the inevitable cyber incident and therefore the need to prepare. Discussions arose around desktop exercises, the development of incident response playbooks and disaster recovery plans. The key take-away for me was in the need to play through potential cyber incidents and to do this regularly. We are not talking about once every few years, but as often as can be managed so that the relevant staff, both senior and IT technical, know how to respond when the inevitable issue arises. It was also discussed, the need to carry out these desktop exercises with different groups of individuals in order to ensure that all are prepared. Desktop exercising is definitely something I want to look towards repeating in the coming months, and building a process so that it doesn’t occur ad-hoc but more as part of a regular process allowing for the review and improvement of the related processes with each test.
Concerning external factors
One of the presenters went into the risks associated with geopolitical issues, where issues in the geopolitical space often result in corresponding issues in the cyber arena. From a schools point of view it is easy to wonder why this makes a difference; Why would a nation state or similar focus on education? I think the issue here is not so much an attacker focussing on education, but on the collateral damage which might impact education. Now this collateral damage might be accidental however we also need to acknowledge the increasing use of cloud services; This often means data and services hosted in various countries across the world so what is the potential risk where countries have disagreements and where some aggressive activity online results. It is easy to say your school exists in Europe or the UK so this is unlikely however the presenter demonstrated some aggressive cyber activity even within the UK and EU, so it therefore isnt unpredictable that this may happen again in the future. For schools this means, as far as I am concerned, that we need to continue to do the basics plus prepare to manage an incident when it occurs.
Artificial Intelligence
AI once again factored in the discussion however at least one presenter suggested that where we are now is more akin to Machine Learning than AI. I suspect this depends on your definition of both terms, with my definition having ML as a subset of AI. The key message here was that the current instance of AI, generative AI, presents rather generic responses but quickly. Its benefit, whether used for defence or attack, is its speed and ability to ingest huge amounts of data, however it is only in pairing with a human that it progresses beyond being “generic”. In the future this may change, as we approach the “singularity” however for now and the near future AI is an assistant for us and for criminals, but doesn’t represent a significant innovative change in relation to cyber security; good security with AI is little different to good security prior to generative AI.
Human Factors
The human factor and culture were a fair part of the discussion. The cyber culture and “the way we do things around here” in relation to information security is key. We need to build safe and secure practices into all we do and at all levels; Easier to say than it is to do. This also links to the fact that humans, and the wider user group which in schools would be students, staff, parents, visitors and contractors among others, continue to be involved in around 74% of breaches. This means it is key that cyber security awareness training needs to hit all of these users and be regular rather than a once a year. Additionally, if we assume we will suffer a cyber incident, how do we protect our IT staff and also those senior staff involved in incident response and management. The stress levels will be very high, and as a result self-care may be lacking, but schools and other organisations have a duty of care for their staff, and during a cyber incident that duty of care may become all the mor important. This is why, in my team anyway, I am introducing a role of “chief wellbeing officer” as part of our incident response plans.
Conclusion
The organisations at this particular event, similar to the previous cyber event, were generally large corporate entities yet for me the messaging may be all the more important for schools given we hold student data and student futures in our hands, and given the targeting of educational institutions. How do we get more schools to attend these events? I suspect events like these fall into the important but not urgent, where fixing a server issue or a device issue in a classroom is urgent and important, but then how do we ensure that school IT staff are prepared and preparing for cyber incidents? Chicken or the egg issue maybe?
Cyber incidents are inevitable and I have always said that “the smartest person in the room is the room” so if we can share with industry where I believe they have much more experience in this arena, then maybe we, as in schools, will be all the better for it.
Technology and Learning