Thoughts on password strength

Passwords continue to be a key feature of identity management.    As such we need to continue to educate and build awareness around passwords and password management.

I have regularly seen a graphic like the one below (taken from Hive Systems via TechRepublic) shared in relation to the time taken to crack a password under different scenarios of password format and length. The issue for me is that it paints a picture which, although useful in some ways, oversimplifies the situation.

[Image: password cracking time table, from Hive Systems via TechRepublic]

Statistics, statistics and more statistics

The graphic is based on the time taken to progress through all possible combinations for a given password. So, for example, to crack an 8-character password made up of numbers only, I first need to know that the password is numbers only and that I am therefore only testing those combinations. I would test 1, then 2, 3, 4 and just keep going up through the options. Now it might be fair to always test numbers-only first, expecting numbers-only passwords to be common enough to be low-hanging fruit from a cyber criminal's point of view. It might then equally be fair to suggest that lowercase, mixed case and numbers, and mixed case with special characters might each be tested in order based on likelihood and the number of combinations presented. At this point the exercise feels like an exercise in obsessive compulsive disorder, going through every possible combination in sequence, rather than an exercise in trying to quickly and efficiently crack a given password.

And to make matters worse if my password happens to be “Password” or “Password22” then I suspect it would be cracked far faster than the reported 2 mins or 3 weeks respectively.   

Human behaviours and social engineering

The issue here is that, if we are truly trying to be efficient in cracking a password, we would approach it from a heuristic point of view and look at common human behaviours. We would look at the need for people to remember passwords easily and therefore identify the likely tendency to pick common passwords, passwords relating to recent events or seasonal celebrations, etc. Rather than seeking to work through every combination we would seek to work through the most common combinations and variations of these common combinations, happy in the knowledge that, as a human set the password, they may well have fallen into one of these common human behaviours. And it is at this point that the graphic no longer works for me.

We would also look towards other data, as passwords are not set in isolation. We each set our passwords against the backdrop of our everyday lives, our work, our challenges and our successes, so access to any data on these things can yield information which is helpful in cracking a password. And oh, does social media and a quick Google search help to provide this data. So again, the graphic starts to fail us.

What makes a strong password?

Password length definitely does help in making passwords stronger, so in this respect the graphic is useful, but it isn't the single measure which I think the graphic implies it to be. As to the mix of uppercase and special characters, etc., I think in this day and age this has a limited, though not zero, impact on strength.

The factor that the graphic badly misses is how common the password is likely to be. If it is common, for example relating to a current event or a seasonal event, to the company you work for, or to something else that might be predictable based on the world we live in or on you as an individual, based on what can be publicly ascertained about you, then the graphic falls flat on its face.

So, what can we do about it?

I think sharing this graphic is useful in terms of pushing the need for longer passwords, but I think we should take care when sharing this graphic on its own. I think it is useful to share HaveIBeenPwned's password testing functionality alongside the graphic, such that individuals can use the graphic to assess the length but then use HaveIBeenPwned to assess how common a password is, in terms of the number of times it has appeared in recorded and reported data breaches.

As is often the case, as we seek to find and communicate a message, making it as simple as possible we start to lose some of the detail, and in this case I think the importance of how common or predictable a password is, is a key detail which mustn’t be lost.
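To make the contrast above concrete, here is an added example (not from the post, and not Hive Systems' or HaveIBeenPwned's code) that scores a password three ways: the chart's exhaustive-search estimate, a heuristic that tries common base words with the usual human variations first, and the HaveIBeenPwned Pwned Passwords k-anonymity check simulated offline with a constructed response in the service's real SUFFIX:COUNT line format. The guess rate, the mini wordlist, the variation model and the breach counts are all assumptions.

```python
import hashlib
from typing import Dict

# Assumed offline guess rate for the chart-style estimate (constructed; not Hive Systems' figure).
GUESSES_PER_SECOND = 1e11
SYMBOL_COUNT = 33  # printable ASCII punctuation characters


def charset_size(password: str) -> int:
    """Size of the character-class mix the chart would assign to this password."""
    size = 0
    if any(c.isdigit() for c in password):
        size += 10
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(not c.isalnum() for c in password):
        size += SYMBOL_COUNT
    return size


def chart_style_seconds(password: str) -> float:
    """The graphic's model: exhaust every combination of the detected character set."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


# Constructed mini wordlist standing in for the common-password lists tried first in practice.
COMMON_BASES = ["password", "welcome", "qwerty", "letmein", "summer", "winter"]
LEET_TABLE = str.maketrans("@$01!3", "asolie")  # @->a, $->s, 0->o, 1->l, !->i, 3->e


def base_word(password: str) -> str:
    """Undo the mangling people usually apply: trailing digits/punctuation, leetspeak, case."""
    stripped = password.rstrip("0123456789!?.#")
    return stripped.translate(LEET_TABLE).lower()


def heuristic_guesses(password: str) -> int:
    """Guesses needed by a guesser who tries common base words with case, leet and
    suffix variations before any exhaustive search; 0 means no common base was found."""
    base = base_word(password)
    if base not in COMMON_BASES:
        return 0
    suffix_len = len(password) - len(base)
    # Rough model (assumed): 4 case/leet forms per base, 10 choices per suffix position.
    variants_per_base = 4 * (10 ** suffix_len)
    return (COMMON_BASES.index(base) + 1) * variants_per_base


def hibp_split(password: str):
    """k-anonymity split: only the first 5 hex chars of the SHA-1 leave the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_fake_range(breached: Dict[str, int]) -> str:
    """Constructed stand-in for the service's 'SUFFIX:COUNT' range response body."""
    return "\r\n".join(f"{hibp_split(p)[1]}:{n}" for p, n in breached.items())


def breach_count(password: str, range_body: str) -> int:
    """Match this password's hash suffix against a range response locally."""
    _, suffix = hibp_split(password)
    for line in range_body.splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0


def assess(password: str, range_body: str) -> dict:
    """Three views of one password: the chart's estimate, the heuristic, and breach exposure."""
    return {
        "chart_seconds": chart_style_seconds(password),
        "heuristic_guesses": heuristic_guesses(password),
        "breach_count": breach_count(password, range_body),
    }


if __name__ == "__main__":
    # Constructed breach counts; a real lookup would fetch the 5-char prefix range from the service.
    fake_range = build_fake_range({"Password22": 4821, "P@ssw0rd": 917})
    for pw in ("Password22", "P@ssw0rd", "correct-horse-battery-staple-42"):
        print(f"{pw:35} {assess(pw, fake_range)}")
```

The point the numbers make is the post's: "Password22" scores days under the chart model but only a few hundred guesses under the heuristic, and a breach lookup exposes it regardless of length.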

References:

Lance, W. (2022) 'How an 8-character password could be cracked in less than an hour', TechRepublic, 7 March 2022. Available at: How an 8-character password could be cracked in less than an hour | TechRepublic (Accessed: 12 April 2022).

Cyber and Learning

In schools we need to keep student data secure; however, equally we need the flexibility to use different learning platforms and tools in the search for effective learning experiences. There is a clear tension between these two requirements, and it would be fair to consider them the opposite ends of a continuum. At one end you could have a very secure system, similar to those in highly regulated industries like banking, but in doing so you would lose some of the flexibility needed by teachers. Alternatively, you could have a very open and flexible setup, but in doing so you would likely open your school to increased cyber risk. So how do we navigate the continuum?

The security paradigm

In my view, part of the challenge here is the security paradigm of keeping systems and data secure.    The reality is that we can only measure this after the event, so for every day we don’t suffer an incident, we have achieved this requirement, and we need to achieve this requirement indefinitely.   A single incident would therefore represent total failure.    In the complex world of IT with ever changing threats, this model doesn’t work.

I think we need to accept that if we look far enough ahead there is a certainty of an incident.    As such, we need to make sure this is understood at the senior levels of the school, and then seek to do everything reasonably possible to make sure that incident stays in the future, or failing that, limit the damage caused by an incident.   In considering probability of an incident it’s almost like the doomsday clock, ever moving slightly closer or further away from global catastrophe.

Risk Appetite.

One of the first things I think schools need to identify is their risk appetite. The more risk you are willing to tolerate, the closer the doomsday clock's hands are to midnight, but the more flexibility you have available. The less risk you are willing to tolerate, the further away from midnight the doomsday clock's hands are, but the less flexibility you will have. All schools will have a risk appetite somewhere between the two opposite points, but the question is where on this continuum and how much closer it is to cyber security or to flexibility and learning.

Risk Assessment

The next thing to consider is risk assessment.  How can you seek to manage and mitigate risks if you don’t know what they are?   The more flexibility you need the more risks you will likely need to document.    One of the benefits of risk assessment is to spend time considering what the risks might be, their likelihood and their potential impact.    This then gives an opportunity to prioritise resources to those risks deemed important to the school.   I think it is also worth noting that any risk assessment should be a working and living document, as the nature of schools is one of constant change.

Documenting decisions

It is important that senior staff are aware of the decision-making processes, decisions and risks and therefore it is critical that the risk appetite and risk details are shared with those staff to ensure they are appropriately informed.   This can help with identifying where there is need for additional resourcing but also to identify where risks remain due to mitigation measures being cost or otherwise resource restrictive.   If your focus is on learning, you need to ensure you clearly document the resultant risks which the added flexibility will have opened up.  

It is also important to remember we will only be able to identify failure in the future, after an incident. When this happens, we will want to look back to see if the incident was the result of a decision, and if so why we took this decision. Or was the incident simply something which we didn't consider in our examination of the likely risks? This requires the decisions around risks to be clearly documented.

Near Misses

I am also going to mention near misses, something I frequently forget to mention. There is a lot to be gained in terms of knowledge and experience from those "almost" incidents where we come close to a cyber incident. We therefore need to find ways to capture such events, to encourage users to report near misses, etc., as otherwise we will have lost valuable intelligence, leaving us only with actual incidents to learn from.

Conclusion

There isn't one answer or solution for all schools in relation to navigating between cyber security and learning/flexibility; each school will need to consider and make its own decision in this respect. It needs to be based on context, needs, resources and a variety of other factors, and it should be a conscious decision rather than something that simply happens.

On the cyber security side of things, I believe the focus has been for too long on prevention. Schools don't have significant cyber security resources but are an enticing target for cyber criminals, so prevention on its own isn't enough. We need to accept that an incident will happen and therefore shift to a focus on minimisation or delay, mitigating risks to delay the incident further into the future, or mitigating risks to reduce the damage when the incident finally does occur. For this reason I increasingly like the term "cyber resilience" in preference to "cyber security", as it hints at the need to be ready to respond to and recover from the inevitable cyber incident.

Maybe we should all start including a cyber doomsday clock in regular communication with senior staff; is this the way forward?

Why does cyber security matter?

I have written repeatedly about cyber security and the fact that cyber security is an increasing risk for schools. In my view, it should be on the risk register and subject of regular discussion but why has it become so important?

Increasing amounts of data

As we become ever more digital within schools, we find ourselves gathering, but also generating, ever more data. This ranges from simple demographic data such as name, address, DOB and gender to other data such as browsing history through school filtering solutions and device information for personal devices. We increasingly have online payment gateways for parents to purchase school lunches or uniform, or solutions which record health and allergy information. We are gathering ever more data. And with ever more data, we are able to generate yet more data by combining it or inferring from it. So, if data is the new gold, then schools must clearly be untapped gold mines from a cyber criminal's point of view. As such, cyber security is important in keeping school data safe.

Schools being hit

Look at the newspapers and online press and it won't take you long to find a school or group of schools which has suffered from a cyber incident. The reports often indicate the need for school closures while recovery is attempted. This clearly shows that schools are being hit, and possibly even specifically targeted, and that a cyber incident has a significant impact. Given this context, that schools are suffering impact from cyber incidents, it is difficult not to consider cyber security and mitigating risk as much as possible.

Schools as soft targets

The purpose of a school is education, teaching and learning. As such, its resources are focussed on this. This means schools, despite having large amounts of data, are not investing in cyber security to the same extent companies may do. This is both in terms of cyber security technologies but also, and possibly more importantly, in staffing with cyber security experience. Now I feel this isn't that surprising given the general shortage of cyber security professionals and the resultant wages they can demand. Schools will therefore find it difficult to match such wages. Additionally, schools will have a variety of different systems and hardware, possibly including student and staff personal devices, all connected to their network, often with updates unapplied or a poor general security setup. The focus of IT will largely be on enabling teaching and learning rather than maintaining a tight security perimeter. This all leads to cyber criminals seeing schools as soft targets.

Young people's personal data

Banks and other financial organisations are increasingly using data to identify unusual activity on an individual's account as a method of identifying and stopping fraud. The challenge with young people is that, to start with, little data exists as they set up their first account, their first loan, their first hire purchase agreement and eventual mortgage. Therefore, from a cyber criminal's point of view, having access to sufficient personal data to initiate identity fraud is more valuable with young people, where little data exists, than with older people. With young people the first transfer into a bank account in the control of a cyber criminal is more likely to get lost in the wealth of other firsts for these individuals. Again, this points to school data as a gold mine for future frauds and financial gain on the part of cyber criminals.

Safeguarding

We also need to consider safeguarding.  Students are increasingly online in schools and also at home.    Schools need to keep them safe in school, and cyber security is a part of this, in ensuring their online activities are safe and secure, their devices remain secure, etc.   Additionally, schools need to ensure that, through the data schools have on students, they remain safe outside of schools.   We need to ensure that their data remains safe and secure such that it cannot be used to malicious ends in approaching them online.  

Conclusion

Cyber security matters. I would even go so far as to say it is critical. All schools need to consider cyber security, and not just as a one-off but as an ongoing process. Cyber security needs to be part of school culture in the same way that safeguarding has become part of school cultures over the last 20 years (it may be longer than this, but my experience is limited to just over 20 years). We need to ensure we do all we can to protect schools, their systems, data, staff, students and wider community from cyber risks, to prepare for the inevitable incidents which will happen and to make all aware. It's a big ask, I think, so the first step is to ensure we have at least given it some thought, started talking about it and started sharing our thinking. To that end I hope this post has been of some use.

Thoughts on Safer Internet Day

This week included Safer Internet Day, the 8th of February, with a lot of additional posts on internet safety making their way onto social media. I think Safer Internet Day is great for signposting resources, focusing thinking and sharing thoughts and ideas regarding online safety; however, equally I worry that it becomes a single-shot deal. I worry that it signifies the one day a year when online safety receives a focus.

I have recently tended to focus on the cyber security aspect of online safety in particular, talking to students about securing their accounts, data breaches, etc. This has largely been due to my interest in this particular area and a feeling that this area is sometimes neglected, or is believed to be covered through a discussion of what makes a strong password. I think that students have found our discussions useful; however, I wonder about the overall impact where these discussions happen infrequently. Students may listen intently, engage and even contribute, but once they return to their daily lessons and the daily requirements of study, homework, etc., I feel that the discussion of cyber security and the concepts raised may largely become lost in the sea of other information and priorities. When they next pick up their device, or sign up to a new online service, do they give thought to the presentation they received, or do they simply repeat their previous behaviours and sign up with little consideration for online safety?

One of the big challenges is how we fit digital citizenship, online safety and cyber security into the available time such that it occurs regularly. With ever increasing curriculum requirements the available time is only shrinking, and I note that seldom do we see the net impact of curriculum changes resulting in fewer things to cover. As we use more technology in our schools, as our students use more technology in their education, but also in their day-to-day lives, surely we need to spend more time discussing the risks, as well as the benefits. Surely we need to spend more time looking at how we manage ourselves in a digital world, how we manage our online identity and our personal data. But where is this time coming from?

And this is the crunch: Safer Internet Day, which I have already acknowledged I like, may highlight the limitation of our current approach to online safety. It feels tacked on, an additional item, rather than something core, something truly important. We might run presentations or get guest speakers in, but all this really does is tick a compliance box. To truly cover online safety we need something more embedded, something which is ongoing throughout a student's time in schools or colleges; we need to develop a culture of online safety. We ideally need everyone modelling behaviours which represent good online safety, whether this is the teachers or the students. We also need poor behaviours to be challenged and questioned.

Developing organisational culture is a long-term and slow process, which in my experience is often the sum of lots of little actions taken across an organisation, which add up to a statement of "how we do things around here". As we make greater use of technology, we need to be increasingly focussed on making sure our usage of technology is "safe".

But technology, unlike culture, moves quickly, so we have no time to waste. I think we all need to ask ourselves what the online safety culture is like in our school and how we can develop it, how we can make sure it equips students with the knowledge and skills they need in this increasingly digital world.

A third party cyber incident

Schools make use of a variety of third-party solutions, with these solutions increasingly involving both the software and the hosting of the solution; the days of all third-party solutions being hosted on school servers in a school server room are fast disappearing. School data is more and more stored in third-party solutions, with data ranging from simply a list of email usernames and passwords to much more significant and sensitive records which might include medical information, financial information, etc., with the school frequently being the data controller and the third party the data processor. As such, ultimately, the security of the data is the responsibility of the school, yet these third-party solutions are increasingly seeing data breaches.

So, what might this look like when a third party suffers a data breach, such as a ransomware cyber incident?

The first few days

It is likely the third party might first attribute issues to common or garden IT issues and outages before they realise they are suffering a cyber incident such as ransomware. So, to start with you might get simple "we are investigating an IT issue" messages in reply to tickets logged. At this point it is important to realise that, even if they are now aware of the cyber nature of the incident, they are likely to be limited in what they will be able to tell schools due to legal risk, the cyber risk of tipping off the cyber criminals and the fear of providing information which might later turn out to be incorrect. There is also the need to prioritise managing the incident rather than managing communications with those schools affected. As such, for the first few days you should expect to hear little useful information, which can be very frustrating.

Issue identified

There will then come a point where the issue is identified. So, you might be told that a ransomware incident took place on a given date and that specific actions were taken; however, as before, you will get little other information. If you are hoping to know what ransomware strain was used, how it entered the systems, what specific actions were taken, which schools were impacted, etc., you will be waiting a long time. You will get enough information to be considered informed but little beyond this.

It is now a school cyber incident, and the appropriate senior staff need to be made aware, although there is relatively little detail available which can be shared. Ideally at this point you will know what data is stored by the impacted third-party solution; however, if you do not, the first step will be to establish the extent and type of data potentially affected and therefore the risk to the school. It is also at this point good to consider the comms side of things and what message you might want to send out to your various stakeholder groups, dependent on the, as yet undetermined, impact of the incident. For schools it is about a reasonable measure of preparedness rather than rushing to share; it's that balance between pushing out comms too early, where you don't know much or where what you know may later prove to be incorrect, and leaving it too late and being accused of not sharing information early enough. There is no "perfect" solution to this; it is simply a risk-based judgement call based on the incomplete information available at the time.

At this point, now that we know there is a cyber incident and the possible data and school impact, it may be necessary to consider an initial report to regulatory authorities such as the Information Commissioner's Office (ICO) as well as to the NCSC and Action Fraud, plus it may also be worth raising it with insurers. In terms of the ICO, a quick phone call to their helpline for advice is an easy step which can be taken at this point and may both yield helpful next steps and evidence an attempt to take reasonable measures in response to the incident.

The first two weeks

We now move on to the forensic analysis, as hopefully your third-party vendor gets an outside cyber expert to pore over their systems, the activity logs, etc., to give them a clear (or as clear as possible) picture of the events and what data might have been accessed or exfiltrated. Again, information is likely to be slow in being shared, due to the perceived risks to the third party. It may be that they have nothing to offer beyond that which has already been shared.

Again, it's back to risk-based decision making in relation to comms. What needs to be shared, with whom and when? This will very much be determined by the nature of the incident itself, with a major incident where data has been exposed needing urgent communications, whereas an incident which resulted in an IT outage but no data loss may not. My key advice here is to ensure logs of activity and decision making are kept so these can be used in later review. Knowing who contacted whom, when they contacted them and the reasoning behind decisions can be very valuable in establishing the reasonableness of actions taken, should the context of the incident change or should new information become available.

Wash up

There will then be a point where the third party will consider the incident closed and where update pages, etc., put in place in relation to the incident may stop being updated or may even be removed. At this point there should be some summary of the learnings from the incident and of future changes in processes, security measures, etc. If you don't receive such an "after action" report then it is important to press on this matter. You are unlikely to receive much specific detail on the incident; however, you should at least receive a broad description of the issue plus some evidence of planned measures to prevent recurrence, and therefore some reassurance that lessons have been learned and that actions are being taken.

Conclusions

“Hope for the best but prepare for the worst”

For me the key thing is to prepare for these kinds of incidents in advance, and not just in terms of IT support staff, but in terms of the wider staff body. A desktop exercise where a virtual scenario is played out is the easiest way to achieve this, with SLT and other key staff involved. At the end of such an exercise all need to be clear that, in the event of a serious incident, although we want quick resolutions these are often impossible or inadvisable, with police, insurers, regulatory bodies and cyber security experts all likely to contribute their views on what should happen and when. Constantly phoning IT for updates is only likely to slow the process down. We all need to be ready for and aware of the likely slow nature of the painstaking initial investigation and the even more painstaking, or is that painful, recovery operations. We also need to be clear about what may or may not be possible as we seek to return to "normal" following an IT incident.

That said, we also need to be proactive in identifying data which might potentially be impacted, preparing communications, preparing contingency measures and otherwise being as prepared to deal with the incident as best as is reasonably possible.

As technology becomes more and more important to the operation of our schools, I suspect we need to spend more and more time on preparing for the eventuality where it goes wrong, with cyber incidents being an increasingly likely source of this eventuality.

Phishing de-evolved

Phishing emails change over time as cyber criminals seek to change their approaches to improve their success rates and achieve better outcomes. That means that the type of phishing emails schools and their staff have to contend with has changed over time. As such, I would like to share some observations on the changes I have observed.

Let's go back a few years, but not too many, so maybe 6 to 10 years. At this point I remember receiving phishing emails but finding them reasonably easy to recognise. The below, for example, was an Apple-based phishing email.

The identifiers are reasonably clear in the spelling and grammatical errors and in the lack of branding, not to mention the email address. I note it conveys a sense of urgency, an important tool in a cyber criminal's arsenal; however, being purportedly from a known organisation, it relies on being believable, which to most users I don't believe it was. That's not to say that some people wouldn't fall for it, as we are all susceptible to errors or momentary lapses in concentration.

Fast forward a few years and the cyber criminals got much better at making their phishing emails believable, branding their email appropriately and even copying the styles of common productivity suites and other commonly used tools.    The below are just two examples:

Although these malicious emails were successful for a while, the issue here is that they have become common and therefore users in general are more cautious around them. Again, some people will click on links, etc., but most now either ignore them or treat them with great care. Now the common nature of these types of emails may be part of the story as to why I don't believe we fall for these emails quite as often; however, I also acknowledge that phishing awareness training materials have increasingly focused on these types of emails, building up an awareness of the need for care. So where next for phishing?

More recently I believe I have seen an increase in very simple emails rather than the branded type. The simple emails are more akin to the emails from 10 years ago, although they are actually even simpler and more basic. Being simple and basic, they remove the grammar and spelling errors as they contain limited text. They also tend to be made to appear to come from known individuals such as colleagues, so they remove the issue of branding. Additionally, due to their simplicity, they are different from the big, branded phishing emails, so they are less likely to set off users' phishing "spider-senses". The below is just one example:

Here the limited information allows users themselves to mentally fill in the blanks as to why this particular colleague might be contacting them and what this might relate to, and you would be surprised just how many of us can come up with a valid reason for a random colleague, friend or other acquaintance to reach out in this way. It goes right back to the psychology of urgency and also FOMO (fear of missing out), using this rather than technology to seek to entrap users, a technique that cyber criminals have tended to be good at. In the above case the telling indicators of a phishing email continue to be the email address itself, and the need to look beyond the display name, and also the unexpected nature of the email, which should also be seen as an alarm bell.
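The two indicators named above, a display name that does not match the real sender address and a short message leaning on urgency, are checkable by machine. The following is an added example (not from the post) of a simple triage rule over constructed messages; the organisation domain, staff directory, urgency words and word-count threshold are all assumptions.

```python
import re
from email.utils import parseaddr

ORG_DOMAIN = "example-school.test"  # constructed
# Constructed staff directory: display name as it appears in the address book -> mailbox.
STAFF_DIRECTORY = {
    "Jane Smith": "j.smith@example-school.test",
    "Head Teacher": "head@example-school.test",
}
URGENCY_RE = re.compile(r"\b(urgent|urgently|asap|now|quick|are you available|reply)\b")
SHORT_BODY_WORDS = 40  # assumed threshold for the near-empty messages described in the post


def normalise_name(name: str) -> str:
    """Lower-case, letters and spaces only, so 'JANE  SMITH' and 'Jane Smith' compare equal."""
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())


def inspect_message(from_header: str, subject: str, body: str) -> list:
    """Return the indicators found; an empty list means nothing suspicious was seen."""
    display, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rsplit("@", 1)[1] if "@" in address else ""
    known = {normalise_name(n): a for n, a in STAFF_DIRECTORY.items()}
    claimed = normalise_name(display)
    findings = []
    # Display name impersonation: the name is a colleague's, the mailbox is not.
    if claimed in known and domain != ORG_DOMAIN:
        findings.append("known staff display name but external sender address")
    elif claimed in known and address != known[claimed]:
        findings.append("known staff display name but address differs from the directory")
    # The 'fill in the blanks' pattern: little text, but an urgency or availability cue.
    if URGENCY_RE.search(f"{subject} {body}".lower()) and len(body.split()) < SHORT_BODY_WORDS:
        findings.append("short message with an urgency cue")
    return findings


SAMPLES = [  # constructed messages: one impersonation attempt, one genuine internal email
    ("Jane Smith <jane.smith.1984@webmail-example.test>", "Quick request",
     "Are you available? I need a favour now, reply on this address."),
    ("Jane Smith <j.smith@example-school.test>", "Minutes",
     "Attached are the minutes from yesterday's meeting."),
]


def triage(samples) -> list:
    """Return (from_header, findings) for every sample that raised at least one indicator."""
    flagged = []
    for from_header, subject, body in samples:
        findings = inspect_message(from_header, subject, body)
        if findings:
            flagged.append((from_header, findings))
    return flagged


if __name__ == "__main__":
    for sender, findings in triage(SAMPLES):
        print(sender, "->", "; ".join(findings))
```

A rule like this is a prompt for the user to look at the address behind the display name, not a verdict; the post's point that an unexpected message from a colleague is itself an alarm bell still needs a human.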

For me, looking back, it would appear that phishing emails evolved from basic emails to more complex and convincing branded constructions. They are, however, now "de-evolving" back to simplicity, taking advantage of psychology and also of the ever busier world we live in, and in education, given the pandemic, I don't believe things have ever been busier.

I also think it is important to acknowledge that the first sentence of this post, regarding cyber criminals "changing their approaches" and seeking to "achieve better outcomes", would be at home in an email or document from a corporation or other organisation seeking to improve its success. Cyber criminals are behaving in an almost business-like manner and, given this, we can only expect their approaches to continually change and adjust as technology, user awareness and user training develop. For the foreseeable future I suspect we will be continually engaged in a game of phishing "whack-a-mole".

So, what do we do about this?

I continue to believe that user awareness is the key. The more users are aware and vigilant the better. Additionally, users need to be clear on how to report concerns or incidents, and the culture needs to be such that users feel safe in reporting when they get it wrong. My view is we are all likely to get it wrong at some point, if we haven't already!

Cyber security and data protection awareness can't be seen as a static programme, a set training package or a yearly training session. It is dynamic, ever changing and ongoing, much in the same way the attacks are; we need to see it this way and seek to deal with it with a similarly dynamic and constantly evolving approach.

A cyber framework for schools

Over the last couple of years in particular I have been thinking about cyber security in schools and what schools need to be doing in relation to keeping their users, systems and data secure.   The issue I come up against is that there are a number of key variables which play on decisions reached in this area.  

Context

First there is the context a school operates in. The available budget, for example, will have a significant impact on what is or is not possible in terms of cyber security. And before anyone says it, I know money isn't the most important thing here; it should be student and staff online safety and the safety of their data. That said, a school is a place for learning, and would we do less learning in order to be more secure? This leads me on to my later point on risk appetite. Also within the context will be the number of students and staff, the volume and type of data being stored, the school's approach to technology (BYOD, school-issued devices or limited IT labs), etc. Each piece of the context impacts the decisions which need to be made regarding cyber security.

Risk Appetite

This is key and I think something all schools need to discuss at a senior leadership level, with a clear statement of risk appetite being established.   Basically, this is the balance of benefit against risk that the school is prepared to accept in its use of technology.    We might choose to allow BYOD because it is more flexible for users and cheaper than school-owned devices, but it introduces lots of devices not managed by the school, which comes with a cyber risk.    We might choose to allow users to create their own Microsoft Teams to support flexibility, versus locking this down and centrally creating everything, which is less flexible but more secure.   Time and time again we come up against decisions which balance benefits and risks, and our risk appetite will dictate how much risk we are generally willing to accept.   A greater risk appetite will generally result in greater flexibility and agility, and therefore a greater ability to respond to change, whereas a lesser risk appetite will likely limit flexibility and agility, but also limit risk.

Cyber Framework

Given the above, and how this impacts each school differently, I decided that my approach should be to create a rough framework focusing on the things I believe all schools should do in relation to cyber security.   I also created a further section for those schools where additional resources are available or where additional risk factors may exist.

You can view the framework below:

Some additional points

Now, since creating the framework I have had some feedback online which I thought I would address.    One point raised with me was the exclusion of web filtering for safeguarding from my framework.   I considered this but excluded it, as my focus was on cyber security and I deemed web filtering to sit better under safeguarding.   That said, web filtering which blocks dubious sites offering illegal streaming of sports events or movies would have a positive cyber security impact in protecting users from potential malicious code which may exist on such sites.

Change management was also raised with me.  This could sit under the process or document headings, in that there should be a documented and auditable change management process to prevent unauthorised changes, which may introduce additional risk, from occurring.   Such a process is very important indeed, however it is often lost in the need to solve problems and quickly adapt to changing situations in schools.

Asset and configuration management was another area that was suggested.   This highlights the need to know what assets a school has and how they are set up.   This is likely to be very important in the event of a cyber incident, both in terms of isolating the issue and in terms of the recovery process.   The more we know about a school’s setup, the quicker decisions regarding actions can be taken.

Physical security, particularly in relation to servers and storage but also in relation to devices, was also raised.    The theft or loss of devices is something we need to increasingly consider.   In the event of loss or theft, will the data contained on the device be secure, and is it possible to remotely disable or even wipe devices?     Generally, though, I feel this area is getting easier to address.

Conclusion

I don’t believe this framework is perfect however my hope is that it is at least a good starting point for schools to check their approach to cyber security and to decide on some next steps.   I also hope it starts discussions in school, noting that no sooner had I posted the first page, than suggestions, such as the above, arrived in terms of how it might be improved.   

I suspect I will need to revisit this framework as the cyber threats change and evolve over time but in the meantime, I think it’s a good start.

Building user awareness

When thinking about cyber security, the area I always put first is developing user awareness of the risks and of what they need to do should they make an error.  Given that most data breaches tend to have user involvement at some point in the incident, often at the beginning, it seems logical to focus first on user awareness, but how do you build user awareness in a busy school?

The old inset model (Compliance)

This is the model by which the training is put on once per year, likely at the start of the year, with everyone in the school required to attend.   For me this approach is more about compliance than about improving awareness or understanding.    It makes it easy to prove that all users have been “trained”, as you can point to an attendance sheet for example, however in the busy world of schools it is likely that a fair part of your audience will be focussing on other tasks rather than the content being presented.   It doesn’t necessarily result in users being more informed and aware of cyber risks than they were prior to the session.  This approach also fails to take into account the constant evolution of cyber threats and the cyber threat landscape.    As such, this model of the once-per-year training event is no longer sufficient on its own, although it still makes for a useful approach when combined with other approaches.

Regular communications and updates

My favoured model of cyber awareness development can be summarised as “little and often”.   I make use of the school’s regular bulletin to share examples of phishing emails received in the school, plus tips on how to identify them.  I am increasingly making use of video to share short presentations of 3 or 4 minutes outlining emerging risks or emerging trends.    The key for me is to make cyber security awareness content something that all users consistently come into contact with on a weekly basis.   Hopefully by doing so they will be more conscious of the risks.  Basically, I am using the availability bias to hopefully develop user awareness.

One important thing to note here is to vary the content, as if the content is always the same it may eventually become ineffective.  As such I use a mix of my own video content, NCSC and other cyber organisations’ video content, written content with annotated screenshots and even the odd cyber security sea shanty (see here for the cyber sea shanty if you are interested).

Testing

One of the big things about awareness development is being able to test that it is working.    If your training is about compliance, the only test you need is to check that your attendance list has everyone’s name on it, but if you are truly after user awareness development you need to check that users’ awareness has actually developed.   An easy approach to this might be a simple short quiz included alongside new awareness content, with a focus on helping users identify what they don’t know rather than centrally recording scores.   A centralised focus on these scores is once again more about compliance than about the actual users and their development.   An alternative approach might be regular phishing awareness tests to see whether users fall for a phishing email, or whether they report it.   A falling number of users falling for such tests, and a rising number of users reporting emails to IT teams, both represent improvements in user cyber awareness.

Fear of reporting

Another big challenge is trying to ensure users understand the importance of their vigilance and care in relation to cyber security, and the size of the risk to them, to the wider staff and students and to the school/college as a whole.    This needs to be balanced, though, against creating fear in users to the point that they are either reluctant to use technology or reluctant to report concerns or issues.

For me encouraging people to report is critical both in terms of quickly identifying any issues, but equally importantly in terms of identifying misunderstandings or near misses.   From this information we can refine training and awareness development approaches.    We can basically seek to use the ongoing reports to continually learn and develop as an organisation, in relation to cyber security.

Conclusion: Building a culture (The long road)

It still worries me that some organisations continue to treat cyber security, and also data protection, as a compliance issue.   For me this is a shallow approach.  The true challenge should be to develop user awareness such that we shouldn’t need to be too concerned about compliance.

Awareness development in my view isn’t a single training session, or even a number of training events, tests, etc. over the course of a term or academic year.   It’s a longer-term project.    It’s about building a cyber security culture, which isn’t a matter of days or months but is best measured in years.    As such, the sooner we all get started with this the better.

Some cyber thoughts

I once again have recently read of a group of schools suffering from a ransomware incident.   It is sad that this has happened and even more so as we head to the release of exam results over the next few days.   So, what can schools do to try and stay safe?

Somewhat clichéd, I know!

Accept you can never do enough

I think this is very important.   Although IT teams will seek to keep things as secure as possible given the available resources, including budget, etc., it only takes a single moment where a user isn’t focussing and falls for a phishing email.   Equally, if you are being targeted by a skilled and determined cybercriminal, it is likely they will succeed in gaining entry to your network.    A favourite phrase of mine is that the school/organisation needs to get it right in relation to cyber security every single day, whereas a cyber-criminal only needs to get it right once.    This needs to be understood particularly at governor and senior management level.    We need to approach cyber from a risk management point of view, conscious that risk will always exist and therefore all we can do is seek to be aware of the risks and to reduce them where possible.

Staff awareness training

I am putting staff awareness training near the top of my list of things to consider given almost every incident or breach has human involvement near the beginning, with this often being weak credentials or a user falling for a social engineering attack such as a phishing email.    As such one of the key defensive measures is to engage all staff and make them aware of their responsibility for cyber security, the risks and what they can do to limit these risks.    It is very much about making everyone that little bit more aware and cautious but not making them so scared or frightened that they then don’t report issues or concerns.   

The slot in inset training at the start of the year is insufficient.   The awareness training needs to run throughout the year and be delivered on an ongoing basis.  I find short 3 to 5 minute videos are ideal for this, as they take a limited amount of time and, because of that limited time, need to be quite focussed on a single risk or behaviour.   But even this then needs to be augmented, possibly with tips and tricks in regular emails or in any briefing/newsletter the school might produce.   I find using real-life examples, including phishing emails actually received, also helps as it adds context.   It is also critical to ensure that all users know what to do when things go wrong, such as where they spot unusual activity on their account or where they believe they may have given their credentials away following a phishing email.

The basics: least privilege, backups, email filtering, warnings, etc.

I am not going to cover the “basics” in any great detail, as I am going to take them as read.    Schools should however be ensuring access to systems is provided on a least-privilege basis, thereby ensuring only those who really need access to specific data have it.  Backups are also key, especially against ransomware, so off-site or disconnected/cold backups are important, in particular where they leave no or limited potential for a cyber criminal to access and corrupt the backups should they gain access to the school network.   Email filtering is another basic to consider, hopefully reducing the amount of spam and phishing email which makes it through, and also protecting users against malicious links or attachments.   Linked to email is the adding of alerts to prompt users when handling email, so that they can see where a sender is external, or a prompt before an attachment is sent. These little prompts might just reduce the number of accidental data protection incidents which may arise.

The above are just some of the basics which come immediately to mind.  They are far from exhaustive, but hopefully give an idea of some of the things we should be making sure we are doing to protect school systems and data.

Move to the cloud

There was previously a concern regarding the security of the cloud and a false belief that keeping data on premise was more secure.   Now I will admit that there may be some data which is better on premise, however for the majority of data I believe the cloud is the best place.    In our schools we cannot match the tools and expertise which cloud providers have to protect the data they store.  For example, the benefits that Advanced Threat Protection (now Microsoft Defender for Office 365) brings where you are storing data in Office 365.  Equally, the benefits in terms of eDiscovery tools in the cloud in relation to Subject Access Requests are another reason why the cloud is preferable to trying to store your data on site.

Incident preparation

As I said at the outset, we need to accept that we can never do enough, meaning an incident is inevitable.   With this in mind it is critical to prepare for these inevitable incidents.  This means, at the very least, running through desktop (tabletop) scenarios and examining the actions and processes which you will need to put in place.   This will hopefully mean that when an incident occurs you are more prepared and staff know what to do.   In particular it is important to test your backup recovery processes.  Having backups is only worthwhile if you can get them back when needed, so we need to ensure we are able to do this when it counts.
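The restore test described above, as an added example (not code from the original post): it builds a small constructed dataset standing in for a school file share, archives it, restores the archive into a clean directory and compares a SHA-256 manifest taken at backup time against the restored files, so a backup that does not actually come back intact is caught rather than assumed. The directory names, file contents and function names are my own assumptions; a second run deliberately tampers with one restored file to show the check firing.

```python
"""Backup restore drill: back up, restore elsewhere, verify by hash.

Added example, not part of the original post. Sample data is constructed
here; paths and function names are assumptions for illustration.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each file (path relative to root, POSIX separators) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive `source` and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def restore(archive: Path, target: Path) -> None:
    """Extract the archive into `target`, using the safe 'data' filter where the
    Python version supports it (it refuses absolute or parent-escaping paths)."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(target)


def verify_restore(expected: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare the restored tree against the backup-time manifest."""
    actual = manifest(restored)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        "corrupt": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
    }


def build_sample(root: Path) -> Path:
    """Constructed sample data standing in for a school's file share."""
    src = root / "share"
    (src / "pupils").mkdir(parents=True)
    (src / "pupils" / "class1.csv").write_text("name,year\nA Pupil,7\n")
    (src / "policies").mkdir()
    (src / "policies" / "aup.txt").write_text("Acceptable use policy\n")
    return src


def run_drill(tamper: bool = False) -> dict[str, list[str]]:
    """Full drill in a temporary directory. With tamper=True one restored file is
    altered after extraction, to show the verification catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = build_sample(root)
        archive = root / "backup.tar.gz"
        expected = make_backup(src, archive)
        restored = root / "restored"
        restore(archive, restored)
        if tamper:
            (restored / "pupils" / "class1.csv").write_text("corrupted\n")
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("clean drill:   ", run_drill())
    print("tampered drill:", run_drill(tamper=True))
```

The point of the drill is the manifest: it is recorded at backup time and compared after restore, so a silently truncated archive, a failed extraction or a file altered in storage shows up as "missing" or "corrupt" rather than being discovered on the day the backup is actually needed.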

Culture

Cyber security needs to simply be something we all do in schools.    It needs to be something all staff are aware of in terms of their responsibility for cyber security, what they should and should not be doing and also, and possibly most importantly, what they should do when things go wrong.   It is also very important to create a culture where concerns, accidents or issues are reported quickly without fear of blame.     Creating the correct culture is far from easy and also takes significant time but with time and effort we can get to a point where staff talk about cyber concerns and issues, where cyber becomes a normal part of discourse in the staff room and around school, and where all are engaged with how they fit in, in terms of securing school data and systems.

Conclusion

The cyber security future for schools is in some ways certain and in others uncertain.  It is certain we will continue to see increasing levels of threat.   It is uncertain how these threats will evolve as cybercriminals seek to respond to the measures schools take to protect their data and systems.   We need to accept this and do all we possibly, but more importantly reasonably, can to secure school data and systems.   We need to be regularly reviewing our cyber security measures, practices and training and adjusting them to respond to changes in cyber threats, our schools processes and systems and the general environment we operate in.   

The importance of “reasonableness” mentioned above cannot be overstated, as the IT teams of schools need to be able to sleep at night rather than constantly worrying about cyber threats.     With this I would like to share a phrase I have used in the past which sums up my view on cyber security in schools:  the need for a “healthy paranoia”.

Reframing cyber costs in education

Schools and colleges need to focus their available funds on teaching and learning, and in the students within their care.   As such it can be difficult to justify significant spending on cyber security.   Investing in cyber security is investing in preventing the possibility, a chance, of a cyber incident occurring.   The challenge therefore is establishing a way to frame the costs in order to identify what represents good value.

Cyber security is all about risk management.   Every risk has a probability of occurring.   This might be 1 in 100, or 1 in 1000, or 1 in 1 million.    This is where the difficulties in justifying spending on cyber security arise.    For the last 10 years an institution may not have suffered any significant incidents.   As such, how can the head of IT justify spending an additional £4000 or £5000 per annum on cyber security?    We are working from the point that it is more likely an incident won’t happen than that it will.   Viewed from the point of view of past experience, the institution has been fine for 10 years and, with the probability of an incident assumed to remain roughly the same, is likely to be fine in the next 10 years, excepting this small probability.    So, stay as is, or spend £40,000 to £50,000 over 10 years to provide additional protection just in case?   Viewed from this point it may be difficult to justify the spend, especially if the overall budget for the school is low.

Let’s take a more mathematical approach to the problem. Take approximately 25,000 schools in the UK, where I am aware of around 20-25 which have experienced a cyber incident this year.   Let’s assume I am aware of only a small proportion of the schools which actually experience incidents, say 10%.   So, let’s take a rate of 250 incidents per 25,000 schools, or 1 in 100 per year.   At this point, rather than looking at the chance of an incident occurring, we are assuming that an incident is expected to occur within a given period.  Taking this rate, over 100 years each school in the UK would on average expect to have been hit once.   If hit, let’s make an assumption that the cost would be £250,000 to recover (this is very much a guess figure and would depend very much on the size of the school, its type, complexity, infrastructure, etc.).   Taking the probability of 1 hit every 100 years, with each hit costing £250,000, this means the approximate annual equivalent cost would be £2500 per annum.   The cost for the additional protection is looking a little better at this point.    All it would take to match a £4000 spend is for the recovery cost to grow to £400,000, or for the probability of a hit to increase to 1 in 62.5 rather than 1 in 100 schools.
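The calculation above is the standard annualised loss expectancy (ALE = annual rate of occurrence × single-loss expectancy). As an added example, not from the original post, the following works it through with the post’s own figures (25,000 schools, 25 known incidents scaled up for an assumed 10% visibility, £250,000 per incident, £4,000 of extra annual spend) and solves the two break-even questions at the end of the paragraph. It also goes one step beyond the text: with a constant 1-in-100 annual rate, the chance a given school is hit at least once in 100 years is about 63%, not 100%, so "on average once a century" is the honest reading. Function names and the `visibility` parameter are my own.

```python
"""Annualised loss expectancy (ALE) worked through with the post's figures.

Added example, not code from the original post. The numbers are the post's
stated assumptions; function names and the 'visibility' parameter are mine.
"""
from fractions import Fraction


def incident_rate(known_incidents: int, population: int,
                  visibility: Fraction = Fraction(1)) -> Fraction:
    """Per-institution annual rate of occurrence (ARO).

    `visibility` is the assumed fraction of real incidents that become known
    (the post assumes 10%), so known incidents are scaled up by 1/visibility.
    Kept as an exact Fraction so '1 in N' reads off directly.
    """
    return Fraction(known_incidents, population) / visibility


def ale(rate: Fraction, single_loss: float) -> float:
    """Annualised loss expectancy = ARO x single-loss expectancy (SLE)."""
    return float(rate * Fraction(single_loss))


def break_even_loss(rate: Fraction, annual_spend: float) -> float:
    """Recovery cost per incident at which the ALE equals the proposed spend."""
    return float(Fraction(annual_spend) / rate)


def break_even_one_in(single_loss: float, annual_spend: float) -> float:
    """The '1 in N' rate at which ALE equals the spend: N = SLE / spend."""
    return single_loss / annual_spend


def chance_within(rate: Fraction, years: int) -> float:
    """Probability of at least one incident in `years` at a constant annual rate.

    1 - (1 - p)^n: for p = 1/100 and n = 100 this is about 0.63, which is the
    caveat to reading '1 in 100 per year' as 'certain within a century'.
    """
    return 1 - (1 - float(rate)) ** years


if __name__ == "__main__":
    rate = incident_rate(25, 25_000, Fraction(1, 10))  # 25 known, 10% visibility
    print(f"rate: 1 in {1 / rate} per school per year")
    print(f"ALE at £250,000 per incident: £{ale(rate, 250_000):,.0f}")
    print(f"recovery cost that justifies £4,000/yr: £{break_even_loss(rate, 4_000):,.0f}")
    print(f"rate that justifies £4,000/yr at £250,000: 1 in {break_even_one_in(250_000, 4_000)}")
    print(f"chance of at least one incident in 10 years: {chance_within(rate, 10):.1%}")
    print(f"chance of at least one incident in 100 years: {chance_within(rate, 100):.1%}")
```

The same functions let a school plug in its own visibility assumption and recovery estimate, which is where the real disagreement usually sits: halving the assumed visibility doubles the rate, and therefore the ALE, with no change to anything else.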

For me the key thing is to move from a position of looking at the chance of an incident happening, where we assume it is more likely an incident won’t occur, to a position of “not if but when”.   At this point we are accepting that an incident is expected to occur within a given time period; we just don’t know when.   With this viewpoint we can start to make a more reasoned judgement on costs.    We can also factor in the school’s risk appetite, with a school with a high risk appetite likely to choose to underestimate the probability of an incident, while one with a low appetite for risk is likely to overestimate it.

We very much need to reframe how cyber risk and cyber security investment is looked at.   Hopefully the above presents at least one possible way to do this in an easy but yet meaningful way.