
The question of this post is not an easy question to answer. On one hand, if I show an optimistic viewpoint, I may be seen as downplaying the issues and the challenges which impact schools. On the other hand, if I am pessimistic, I may be seen as portraying a no-win scenario, a scenario so bleak that it doesn’t really bear thinking about. So, I am going to do my best to thread the needle of this challenge and strike a balance between unrealistic optimism and nihilistic pessimism.
Increasing technology use
Schools are only going to make use of more and more technology as we seek to try and do more with less. We seek efficiencies, we seek to solve a workload challenge, we seek to continually improve, and in all of this we will continue to make use of more and more technology. And as we use more technology, our technology footprint, our data footprint, the number of integrations and systems used, and our overall risk as related to technology use will only increase. I find it difficult to see any other option. My risk when I was younger, using a standalone PC without an internet connection and a limited number of bits of software, was lower than it is today, where I use multiple laptops and desktops, a mobile phone, home assistant, smart TV and other devices, complete with way more applications. The direction of travel is undeniable.
Increasing ambient cyber risk
Additionally, the ambient risk of cyber incidents will only continue to grow, whether they are the result of nation states, either directly or more commonly indirectly, of the script kiddies in our schools or, much more likely, of cyber criminal efforts to generate profit. I have attended industry cyber conferences in consecutive years and this has been the message for a number of years, with this again likely to only continue. And where there is increasing technology use, and the potential for criminal gains is therefore increasing over time, it should be unsurprising that criminals will seek to grow and develop their technology-focussed attacks, and therefore the general risk continues to grow. Regulation and legislation help little here as technology operates across national borders, so laws and penalties for misuse just see criminal enterprises moving their efforts, resources or even themselves to nations which are more accepting of their activities, or which maybe even turn a blind eye. This is also paired with the increasing focus on individual privacy in technology solutions, even where this privacy is also applied to criminals such as those engaged in sharing child sexual abuse material. Sadly, communications technology is either secure or not; it can’t be secure for some but not for others.
It’s all doom and gloom?
So, what are the positives in this story? What balances out this negative picture? It would be easy, at this point, to see only the negative, to feel hopeless in the face of ever-growing risk and ever-growing compliance requirements. But we need to identify the benefits of the technology: the connectedness, convenience, benefits to creativity and problem solving, etc. Today’s technology allows me to do way more than I was capable of with my standalone DX2 66MHz PC from years gone past. I can communicate further and faster, can create content which is more detailed, complex and creative, solve problems quicker and much more.
Maybe this is the issue, that when discussing cyber we focus too much on the negatives and take our eyes off the positives. This can be very depressing indeed. But, technology supports, encourages and enables so much of what we can now do and as with most things in life there is a balance to be struck. Sadly, the counterbalance in this case is the cyber risk that is created. Considering balance, we could easily seek to reduce the risk simply by using less technology but is this something we are really going to do?
So, what can we “reasonably” do?
This is the crux of the matter: how we can manage the risk, assuming that using less technology isn’t an option. The answer to this, for me, is to do the basic cyber security tasks like patching, creating and testing backups, managing and limiting user permissions, managing and limiting the data you store and how long you retain it for, and developing user awareness regarding the risks. There may be a need to prioritise here, as schools may not have the resources to patch every server and every device. However, rather than focussing on the ideal and on what we haven’t or cannot do, we need to focus on what we have done. Each additional device or server patched is one less vulnerable device and therefore a net reduction in the overall risk. Every step, no matter how small, is a positive step.
It is also important to acknowledge that no matter what you do you will still suffer a cyber incident at some point in the future, so you need to prepare. Key to this can be running a desktop exercise to check for assumptions or issues in your response plan, plus to build up familiarity with the plan. This should not be an IT-only exercise, as a cyber event equally is not an IT-only event; it impacts the whole school. As such, stakeholders from across the school, including leadership, teaching and IT, should all be involved in the exercise and contributing their thoughts and ideas. The desktop exercise is a useful tool and far less invasive than going around unplugging servers to see what people do!
Conclusion
So back to my initial question, what does the future of cyber look like for schools? I think we will be continuing to do more and more with technology tools, being more creative, efficient, and interconnected, but this will sadly be balanced with an increasing cyber risk. But it is a balance, and I think that is my answer: the future of cyber for schools looks like maintaining a balance. In terms of managing this balance, it will continue to be about doing all we reasonably can based on the resources we have, focusing on continually reviewing our cyber security posture and approach and making the continual little steps to reduce, or at least manage, the risk.
It’s not a bleak, or an overly positive picture, but I think the above is a realistic and pragmatic picture!
Note: I avoided the overly simplistic picture of a person in a hoodie as my cyber criminal in this post. As was pointed out to me recently, this stereotypical view and lazy analogy is seldom helpful, including in our discussions of cyber security or cyber crime!