Cyber resilience is an issue impacting all organisations, be they schools, charity groups or enterprise organisations. It is with that in mind I attended the TEISS London 2025 event, an event focusing on cyber resilience and specifically, as per the conferences title, on resilience, response and recovery. It is always interesting listening to industry speakers talking of cyber security, plus hearing the thoughts from the NCSC among others. So, what were my take aways
Third party risk
Third party risk has been something I have been concerned with for a while. This includes companies which a school might use to provide online services such as learning platforms or even MIS services however, also includes companies which provide software which we may use, such as software or hardware to provide network monitoring or Wi-Fi or other functionality. The reality is that we use far more third parties then we tend to be immediately aware of, with each vendor representing some form of risk in terms of the effect if their service wasn’t available or if their service was breached, resulting on the loss of school data to the dark web. The TEISS event however widened my view to include the overall supply chain. Consider a cloud hosted MIS system for example. The vendor might use an external identity provider, a third party backup solution, an MDR solution and a separate bulk email solution, and we, as the user of the MIS may not be aware of which solutions they are using, and maybe the contract with the MIS provider requires they inform us of a breach, but do they need to notify us of a breach of a third party they use? And never mind just breach situations, do they need to notify us of vulnerabilities identified in the third parties they use? Remember, the school as the data controller is responsible for data even when being processed by a third party; How can we discharge our duties when we don’t actually know the risks? I feel we sometimes treat the use of cloud services as a way to shift the risk to them rather than the school, however all we can shift is the responsibility, the accountability and liability generally remains with the school.
Recovering identity services
In discussion of the recovery phase of an incident, the issue of identity services was raised. We might have all our data and our systems nice and backed up, and we may have tested these backups to make sure we can recover them but what happens when our identity services are compromised? How can we recover from backups when the identity services needed to authenticate are compromised and unavailable? I must admit I myself have spent a fair amount of time in considering backups and disaster recovery but this raised a new angle. Having break glass accounts is all well and good, but if our identity services have been compromised and even destroyed then these accounts are unavailable meaning we can’t get to our backups. Are we sufficiently prepared for rebuilding our identity environment, including rebuilding all the trust connections across different systems and services as required to mount a recovery and get things back working, even if only to a minimum viable environment situation.
Not if, but when?
We do tend to spend a lot of time talking about our protective and defensive measures, our AV, EDR, XDR, MDR, SOC and other two or three letter acronyms but these defences only give us a less than 100% probability of a successful defence. Looking at the probability of a breach or incident, if we look far enough into the future we approach a 100% chance that it will happen. So maybe this means we need to spend more than 50% of our time talking about how we manage the “when” it happens. And maybe the key here is not to treat a cyber incident as an IT or cyber issue, but as an organisational or school issue. It’s a school operations incident albeit one of the cyber variety. So, the question then becomes how do we manage the different critical aspects of a school if there is no IT available. Thinking on this, I think teaching and learning can easily continue in the short term without IT; Teaching worked for many years before we started adding tech to classrooms. The issues therefore are other areas of a school such as do the door locks work so staff and students can get in and out? Will payroll operate to pay suppliers and also pay teachers and other staff? How will we manage safeguarding without our safeguarding platform or the ability to easily ping emails back and forth? What about contacting parents if there are issues or even in general, if we don’t have access to our MIS? It’s about the key business or school processes and how they might work in a minimum viable environment without our usual IT systems.
Conclusion
So, it was a very enjoyable conference once again, although I will note it wasn’t without my usual train related issues which saw me arriving home two hours later than original planned due to delays; Why do I expect anything different?
Thinking back one of the key discussions in a group session focussed on culture and I think this is key. Cyber resilience, a term which has never fully sat well with me, is an ongoing battle against changing technology, evolving threats and evolving threat actors, as well as increasing internal risks as technology becomes more integrated and critical and as people are asked to become more efficient and do more, something which has a tendency to result in occasional errors. As such it is all about building the culture such that the risk is addressed by all and not just by IT or cyber teams. This is the ideal. The question therefore becomes, how can we engage our school communities in cyber resilience, in the same way we engage them in safeguarding? Is it time we stopped talking about cyber resilience in schools and started referring to it as digital safeguarding maybe?
Technology and Learning