TEISS London 2023: Reflections

During September I managed to find myself in two industry level cyber/info security conferences, one of which I have already blogged about (See here). This post focusses on the other event, being the TEISS London 2023 event which was a little more focussed on incident management rather than the previous event which was a little more generic. So, what were my take-aways as relevant to education?

Incident Response

One of the key discussions across this particular event was in relation to the inevitable cyber incident and therefore the need to prepare. Discussions arose around desktop exercises, the development of incident response playbooks and disaster recovery plans. The key take-away for me was in the need to play through potential cyber incidents and to do this regularly. We are not talking about once every few years, but as often as can be managed so that the relevant staff, both senior and IT technical, know how to respond when the inevitable issue arises. The need to carry out these desktop exercises with different groups of individuals, in order to ensure that all are prepared, was also discussed. Desktop exercising is definitely something I want to look towards repeating in the coming months, and building a process so that it doesn’t occur ad-hoc but more as part of a regular process allowing for the review and improvement of the related processes with each test.

Concerning external factors

One of the presenters went into the risks associated with geopolitical issues, where issues in the geopolitical space often result in corresponding issues in the cyber arena. From a school’s point of view it is easy to wonder why this makes a difference; why would a nation state or similar focus on education? I think the issue here is not so much an attacker focussing on education, but on the collateral damage which might impact education. Now this collateral damage might be accidental, however we also need to acknowledge the increasing use of cloud services; this often means data and services hosted in various countries across the world, so what is the potential risk where countries have disagreements and where some aggressive activity online results? It is easy to say your school exists in Europe or the UK so this is unlikely, however the presenter demonstrated some aggressive cyber activity even within the UK and EU, so it therefore isn’t unpredictable that this may happen again in the future. For schools this means, as far as I am concerned, that we need to continue to do the basics plus prepare to manage an incident when it occurs.

Artificial Intelligence

AI once again factored in the discussion, however at least one presenter suggested that where we are now is more akin to Machine Learning than AI. I suspect this depends on your definition of both terms, with my definition having ML as a subset of AI. The key message here was that the current instance of AI, generative AI, presents rather generic responses but quickly. Its benefit, whether used for defence or attack, is its speed and ability to ingest huge amounts of data, however it is only in pairing with a human that it progresses beyond being “generic”. In the future this may change, as we approach the “singularity”, however for now and the near future AI is an assistant for us and for criminals, but doesn’t represent a significant innovative change in relation to cyber security; good security with AI is little different to good security prior to generative AI.

Human Factors

The human factor and culture were a fair part of the discussion. The cyber culture and “the way we do things around here” in relation to information security is key. We need to build safe and secure practices into all we do and at all levels; easier to say than it is to do. This also links to the fact that humans, and the wider user group which in schools would be students, staff, parents, visitors and contractors among others, continue to be involved in around 74% of breaches. This means it is key that cyber security awareness training needs to hit all of these users and be regular rather than a once-a-year exercise. Additionally, if we assume we will suffer a cyber incident, how do we protect our IT staff and also those senior staff involved in incident response and management? The stress levels will be very high, and as a result self-care may be lacking, but schools and other organisations have a duty of care for their staff, and during a cyber incident that duty of care may become all the more important. This is why, in my team anyway, I am introducing a role of “chief wellbeing officer” as part of our incident response plans.

Conclusion

The organisations at this particular event, similar to the previous cyber event, were generally large corporate entities, yet for me the messaging may be all the more important for schools given we hold student data and student futures in our hands, and given the targeting of educational institutions. How do we get more schools to attend these events? I suspect events like these fall into the important but not urgent, where fixing a server issue or a device issue in a classroom is urgent and important, but then how do we ensure that school IT staff are prepared and preparing for cyber incidents? Chicken or the egg issue maybe?

Cyber incidents are inevitable and I have always said that “the smartest person in the room is the room” so if we can share with industry where I believe they have much more experience in this arena, then maybe we, as in schools, will be all the better for it.

TEISS European Information Security Summit

I try to step outside education at least once each year, looking at the bigger technology world by attending an industry event. The most recent of these was the TEISS European Information Security Summit on 23rd Feb in London. I feel it is important to keep up to date with the wider technology world to sense check my thoughts and ideas and to benchmark technology in education against technology in other sectors. During the course of the event it was interesting to have discussions with a diverse range of industries including highly regulated industries like banking. Hearing that they suffer similar issues to education, such as shadow IT or issues identifying responsibility for data, but at a much larger scale, was reassuring.

Given below are some of my takeaways and thoughts from the various sessions and discussions I had throughout the course of the conference.

Budgets and Cyber

One of the first takeaways from the event related to cyber security and budgets. It was presented that cyber budgets and cyber spending have been on the increase for a number of years. It was also however indicated that the volume of attacks and the size of attacks continue to increase. For me this suggests that more budget, including more staffing associated with additional budget, does not necessarily solve or improve the situation in relation to cyber. From the point of view of schools and colleges this is important given the limited budgets available. I think this highlights the need to start approaching cyber and cyber risk a little differently, including possibly being more accepting of the fact we will never reach 100% secure, and therefore accepting cyber as a journey and simply trying to focus on our key “business” assets and on continual improvement in relation to cyber security in whatever form this may take, including where this may be simple and small improvements.

Gamification

User awareness and cyber security culture was one of the three main streams offered at the conference, with one session looking specifically at the potential use of gamification in relation to cyber security awareness training. It is true that often cyber security and other online training can be a boring process of reading a screen of text and clicking next repeatedly before completing a test at the end. Clearly not an engaging experience and therefore possibly an experience where little long term or deep learning takes place; we may remember for long enough to answer the test at the end, but ask the same questions a week later and I suspect the retention of the content will have dropped to very low indeed. So this is where gamification comes in. The presenters identified two types of gamification, being content or structure based. In content based gamification the content is presented as a game. In structure based gamification the content is the same but includes some sort of leader board, prize or other enticement to engage users. As the session was presented I was thinking of the potential of doing a Kahoot quiz with heads of department where they need to identify whether emails are trustworthy or not, for example. I also thought about some sort of competition between departments, so maybe a quiz or phishing test which results in a cyber score which can be reported and compared with other departments. This is one area I will certainly be looking into in the short term to see how I can try to gamify user awareness materials and processes, and to see what impact that has.

Civic duty rather than organisational cyber security awareness

Another point that was made during the conference was to engage people on security awareness beyond simply keeping the organisation’s data secure, but to accept that we can also deliver a civic benefit in making users more secure, both personally and also professionally. Where we seek to do this we are more likely to engage users and have them learn from awareness programmes, plus additionally we address the risk of a personal cyber incident potentially impacting on the school or other organisation anyway. Take for example the compromised personal mobile phone: it may have organisational email on it or info about the individual which could be used in crafting an attack against them in their professional context, among other data which could pose a risk to the organisation.

Regulation as a change agent

One of the panel sessions I attended involved discussion of change and of compliance with security standards, change processes, etc. From a school and college point of view this can be difficult as although policies are in place sometimes these will be overlooked, and busy staff, both teachers and support staff, as well as students, may fail to engage with requirements or training around cyber security. One of the panellists in the session highlighted that this wasn’t an issue in financial technology (FinTech) due to the nature of the business being heavily regulated, meaning the penalties for non-compliance, for both the individual and the organisation, can be quite extreme. Taking this insight and applying it to education got me thinking of the potential for the DfE to set requirements and of ISI and Ofsted to then include this within the inspection requirements. Now the release of the DfE standards is a small step towards this, however I suspect that is about as far as things will progress, which without any monitoring or penalties for non-compliance, is very limited in terms of impact.

Cyber insurance

There was a good session discussing cyber insurance with a very clear take away. The session talked about how the cyber insurance market has seen policy costs increase along with greater requirements to get insured. The questionnaires which you need to complete were a particular focus of discussion, in that some of the questions are not easy to answer or not appropriate in a given context. I have never really thought about this, however the panel highlighted that the purpose of these questionnaires is for the underwriters to get a view of the risk in order to provide their proposal. As such if the questions don’t make sense, it is the underwriters which we need to discuss this with to find out what it was they were hoping to find out from a given question. Apparently the underwriters often don’t have access to client information, with this handled by the broker, so it is for the client, the school or college, to request a discussion with the underwriter and to initiate dialogue.

Conclusion

Cyber security seems to me to very much be a business risk, including where that business is the education of students. As such it impacts all organisations, albeit the scope of impact and the scope of risk varies. This means there is a lot to gain from sharing experiences and ideas across sectors rather than just within sectors. Having attended this industry focused information security event, where I think I may have been one of very few from the education sector, I came away with a fairly long list of ideas and things to try.

But if I am to leave this post with one thought it is that maybe we need to get past the doom and gloom of cyber and become more accepting of doing what we reasonably can and of seeking to constantly improve, even where these improvements might only be small and minor; it is about risk management. Any progress in the right direction is progress after all.