BETT 2025: Cyber resilience and schools

On the Friday afternoon of BETT 2025 I had the opportunity to deliver a session on cyber security for education, called “cyber resilience and schools: let's get pragmatic”. Now I will admit I was a bit worried, with it being a day three afternoon session, whether anyone would turn up; however the session was very well attended, which was great. One thing I will note though is that when I asked about the roles of the various people in the audience, around 95% of them were from technical IT roles. I get why this would be the case, however I worry that this is symptomatic of cyber incidents still being seen as an “IT” issue rather than a school wide issue. When an incident happens, although IT will be the people working hard to resolve it, it will be the whole school which is impacted, including in relation to administrative tasks like registration and parental contact, teaching and learning, pastoral and wellbeing support and much more. Cyber resilience, or cyber security if you prefer that term, needs to be seen as a school wide issue, so my thanks and applause go to the small number of school leaders who attended my session, and I hope they found it useful.

My presentation broke down into four main areas: the current context of schools and cyber security, the need for risk assessment, the need for incident preparation, and the basics which schools need to be doing to limit risk, including reducing the likelihood and impact of an incident.

In relation to the context, it is pretty easy to see the impact and risk in relation to cyber and schools, with one school being forced to remain shut at the start of the first week of BETT due to a cyber incident. The ICO also acknowledged that reported incidents in 2023 had grown 55% over those in 2022. If putting a cost figure to things, cyber crime worldwide is estimated to reach $10.5 trillion this year. So cyber crime will definitely continue and will continue to hit schools. One key challenge for schools though is the limited budget available, both financially and in terms of staff resource, to tackle cyber risks and cyber resilience. This highlights the challenge for schools; however, I noted a discussion at an industry event where they talked of whether doubling cyber related budgetary spend might halve the risk, and the common consensus was probably not. So cries for more money, although money would help, would not solve the challenge.

It is therefore about risk management and balance. Schools can be more secure, but in doing so this might impact on flexibility, and therefore on the educational experience of students. We need to risk assess: identify our risks, their likelihood and impact, plus the mitigation we could put or have put in place, complete with any implications of such mitigation. Once we know our risks we can plan accordingly in terms of mitigation or incident planning.
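As an added illustration of the risk assessment step described above (this is not from the original session or its slides), the following Python sketch scores each risk as likelihood times impact, then selects mitigations within a limited budget and a flexibility tolerance, showing the balance the paragraph describes. All risks, scores, costs and budget figures are constructed sample values, not figures from the talk.

```python
from dataclasses import dataclass, field

@dataclass
class Mitigation:
    name: str
    cost: int              # budget units (money or staff time); constructed values
    likelihood_cut: int    # points removed from likelihood on a 1..5 scale
    impact_cut: int        # points removed from impact on a 1..5 scale
    flexibility_cost: int  # 0 (invisible to users) .. 3 (constrains classroom use)

@dataclass
class Risk:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (minor) .. 5 (school unable to open)
    mitigations: list = field(default_factory=list)

    def inherent(self):
        return self.likelihood * self.impact

    def residual(self, chosen):
        # Scores never drop below 1: no control removes a risk entirely.
        l = max(1, self.likelihood - sum(m.likelihood_cut for m in chosen))
        i = max(1, self.impact - sum(m.impact_cut for m in chosen))
        return l * i

def plan_mitigations(risks, budget, max_flexibility_cost=2):
    """Greedy plan: repeatedly buy the mitigation with the best risk reduction per
    unit of cost that fits the remaining budget and the school's flexibility tolerance."""
    chosen = {r.name: [] for r in risks}
    remaining = budget
    while True:
        best = None
        for r in risks:
            for m in r.mitigations:
                if m in chosen[r.name] or m.cost > remaining or m.flexibility_cost > max_flexibility_cost:
                    continue
                gain = r.residual(chosen[r.name]) - r.residual(chosen[r.name] + [m])
                if gain > 0 and (best is None or gain / m.cost > best[0]):
                    best = (gain / m.cost, r, m)
        if best is None:
            break
        _, r, m = best
        chosen[r.name].append(m)
        remaining -= m.cost
    return chosen, remaining

# Constructed sample register for a school; none of these numbers come from the talk.
SAMPLE_RISKS = [
    Risk("Ransomware via unpatched server", 4, 5, [
        Mitigation("Patch internet-facing servers", 2, 2, 0, 0),
        Mitigation("Offline, tested backups", 3, 0, 2, 0)]),
    Risk("Phished staff credentials leading to data breach", 5, 4, [
        Mitigation("Enforce MFA for all staff", 2, 3, 0, 1),
        Mitigation("Least-privilege access to MIS", 3, 0, 2, 2)]),
    Risk("Lost unencrypted laptop", 3, 3, [
        Mitigation("Full-disk encryption", 1, 0, 2, 0)]),
]
```

Running `plan_mitigations(SAMPLE_RISKS, budget=6)` ranks MFA, disk encryption and patching ahead of the costlier controls; tightening `max_flexibility_cost` to 0 drops MFA from the plan and leaves the phishing risk unmitigated, which is exactly the security versus flexibility trade-off leaders need to decide on.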

My next main point was the need to accept that cyber incidents are a “when” rather than an “if”, and based on this we need to prepare ourselves. For me this is where desktop exercises are useful: actually working through an example incident with colleagues to identify what needs to be done, by whom and when, plus to identify any assumptions which may have been made in terms of how an incident would be responded to. This was one of the exercises from my session; however the key value is in conducting such exercises in your own school, with a cross section of your own staff, so that the exercise can be tailored to the specific needs and context of the school. It is all about thinking through the processes in the safe environment of a desktop exercise rather than in the heat of battle during a real life incident.

The last section of my presentation, which may feel a little backwards given that I looked at risk management and incident planning first, was how we might pragmatically delay an incident occurring or limit its impact. As I mentioned earlier, we don't have the resources of enterprise organisations, so we can't simply throw money or resources at the problem. For me this therefore means we need to do the basics in terms of cyber resilience. This refers to enforcing MFA, patching as many servers as we can, providing users only with the access they truly need, etc. It is these basics that will reduce the risk level for our school or college, and hopefully see criminals moving along to the next school or organisation in the hope of an easier target. And generally the basic steps don't cost the earth, other than some time to undertake them.

Conclusion

My summation for the session was very much about the need for cyber resilience to be seen as a school wide issue, and therefore for it to be discussed at the highest levels, including governors/trustees and senior leadership. They need to have a sense of the risks being faced and guide the effort to address those risks. They may not know the technical side, however they set the risk appetite and therefore guide the spending of resources, including IT staffing, plus the balance between security and flexibility, which includes flexibility in the classroom. They should also be central to considering the “what if” scenario and how the school might respond to cyber incidents such as data breaches, ransomware, etc. It is better to prepare than to have to work out what you are going to do while in the midst of a cyber crisis. And lastly there are the basics: we simply need to do these, as they are the most cost effective way to delay or limit the impact of a cyber incident.

Cyber crime isn't going away, so we need to plan and prepare, and not just the IT staff.

Now if you wish to review my slides or the resources, which included some cyber incident cards for a risk assessment exercise, then you can access them here via Google Drive.