TAGs and Data Integrity

Following on from my previous post regarding Teacher Assessed Grades (TAGs) and cyber security, which focused on mitigation measures around avoiding possible data loss, in this post I would like to focus on the integrity of data rather than its possible loss.

There are a couple of issues which could impact on the integrity of TAG data:

  • Accidental changes made by users with access
  • Deliberate changes made by users not authorised to make changes, such as students.

Dealing with these issues relies on a number of basic principles which ideally should already be in place.

Least Privilege Access

This refers simply to minimising the number of users who have access, and in particular minimising the number who have write access as opposed to read-only access. By limiting the permission level provided you limit the users who may accidentally or deliberately make unauthorised changes, and reduce the risk as a result.

Linked to the above, it is important to fully understand which users have access to which data/systems, with this being routinely reviewed and adjusted to accommodate staffing changes, role changes, etc.

A checking process

It is likely you will have a process for gathering the data, with this data then reviewed by Heads of Department before eventually going to Senior Leaders and then the exam boards themselves. It is also important to have a review process to check that unauthorised changes haven't occurred along the way and that the integrity of data is retained across the whole process, from collection to eventual supply to the exam boards.
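
One way to automate the check described above, as an added example that is not part of the original post: it compares the grade export taken at collection with the one about to go to the exam board and lists every change that has no entry in a sign-off register. The CSV column names, the sample rows and the register format are assumptions made for illustration.

```python
import csv, hashlib, io

# Constructed sample exports: the same grade sheet at two stages of the process.
COLLECTED = """candidate,subject,grade
1001,Maths,7
1002,Maths,5
1003,Maths,6
1004,Maths,4
"""
SUBMITTED = """candidate,subject,grade
1001,Maths,7
1002,Maths,8
1003,Maths,5
1005,Maths,9
"""
# Constructed register of changes signed off during moderation (hypothetical format).
APPROVED = {("1003", "Maths", "6", "5")}

def load(text):
    """Map (candidate, subject) -> grade from a CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["candidate"].strip(), r["subject"].strip()): r["grade"].strip() for r in rows}

def digest(text):
    """SHA-256 over the sorted records, so row order does not alter the fingerprint."""
    lines = sorted(f"{c}|{s}|{g}" for (c, s), g in load(text).items())
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def diff_snapshots(before, after):
    """Return (candidate, subject, old, new) for every altered, removed or added record."""
    old, new = load(before), load(after)
    changes = []
    for key in sorted(old.keys() | new.keys()):
        a, b = old.get(key), new.get(key)
        if a != b:
            changes.append((key[0], key[1], a, b))  # None marks a missing record
    return changes

def unapproved(changes, approved):
    """Changes that have no matching entry in the sign-off register."""
    return [c for c in changes if c not in approved]

if __name__ == "__main__":
    if digest(COLLECTED) != digest(SUBMITTED):
        for cand, subj, a, b in unapproved(diff_snapshots(COLLECTED, SUBMITTED), APPROVED):
            print(f"REVIEW {cand} {subj}: {a} -> {b}")
```

Recording the digest at each hand-over gives the next reviewer a quick way to confirm they are looking at the same data that was signed off.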

Audit Trails

If we assume that there is a reasonable likelihood of an accidental or deliberate unauthorised change, the next thing we need to be able to do is identify such changes, including the user who performed them and the changes they made. It is therefore important to consider whether the solution we use to store our TAG data has the relevant audit capabilities, whether that means using the audit logs in your Management Information System (MIS) or version history in either Google Workspace or Office 365.

Conclusion

Generally, when considering cyber security, the important thing is to identify the risks and then identify and employ appropriate mitigation measures. There is seldom a “solution” in terms of a product, configuration or setup which is perfect; however, there is a solution appropriate to your context and to your organisation's view of risk and risk appetite.

It is also important to note that the best approach is a layered approach. In this and my last post I haven't mentioned the use of storage arrays, mirroring of servers and other approaches aimed at either ensuring business continuity or making recovery quick and hopefully easy. Although these options add to the complexity of the possible approaches, the key is once again to assess the risks in your school’s situation and context, and deploy the solutions which you believe best address these risks within the framework of a risk management strategy.

TAGs and Backup

As schools gather their Teacher Assessed Grades (TAGs; we do like a good acronym in education) it got me thinking about cyber security.

The two potential key issues I see in relation to TAGs are:

  1. Loss of access: This could be deletion, ransomware or some other issue which means the school doesn’t have access to these important grades and therefore is unable to provide them to the relevant exam boards.
  2. Manipulation of grades: This would be an individual, internal or external, gaining access to the grade information and manipulating it either for someone's benefit or simply to cause mischief.

For this post, let's focus on loss of access. So, what measures can a school take?

The key mitigation measure for loss of access is backup. We need to ensure a backup is kept separate from the main systems on which the data is stored. So, if the data is being stored in the school's Management Information System (MIS) then ideally there should be an exported copy stored in Office 365. By keeping it in a separate system, we hopefully avoid any potential issues which might result from a significant problem with the MIS followed by issues recovering the MIS from its own backup. As our data backup is in a separate system, we would be able to deal with this scenario.

Ideally, we also want to keep copies geographically separate, so maybe stored on a separate site or using a cloud-based solution.   We may also choose to use a removable media solution to “airgap” our backup.

The key thing for me is that there is no one single solution. You need to consider the risk, the available mitigation options, and their cost, in terms of financial costs, time, staffing, difficulty/complexity, etc. and then decide what works for your school. For example, removable media may help in terms of air-gapping our backups, but it also would incur costs in terms of time to remove, replace and store the tapes/drives in use. If staff is limited this may therefore be a less appealing option. It is also about avoiding reliance on a single process/solution. So, having tape backup as a single solution is unlikely to be sufficient. You should be layering the various backup options to arrive at a solution which is appropriate to your resources, your data, your finances, etc. while reducing the risk of any single point of failure.

The other point I think is important to make regarding backups is the need to test them. All too often the only time backups are tested is at the point when recovery is required due to an incident. It is at this point that we can least afford backups to fail. As such it is important to test backups to make sure they work as they should, and that you are aware of the processes and of any potential pitfalls. By doing so, you can be reasonably assured that when you truly and urgently need them you will know what to do and can be confident in the likely success of recovery processes.

Coming up with your school’s solution to backup doesn’t need to be complex.   It is about considering different scenarios and the mitigation options and then identifying what is right for your school based on its needs and its appetite to risk.    As I have often commented, it is all about risk management.

Data Protection and Cyber Security in a Pandemic

In a pandemic, when trying to keep students learning and businesses operating, while schools, offices and shops are no longer able to operate as they normally would, cyber security and data protection aren’t exactly top of the list of things to consider.   They may even have fallen off the list altogether.   As such, over a year after the first lockdown I thought it appropriate to share some thoughts in relation to data protection and cyber security in schools.

During a pandemic it is critical to prioritise. The important things come first. So, health, safety and wellbeing are likely at the top of the list. For businesses, during a lockdown, the ability to work remotely is critical while, when looking at educational institutions, enabling online teaching and online learning are critical, all requiring action to be taken quickly. Back in mid-March 2020, although the writing was on the wall, we didn’t see the first UK lockdown coming and so when it did there was a rapid move to put the relevant technologies in place to enable online working, teaching and learning.

The issue with this rapid deployment of technology was that it was done based on an immediate need rather than being fully thought and reasoned out. Considerations such as potential cyber security or data protection risks were, due to immediate necessity, either pushed to the side or given less consideration than they would normally receive, or than they are due. So now that we find ourselves a year further on, here are some of the things I think we should be looking at:

  • The big players

Schools coalesced largely around the two big players in relation to cloud-based productivity solutions, being Google and Microsoft. For me this was done for very good reasons given the functionality provided by each; however, I wonder if the implications of this, such as the reliance on a single platform, had been considered. I also wonder if schools have considered what they would do in the event of a significant issue/outage within their chosen platform or if specific tools within the platform were discontinued. I do believe that it is almost essential to select one of the two platforms; however, I think it is important to consider the implications of this decision.

  • Where is my data?

During the pandemic, and in order to deliver the best learning experiences possible, teachers introduced new apps, often for specific lesson activities rather than for long term use.    I suspect that as a result of this the overall visibility in relation to the apps in use, and therefore the location of school data, may have reduced.    This is something that will need to be addressed and will likely require schools to audit the apps in use as we move forward.

  • PIA and risk assessments

Linked to the above, apps may have been introduced without an appropriate review of cyber security and data protection, including reviewing terms and conditions, privacy policies and other documentation relating to third-party apps. This would have been done due to the need to quickly adapt to the remote learning and teaching situation we found ourselves in; however, as we move forward, appropriate reviews and impact assessments will need to be carried out. Additionally, changes to existing platform settings or their usage are likely to have been made to facilitate learning during a lockdown, and as such any previously conducted risk assessments or impact assessments may no longer be valid; these will therefore need to be reviewed and updated.

  • Use of personal devices

During lockdown both students and staff have often either been forced or have chosen to make use of personal devices in remote working and remote learning.    With this comes cyber risk and also data protection implications, such as the potential for school data to end up on a personal device which is shared by different members of a family.    This needs to be considered and risk assessed, and appropriate mitigation measures put in place, whether these be technical measures and/or policy measures.

  • Remote Access

Remote access to systems was key during lockdown. How else would students and staff access the relevant systems, including teaching and learning systems and administrative systems? We now need to review this situation with a view to cyber security, to limit the risk of the malicious use of remote access by external threat actors and also to ensure that remote access settings are appropriate to a secure IT environment.

The above 5 issues are the 5 which come most easily to my mind; however, I suspect I could easily continue this blog to cover 10, 15 or even more items which we now need to consider. The pandemic and resulting lockdown required us to work quickly and flexibly to identify solutions. We now need to spend some time reflecting on the decisions made, and to check that in the longer term they continue to be the right decisions.

As I have commented on a number of previous occasions, the issue with data protection and cyber security is that everything is ok until it isn't. We may have put new systems in place or changed settings to support us through the pandemic. There may be no current issue with what has been done; however, unless we now spend time analysing the decisions and their potential implications, we run the risk of sleepwalking into a data protection or cyber issue. As some sense of normality hopefully returns to the world, we need to look back at the rapid change the last year has brought and assure ourselves that we are happy with what is now in place.

Less email filtering?

Cyber security is often thought of as a defensive exercise. It is often thought of in terms of preventing threats gaining access; however, in considering malicious emails I wonder whether there might be a slightly different way to think about it.

My concern is this: if in our cyber defence we do a really good job and prevent malicious emails, such as the all too common phishing email, getting through, then we could potentially create a workforce who are unfamiliar with phishing emails. Our defences may create a situation such that when a phishing email eventually does get through, and this is pretty much guaranteed, the recipients are ill prepared to identify it as malicious and respond to it accordingly. Our defences create a more vulnerable user base. I would also suggest that an expectation of 100% successful filtering is naïve; our filtering solutions are simply not that good, combined with the fact that cyber criminals are constantly adjusting their approach to bypass common filtering solutions and approaches.

Now to be clear, I am not proposing no defence against malicious emails. What I am suggesting is that having filtering which is at least slightly porous, allowing some malicious emails through, may be preferable in developing users who are more aware.

I suspect some may argue that awareness is developed by training and awareness campaigns, etc.; however, I would suggest that these are all proxies for exposure to the real thing, and for learning to deal with the real thing. Again, I am not saying that we shouldn't have any awareness training; in fact I am a firm believer in the critical importance of awareness training. I am simply suggesting that training is not as effective as real-life events.

The challenge with the above is the level of porosity. As I suggest, if defences are not porous enough the user base may be ill prepared; equally, defences which are overly porous will simply expose users to a greater volume of risk through a greater volume of malicious emails. Once again the challenge relates to achieving balance and to managing risk.