Cyber-Security in Schools
Posted on: 9th Dec 2019 by: Gary Henderson
Recent research from LGfL has revealed an urgent need for more cyber-security training within schools.
Why is there a knowledge/skills gap here?
What could the impact of not having staff with cyber-security expertise be?
How could we ensure schools acquire that knowledge?
The issue of cyber-security skills in schools is multi-faceted. There are implications in relation to school IT staff and their cyber-security skills, school leadership, the wider staff body and also the development of cyber-security skills among our students in attempting to prepare them for the increasingly digital world we now live in. It is also worth mentioning the need to also build awareness and skills in parents and the wider community and the importance of cyber-security is only growing.
From a GDPR point of view, each school has a responsibility to protect the personal data they store in relation to staff, students, parents and other members of the community who interact with the school. At this level of analysis, it is the cyber-security skills of IT staff which are likely to matter the most. They must be as well prepared as possible in the face of increasing cyber threats. As a perfect illustration of this, an article in ZDNet indicated that “education users are twice as likely to be targeted than consumer users” by phishing attacks, plus ICO data for quarter 2 of 2019 identified that education is the 3rd most common industry to report a data breach, reporting around 11% of all breaches reported to the ICO in the quarter. In 2019 there were significant incidents at education instructions in the US in particular, but also in the UK such as the incidents at Swindon College and Lancaster University. Where schools fail to consider cyber-security they are increasing the risk of a significant cyber-security event. It is at this point I must note that those schools which do identify the risk and take action are not immune to a cyber incident, they just reduce the likelihood and potential impact for when, rather than if, it happens.
Cyber-security skills are key in schools, or any other organisation for that matter, to being prepared. One of the biggest issues is that cyber-security skills cannot remain static as the threats are always changing and evolving and therefore resources must be identified to support continuous cyber-security skills development among IT staff. The challenge here is that this is difficult where resources are limited plus, I believe that often cyber-security, especially of smaller schools, isn’t on the radar of senior staff. It also must be acknowledged that the wider societal need for cyber-security professionals or those with cyber-security skills is also making it more difficult for schools and other educational institutions to source suitably skilled staff.
In the face of the difficulties, we still need to identify a way forward. My suggestion here is first to raise the profile of cyber-security within schools and this involves engaging senior staff as to the risks, to specific examples of where incidents have occurred and to the costs of dealing with an incident. From there hopefully, schools can seek to allocate resources in line with their attitude to risk, whether this is staffing, finance to support the professional development of IT staff, software or hardware or any other resource.
I believe the other key area where action can be taken is in the gathering of threat intelligence. Individually schools are reliant on the skills of their own IT staff and on third parties, who often have their own agendas or profit margins in their mind. Collectively however schools have a much wider pool of knowledge and experience and it is pooling this knowledge and experience that I see the biggest opportunity. One of my favourite phrases at this moment in time is “the smartest person in the room, is the room”. Not sure where it came from or who said it originally, but it sums cyber-security skills up. If the IT staff in all schools seek to share their approaches to cyber-security skills development, to cyber-security issues, their challenges and their successes, then we will have a very experienced and skilled room and we will be all the better for it.
Cyber-security risk continues to grow and evolve and therefore the skills needed to prevent or minimise incidents also continue to grow. This is an issue not unique to schools, but an issue which impacts the world as a whole which in itself presents schools a further challenge given, they are unable to match the resourcing available in commercial organisations. It is due to this that I believe the solution is a collective one, requiring schools and other educational institutions to work together, to share and to pull their resources, knowledge and experience together.
ANME Member and Director of IT at Millfield School, also a trained teacher with 20 years’ experience across secondary schools, further education and higher education, both in the UK and the Middle East.
Written for Education Executive
 Ranger, S. 2019. Phishing emails: Here's why we are still getting caught out after all these years. [Online]. [1 December 2019]. Available from: https://www.zdnet.com/article/phishing-emails-heres-why-we-are-still-getting-caught-out-after-all-these-years/
 Information commissioners office (ico). 2019. Data security incident trends. [Online]. [1 December 2019]. Available from: https://ico.org.uk/action-weve-taken/data-security-incident-trends/