Wargames - how safe is your school?
Posted on: 1st Feb 2022 by: Ian Stockbridge
Take a moment to congratulate yourselves and your teams for helping to provide education in the most challenging conditions since World War II. Covid-19 has taken the most terrible toll on friends, family and the economy globally. It can be hard to find a silver lining when something so tragic happens, but that is exactly what I would like to try to do.
Delivering education in these terrible conditions has made schools across the country look at IT in a completely different way, adopting new IT systems and practices in weeks that, in different circumstances, would have been delayed by years of procrastination and discussion. We have delivered benefits to staff and students that will last beyond Covid-19, and I take great heart in that.
The problem with having delivered remote access and teaching for education is that security policies and technical measures may not have adapted at the same rate. The world of cybercrime has been quick to take advantage of this. Ransomware attacks targeted at education and their devastating effects over the past 24 months have all too often made the headlines.
We as a society need to holistically review cyber security and acknowledge our dependence on technology. We all have a responsibility to better protect the systems we depend on. The Government has never been more explicit on this. So far this year, the Government has published a National Cyber Strategy 2022 and a Government Cyber Security Strategy 2022-2030.
It makes sense that we in the education sector do our part in reviewing our own cyber defences in 2022 and identify where improvements need to be made so that we can continue to do what we do best – help deliver education.
The most crucial first step in this journey is getting support from the highest level. It should be clear to all the value IT has delivered over the last two years in the education sector. It was an “Apollo 13” moment for me and my team, delivering great success whilst facing a very real crisis. What may not be clear to governors, trustees, and senior management is how delivering these new services may have changed an organisation’s risks. It is essential that the whole organisation has a thorough understanding of the risks related to cyber security. Without support from the top, there is no mandate to bring in new policies and no justification for extra resources or funding. Cyber security needs to be evaluated from a “not if but when” perspective.
So let us start with questions that governors and trustees absolutely need to discuss with the school leaders... The NCSC has published an excellent document that provides eight insightful questions for governors and school leaders to get the ball rolling.
This should generate some probing questions for IT departments. To really get the discussion flowing, the second and vital step is where you invite governors, trustees, and senior management to play a game of “Global Thermonuclear War”. Now all of you old enough to remember “Wargames” will be smiling (the younger staff can just go Google it) and thinking “what does this have to do with the governors, trustees and senior management?” Well, in that film, the computer ran thousands of simulations to work out what would be the best way to “win a nuclear war” without actually having one.
So why can’t we simulate having a cyber incident without actually having one? The great news is that you can, and the process is sometimes described as “Wargaming” (tenuous link, but we got there in the end). Once again, the NCSC has delivered another excellent free resource for us. They call it, rather unexcitingly, “Exercise in a Box”.
Whilst not as exciting as simulating the end of the world, it helps you simulate a series of different types of cyber-event without being under the pressure of dealing with an actual cyber-event. Ideally, you will want a representative from the board of governors or trustees, a member of senior management, your data protection officer, and the IT manager. If possible, get a teacher to effectively run the event like a presenter, allowing the key stakeholders to focus on their specialist areas.
These two processes will reveal one of two things:
- You are totally prepared and ever-vigilant to the changing cyber risks.
- You will have identified areas that require further attention.
The idea of this first blog is to get the ball rolling and get people asking the right questions about cyber security.
If you have found this helpful, I will follow up with some suggestions about what to do next.
May the force be with you.
ICT Manager at Concord College
Studying for BSc Cyber Security