Cyber Security: Looking Inwards (Gary Henderson) - ANME Blog

Cyber Security: Looking Inwards

Posted on: 1st Jul 2022 by: Gary Henderson

Often when looking at cyber security, and by association at data protection, we focus on the external risks. We focus on:

  • managing vulnerabilities which an external threat might use to access our systems and data
  • managing and monitoring the areas on our network where an external threat may gain access
  • managing the security of our data solutions in relation to attempts at external access.

We look outwards for the dangers, and I suspect, given all we constantly see in the press regarding organisations suffering externally driven cyber incidents, this is becoming all the more common. Yet a recent article[1] regarding a disgruntled ex-IT staff member got me thinking that maybe we aren’t sufficiently considering the internal risks.

Accidental disclosure

I feel accidental disclosures of data go largely unreported and therefore any statistics in relation to how often they happen would be massively under-representative. Accidental disclosure might include where data is disclosed by accident in an email or via sharing functionality. The most common scenario is when the email is sent accidentally to the wrong person, although sharing functionality in Google and Microsoft also allows for sharing files with the wrong person or for permissions to be misconfigured accidentally, allowing unintended users to have access.

We need to accept that mistakes will happen, and I am afraid this will only become more common as we get continually busier, so the challenges are twofold: to reduce the number of incidents, and to respond quickly to rectify things where they occur. On the preventative side, it’s about little prompts ahead of sharing externally and limiting permissions, especially external sharing. With responding, it’s about user awareness and the need to report issues or suspected issues as soon as possible.

Change management

The internal issue of change management relates to the potential for changes in settings, permissions, processes, etc., to have a negative impact on the school. In attempting to address an issue or a request, it is all too easy to simply go ahead and change a setting, but sometimes the unintended consequences can be problematic, to say the least. Here, it is about the appropriate change management processes to ensure that changes are approved and ideally tested before being deployed. This won’t stop those issues we couldn’t predict; however, it should ensure that we do catch those we can predict, and that appropriate governance of change and accountability is in place. The right change management processes will also potentially help where changes are being made by an internal user purposefully seeking to cause a negative impact, as it will be apparent that such changes were not approved.

Offboarding

As the earlier mentioned article highlighted, we also need to be conscious of the potentially disgruntled ex-employee who might seek, post leaving, to inflict damage. There is also the potential for an ex-employee to seek to use school data to their advantage post leaving. This highlights the vital need for appropriate off-boarding processes to manage the proper disabling and deletion of user accounts. There is also the need, particularly with IT staff, for any key passwords to be changed to prevent their future misuse.

Students

Looking inwards at threats, we cannot forget the students. Some will be seeking to explore cyber security themselves through keen interest and may unintentionally cause issues. Others may be actively looking to cause problems, or to modify or access data. Here the critical measures needed relate to segmentation of your network to prevent students from accessing sensitive data and systems, and monitoring to try to detect any unusual or malicious activity from among the student body.

With those seeking to explore, I think there is great potential to harness and encourage their eagerness and ensure they operate within the school’s code of conduct, and local legal parameters. In a world where a shortage of cyber security professionals continues to be reported, it seems a missed opportunity to focus on sanctioning students where their actions were focused on learning, albeit having a potentially negative impact.

And for those students with malicious intent, I think there is clearly the need to sanction and warn them of the dangers of their current path, but equally, there is an opportunity to direct them onto a more positive pathway where their skills and interests might be able to be put to more constructive use.

Conclusion

The current press around cyber security almost encourages the external-facing focus. We are worried about hacking groups, nation-state-backed offensive security operations, and other external threats. Therefore, it is all too easy to look outwards when there are equal risks already within our perimeter, risks which equally need to be considered.

 

[1] Bedford, C. 2021, Sacked IT technician admits he hacked into and wiped data from school systems, Leicestershire Live, viewed 27 May 2022, https://www.leicestermercury.co.uk/news/local-news/sacked-technician-admits-hacked-wiped-6011952/

 

Gary Henderson

ANME Ambassador

Director of IT at Millfield School
(also a trained teacher with 20+ years’ experience across secondary schools, further education and higher education, both in the UK and the Middle East.)

Written for Education Executive

Tags: Gary Henderson, EdExec

