In the next few weeks the exam season will start to slow down, hassled teachers will lift their heads seeing the long holidays approaching and many schools will start locking their doors and shutting up shop until mid August.
Before we know it we will have the annual news stories hitting the headlines as the exam results for both GCSE and A Levels are released. Will standards this year have risen? fallen? who knows. Then the schools start to crank back up to full speed; new pupils, new parents, new timetables, new courses, new staff and lots and lots of new data.
The education industry is the third highest industry sector to suffer a reported cyber breach, according to figures from the Information Commissioners Office (ICO), behind only health and local government.
These figures are the cyber breach cases that have actually been reported and the ICO have taken action on. In the real world many schools may not be aware of their duty to report such events, so I suspect the true figures are considerably higher. In my experience schools regularly lose data on USB sticks, they leave laptops on trains, staff email data to ‘their home email accounts’, they use insecure cloud services, share their passwords and do all manner of other activities that bypass polices and procedures – if those polices and procedures exist at all. All of these activities, which are completely understandable, make schools highly vulnerable to a cyber breach.
My heartfelt recommendation and rallying call to them all would be to use the looming 6 weeks (more if you are an independent school) of summer holiday to get their cyber house in order. Don’t wait, cyber breaches are on the increase, you could be next!
When talking to school leaders they have a tough time equating the cyber risks. They are organisations with a relatively small numbers of administration staff, but vast amounts of dynamic data. A cyber criminal will not be looking to ‘take out a school’ well not unless he is a disgruntled ex-pupil, or ex-member of staff – oh and that’s a risk too – a cyber criminal will look to simply obtain data from a ‘soft target’ such as a school.
As Schools are in touch with their customers – parents – on a regular basis, their names, addresses, occupations, work numbers and mobile numbers are kept up to date. This data is valuable to a criminal because it is current and updated almost daily; therefore it’s worth money on the black market as it can be used for future fraudulent activities. Maybe some parents have suffered from some sort of identity theft, but may not be aware that the source of this could be via data stolen from their local school. Independent schools should be even more vigilant, because as they charge fees for their services (and these fees are usually significant) then they may hold on record parents financial details too – that could be worth even more money on the black market!
Offsted, the UKs schools inspectorate does rudimentary checks on cyber bullying, as part of their anti-bullying procedures. However at this time they do not check any other cyber related areas. Some independent schools may have a few low level checks done on their information governance, usually backup integrity and random checks on user access privileges done by their financial auditors, but to date there is no compelling reason for schools to be checked on their cyber integrity. A school does live or die by its reputation, most of them openly publicise their Offsted rating and they celebrate their academic prowess or the achievements of its sport teams or their cultural outputs. All of that will be worth nothing if they get hacked and have to publically declare it.
If a school, any school, wanted to differentiate themselves to their customers, they can show off a shiny new science lab, or the new AstroTurf, but in 2015 that’s hardly cutting edge. The summer holidays could be used to obtain Cyber Essentials, the first step on the ladder of taking cyber seriously. That would be a credible differentiator.
The summer will pass and before you know it the Autumn term will be here and schools will start having open days. There is the Independent Schools trade show with parents looking at where best to spend their money on their child’s education. In general the recruitment process for the intake of September 2017 will begin. During that time schools will be investing in nice new glossy prospectuses showing off their investments in new WiFi, new computer labs and all manner of technology. Technology and it’s creative use across the curriculum, as well as being a subject in itself, can a very good differentiator for schools, but parents need to become more savvy. Don’t let a glossy screen put you off, ask to see the schools comprehensive cyber policy.
I can see it now; a tenacious prospective parent starts asking some probing questions on the governance of the school. They are undecided on which independent school to send their gifted daughter too. So they ask their tour guide about the schools polices…
“Safeguarding policy – check!”
“Health and safety policy – check!”
“Critical incident policy – check!”
“Cyber Security policy – err, umm, can I get back to you on that one. In the mean time why don’t you look at our lovely new science labs”