Health & Safety legislation has been in place since the early 70’s. It’s enforceable by law and it does exactly what it says on the tin – it mitigates risk and makes the workplace or classroom a safer place. Many people complain about it, but there is no doubt it is a good thing. cyber security is the new Health & Safety, but with a few twists.
Back when I was at school H&S was essentially a dirty word, despite the legislation coming into force, it wasn’t really ingrained in every day school life. At our little village primary school children would play on climbing frames, swinging from bar to bar 6ft above the ever so soft and forgiving tarmac and concrete! No issues there! Sometimes at break-time our Headmaster would actually ask us to cut up his firewood (I’m not making this up), what could have possibly gone wrong handing over saws and hand axes to a bunch of 8 year old boys high on sugar and overly excited by the latest football stickers ‘swapsies’ from Panini. If we could go back in time to the late 70s but with the H&S hats on of today I fear the doors of St Marys would have been slammed shut ‘until further notice’.
H&S legislation, from my laypersons perspective, has taught businesses and educational establishments two things. Firstly those in charge have a responsibility to keep individuals safe, if they don’t and an accident happens then they can be personally held responsible and liable for it. Secondly it has taught us to become risk aware. At this moment in time the legislation for Cyber Security is not enforceable, it’s recommendations only, but it would be wise to look at cyber security through the Health & Safety glasses.
The main reason that H&S gets a bad press is because it can be seen as going too far, it can be too paranoid, it can be simply ‘too much of an overhead’. However if your child is at school, don’t you hope, in fact don’t you expect that those in a position of authority will keep them safe? Of course you do. How long before you are asking similar questions about how safe your child is online while at school?
If you are a teacher, a department head, or even a headmaster, go into one of your classrooms and just sketch out a H&S risk assessment. You know the drill; you’ve probably done it before. Doors being slammed on fingers, desks are robust and won’t collapse, no trip hazards, no exposed cabling. You can probably get to 10 without even thinking. H&S has been ingrained into you over a period of time…now do the same for cyber security.
How many have you got? Did you get passwords? How about removable media? or perhaps the misuse of social media. Cyber bullying? Hacking? Use of cloud services? I can sense that you may be starting to struggle here, but hopefully you get my point. Oh and congratulations on doing your first ‘back of the envelope’ cyber risk assessment; trust me you are going to be doing many more of these in the future.
The difference between H&S and cyber is that if a pupil in classroom falls over a trailing power cable and cuts their arm, it affects just that one pupil. Not his classmates, or his teacher, it doesn’t effect the pupils next door, or the parents (except the parents of the unfortunate). If you applied your cyber risk assessment to that same tripping incident, then as one child fell and injured themselves then in very quick succession others would fall, it would be a domino effect and before long all the pupils in your classroom would have metaphorically fallen over, then those in the classroom next door, then those in the adjacent buildings and so on and so on. This is the key difference between H&S and cyber. In most H&S incidents the effect is relatively small – an individual, with cyber it can effect everyone.
It could be argued that H&S legislation has taken the better part of a generation to be become ingrained in all those at work, we don’t have that luxury of time with cyber. All the statistics point to this being a global threat to businesses of all sizes. In fact many of the large businesses and government organisations are now relatively secure, the cyber criminals know that and are moving down the food chain to target SMEs and schools. So in fact the threat is actually increasing to many.
So before all you teachers and school leaders break for the summer, sit down in your empty classroom and start writing your first proper cyber risk assessment. Just don’t trip over that cable as you leave.