The classroom became unrecognisable in 2020 when the Covid-19 pandemic swept the world, as most students were sent home to learn using digital technologies. IT systems were expanded and tested beyond anything that had been done before to support teachers in delivering a decent education under the most challenging circumstances. However, during this time there has been a consistent level of ransomware attacks in education settings, including a spate affecting more than 70 schools at the start of 2021.
To discuss what schools and multi-academy trusts have learned, the New Statesman convened a virtual round-table discussion, sponsored by Sophos. The chair was Jon Bernstein, former deputy editor of the New Statesman. He opened the discussion by asking Andrew Proctor, pro vice chancellor of digital at Staffordshire University, to give his thoughts on the past year.
Proctor said the past year had presented an “opportunity for cyber to become much more front and centre at board level”. He believes it is a sign of a healthy organisation that these issues are discussed across the organisation and that “conversations are happening at the right level”. That means raising the awareness of teachers and students to help keep them and their families safe online. Proctor added that it is important to engage with “sense-making and storytelling” to help attract interest and then, ultimately, investment into cyber.
“What it all comes down to is everyone’s got responsibility,” agreed Kerr M, schools engagement lead, economy & society at the National Cyber Security Centre (NCSC). It has produced some resources to guide school governors and boards through questions they should be asking about cyber security, such as whether there is a list of all the organisations that provide their IT services. Alongside this, the NCSC has produced training for staff. For Kerr “a whole place-based approach” to ensuring cyber security was important.
Chris Major, UK education sector manager at Sophos, highlighted the importance of data theft as part of cyber attacks, rather than just focusing on the operational impact. He said it is difficult to have the conversation about cyber security at the right level, or to ensure it is happening at all. One of the problems, he believes, is that people in the IT security sector are “seen as kind of salespeople”, making it difficult to establish the level of trust needed for a strategic conversation.
Another problem is that there is “far too little time and probably resources spent on training”, with customers often investing in the products but leaving staff unaware as to how they work. For Major it is about trying to have a more strategic, more partnership-based conversation.
“You’re only as strong as your weakest link,” reflected James Browning, chief digital & information officer at the Academies Enterprise Trust. It was dealing with lots of new users who were less informed and educated about cyber security. “You’ve got to take everybody with you,” he observed. Recently, one of the schools in the trust was subject to an attack and he felt there was a challenge to be made constantly as to why organisations were not moving faster to get rid of their known vulnerabilities.
Several participants had already adopted a “cloud-first” strategy before the pandemic. Peter Bradburn, director of IT & communications at Aspire Academy Trust, said they were already implementing it when people started having to work remotely. However, there were still weaknesses around the configuration of the cloud platform. Stuart Jones, director of technology at Outwood Grange Academies Trust, said many schools in the UK have “adapted very quickly to the needs of the situation” but have not conducted the due diligence to really nail their security. Fabian Olteanu, strategic IT manager at Excelsior, explained that the trust was also far along with policies and procedures, but the human factor still proved a challenge. Teachers were still falling into security risks “no matter how much training we were providing to them”, he said. It had created a lot of manuals and documentation, which helped to improve the situation, but that was still not enough. The trust now uses two-factor and multi-factor authentication across the organisation to keep the risks down, but there are challenges in bringing people along with this approach. “Teachers like to teach. They don’t like to be taught,” Olteanu observed.
Balancing security and delivering the curriculum was a tension mentioned by several attendees. Tristan Kirkpatrick, director of computer science, Outwood Grange Academies Trust, said it was about “rapidly putting in a system to make sure that that could happen so that teachers can deliver their curriculum”. However, there was a gap to bridge between the technical team and teachers to raise the awareness for teachers, and to how they would actually do these things. “We protect that – that’s our job,” said Les Leese, head of technology integration at Ormiston Academies Trust. “A teacher’s job isn’t to actually know about it – a teacher’s job is to teach,” he continued. The role of IT was to provide a safe environment, but the sudden forced move to online virtual-type learning environments created lots of problems. Teachers had access to “suddenly fantastic resources, available at their fingertips, which, actually, we may have blocked when they were in school”. Part of the solution, Leese said, was people needed to slow down, but it was a challenge when there are enthusiastic and excited teachers.
Outwood Grange Academies Trust asked an outside organisation to run a phishing attack against the trust as a test, explained Jones. “Literally all I gave them was our name,” he said. The phishing test revealed a whole set of vulnerabilities that exposed the back-end services used by teachers. As a result, he said, there was a “really big push for us into educating users and teaching them how to be protected online”. The trust is now looking at multi-factor authentication.
Dominic Norrish, chief operating officer at the United Learning Trust, said the change had been like moving from “pushing water uphill with a broom, and then suddenly, last year, the job became stopping people going over the waterfall in a barrel”. In his opinion the only way to make cyber security work as an everyday responsibility is to “create accountability” in staff to make them feel that this is part of their job. The trust has found that the best way to do that is to produce training that is highly relevant and set in its context. “No one ever spent any money on this until there was a problem,” Norrish added. “That’s because schools haven’t got any money.”
“Covid, the DFE [Department for Education], the NCSC have all had a hand in actually promoting our strategy that was in place, but very underlying, under a very strong curriculum focus,” reflected Ellis Jacklin, head of IT & data at the David Ross Education Trust. Jacklin went to his head teachers and gathered their IT budgets together and created a centralised model. “From my perspective, that has been our absolute saving grace over the past year,” he said.
For Jacklin, the human factor is vitally important to get right. “We have to ensure that [staff] know they are the solution to threats without insisting that they’re the cause,” he said. The trust has moved away from an IT focus and towards a safeguarding approach, he explained, with everything else falling in behind that. Jacklin feels they are in a “really good place” as a result.