A Simple Guide to Cyber Security

We all know what a crowbar looks like, we know which windows in our school are most likely to get a brick put through them and we know the strengths and weaknesses of CCTV. Physically securing our schools is not new territory and the technology used by those trying to get in has not really changed in quite some time.

Cyber security is not quite so easy. To begin with the number of people with potential access is not limited to those within walking / driving distance – but potentially anyone with internet access (so around 4.66 billion people).

Then you have the speed at which technology changes – the design and technique of using a crow bar have largely unchanged since William Shakespeare wrote Romeo and Juliet (Act 5 Scene 2: “Get me an iron crow”). I cannot imagine any of the software and devices we are using today will be around at the end of the decade, let alone into the next century.

But the real challenge is the complete lack of ability to see an attack coming or to understand which digital door maybe kicked in. It may even be that you are attacked and never find out.

Of all the discussion within the online community of the ANME – this is the biggest challenge and frustration. We know the attacks are happening because we see the headlines, but we never get to find out where the vulnerabilities were.

The knee jerk reaction from School and MAT leaders is to ask for a security audit, often out of frustration of now knowing what else to do. A security audit is possibly a good idea, but it is only every a snapshot and not a strategy for ensuring ongoing protection.

Much like the introduction of GDPR, it is about putting ongoing processes in place and potentially a systemic change of culture.

So this is my checklist of things that SBM’s and Technical Teams need to work together to put in place – all of which should eb part of an ongoing review:

Patch / Release Management
Hardware and software manufacturers release updates for their products all the time. The vast majority of these are security updates. Make sure you have a robust process for installing the latest releases on anything connected to your system including all laptops, desktops, switches, routers, projectors, CCTV, door entry etc. Patch management is generally a small update – often released several times a year. Release management is a more significant upgrade done every few years and may have a license or cost implication.

You would always replace an old and rusty padlock, so update your old and rusty software too.

Configuration Management
Make sure that your devices and software are not still using the factory settings and that any changes made to the configuration are documented and reviewed.

You would not leave a combination padlock set on “0000” – don’t so the same thing with your systems.

Service Continuity Management
With the number of attacks that have happened in schools over the last year it is no longer safe to assume you will never be a victim and make sure you are prepared for when an attack happens.

I have done a number of exercises with MATs and individual schools to walk them through an attack so they can understand what their response needs to be at each level.

This can include how to cope without computer and telephone systems, what the decision making process will be, who the key contacts will be, how to handle press enquires etc.

The impact of a cyber-attack is directly related to your ability to respond to it – so do not underestimate the importance of preparation.

Training
Despite all the technology, the biggest threat to your organisation is the people within it. The biggest weakness is the weakest password or the member of staff who is not aware of the need to be vigilant about which links to click in an email and how to check whether you should put your password into any given website.

Training and awareness is, and will always be. the easiest and cheapest way to keep your systems safe.