Monthly Archives: August 2017

You and You and You are the Weakest Links (in the information security chain)

Over the last twenty years or so as an Educational Technologist, I’ve visited literally thousands of schools. When I first started, my point of contact was the ICT (Information and Communication Technology) Network Manager. Nowadays, it’s almost always a member of senior leadership. I don’t flatter myself that I’m more important than I used to be. It’s simply that technology in most schools is now integrated in teaching, learning and operations from top to bottom. It’s strategically important.

Of course, with strategic importance comes a sharpened focus, not only on the benefits of technology, but on the issues and threats it introduces. Barely a week goes by without a story about the effects of screen time on children or the destruction wreaked by the latest malware. Where once upon a time I could guarantee I’d find an administrator password on a sticky note in the office, initiatives such as Safeguarding and Prevent have ramped up the focus on safety and security in schools.

And yes, senior leaders are nervous. Apart from an unwelcome appearance in the media, if a school’s Safeguarding or Prevent arrangements do not meet requirements, then Ofsted is likely to place them in special measures.

As if that wasn’t enough, against a background of growing threat, hardening sanctions and shrinking budgets, the replacement of the Data Protection Act (DPA) with the EU’s General Data Protection Regulation (GDPR) is going to hit (mostly unwary) schools hard on the 25th May 2018. As of April 2017, only 43% of organisations were actively preparing for GDPR.

Whilst it’s true that the GDPR will bring more clarity and rigour to the discipline of information security, schools may well have more of a mountain to climb than most because they are Data Controllers with sensitive personal data on minors. It’s not clear from the legislation whether the appointment of a Data Protection Officer (DPO) will be mandatory for schools, but it would certainly seem to be sensible advice.

However, the main purpose of this post is not to bemoan the plight of schools but rather to point out an emergent weakness in this layered process of security hardening. It’s mandatory for schools to designate a member of senior management as a Safeguarding Lead. It’s also mandatory to appoint a Prevent Lead. With the advent of the GDPR, it seems there will be a DPO as well. To perform these roles effectively will require:

  • An understanding of the relevant regulatory environment
  • Experience of practical application in a school
  • A grasp of the technology landscape across the school and its supply chain

In the good old days (ahem), when I used to roll up to meet the Network Manager, usually I wouldn’t need to speak to anyone else. They were the Kings and Queens of their IT domains. Perhaps they lacked a strategic perspective on occasion, but at least there was one person who understood every piece of technology in the organisation and the implications of every change that was made.

I’m certainly not advocating a return to the past, but, going forwards, I think the increasing regulatory load is already leading to fragmentation in the security chain. In a world where one IoT device can become a gateway for a serious network incursion, it’s easy for knowledge to exist in silos which lead to Donald Rumsfeld’s infamous unknown unknowns.

My conclusion is that people are usually the weakest link in the security chain and, in this case, the weakness is exacerbated by an approach to safety and security in schools that is evolving in silos. I would simply advocate that domain experts with overlapping interests come together on a regular basis to educate each other and review their mutual challenges. Every school – every organisation – should have a Safety & Security Working Group that aligns and coordinates the work of all stakeholders.