In this article, Dominic Norrish, Group Director of Technology at United Learning, explores the various security considerations he suggests you’ll need to make as part of your strategy implementation.
We’re aware that you might not necessarily be the person that leads on security and GDPR in your school but it’s important to consider these elements ahead of any strategy planning and implementation.
Information Security is a critical topic for school leaders to understand and take control over. It’s also huge and complicated, so this piece can only scratch its surface.
In these benighted times, it is statistically inevitable that data breaches and malware attacks will seriously affect many schools’ ability to educate their pupils. It will happen somewhere – and its extent and seriousness will be determined by how well the school in question has managed this risk.
Data breaches & leaks
A breach occurs when you lose control over data that is supposed to be kept secure, either by accident (sending an email to the wrong recipient) or, which is more worrying, through intrusion and theft. This is more common than you might think, particularly from internal threats (pupils and disaffected staff); and from staff losing control of online accounts, generally through being ‘phished’ via a convincing email prompting them to log in to what purports to be their Microsoft/ Google account.
The breach risk extends far beyond traditional stores of school data like a Management Information System. For example, many teachers will have used an app that helps organise seating charts and presents information about learning needs. The app needs to know contextual data (name, form, age, gender) to function at even a basic level.
Schools also routinely create personal data about pupils using a range of software – notes on attitude, behaviour, learning needs, pastoral incidents, assessment grades, etc. These proliferate through multiple MIS add-ons for assessment, behaviour, safeguarding, reports, and are accessible over the Internet on any device. Are you certain about how these data are secured, retained and deleted?
Similarly, any app which a child or teacher uses is potentially taking user data of some sort off their device: Do you know why? Do you know to where? Are you confident you remain in control of these data, as you are legally obliged to ensure?
The connectedness and availability of data in schools has expanded massively in the past decade, but appreciation for the risks this presents has lagged, and schools may be falsely confident about their exposure to risk. It is easy to imagine serious consequences for the school and the ‘data subject’ (the child) when the next targeted breach or unintentional leakage occurs.
Digital Privacy Impact Assessments (DPIA) are an essential management action for any school considering introducing any new tech tool/ partner. A DPIA is a risk assessment – it simply involves asking the right questions in order to identify privacy risks and work out how to mitigate them. When this functions well, schools either implement something safely or accurately recognise its riskiness and choose not to proceed.
Schools are under constant bombardment (via email) from attempts to extort money in order to unencrypt data that the attackers have locked. The software that does the encryption is referred to collectively as ‘malware’. Encryption is devastating because pupils’ work, your SEF and the MIS are critical to the operation of the school. The key thing to remember is that no technical tool can totally prevent these attacks and that therefore schools must develop layered protection in depth from malware:
- Network managers should take technical action to stop malicious software entering and propagating through school systems - one of the most effective and least popular is to ban USB drives! This is known as hardening and will differ based on email provider and other facets of your IT landscape;
- Ensure that anti-virus systems detect known threats and prevent infections spreading, on every device, using the latest definitions with zero exceptions. Many is the infection begun on a head’s laptop because “Antivirus makes it run slowly”;
- Ensure that data are safeguarded through reliable, secure back-up regimes. People who pay ransoms do so because they have no backup and thus no option;
- If using laptops and other mobile devices, encrypt their hard drives;
- Move key systems and data from on-premises systems to the cloud, to limit the impact of infections. Cloud systems such as Office365 and G-Suite allow schools to hold all user documents in the cloud and access them securely from anywhere. The other critical system to consider off-siting is your Management Information System. This isn’t a guarantee of avoiding encryption, but it’s an order of magnitude better. It also obviates the perennial, weed-killer-resistant threat that is staff taking data out of secure systems using USB drives to ease their access to them.
There are several management actions which school leaders should consider/ check are in place:
- Include Information Security on the SLT risk register and document your actions to mitigate this risk. This will ensure that it will continue to be monitored as new threats/ mitigations emerge.
- A named member of SLT should manage this risk, reporting to Governors, and operational control should sit with the Network Manager.
- Move away from risky practices (have we mentioned USB drives?) to safer ways of sharing access to sensitive data (e.g. links to hosted files rather than attachments);
- Stop implementing new systems or working with new external partners without a robust DPIA process;
- Use line management processes to hold technical staff to account on critical activities. Some key questions include: –‘Are all our servers patched with the latest security update for their operating system?’ –‘How do you know that every PC and laptop is automatically installing Windows and Anti-Virus updates?’ –‘Can you demonstrate that backups are working and are secured from themselves being encrypted?’
- Implement annual security training for all members of staff in better security practices (passwords, shared accounts), how to spot phoney emails and to create a culture of accountability in all. Even if an email with malware evades all technological defences, it will fail because a properly trained user will not action it. The best and last line of defence is a user who feels responsible for their own IT security. This will also prevent them becoming a victim at home, and the additional stress and wasted time that would bring.
Depending on the approach your school decides to take with education technology will affect the kinds of considerations you’ll need to make about GDPR. This toolkit from the Department for Education is a useful starting point no matter what your approach.
Once you’ve reflected on the points raised with other course participants, click the ‘Mark as complete’ button below and then select ‘Technical considerations’ to explore the technical considerations to be made as part of your strategy.
© Chartered College of Teaching