JC Gaillard talks to Glaucia Rosas from the Edutec Alliance on how school leaders need to approach cyber security in the wake of the COVID pandemic.
Over the past few years, and especially during the pandemic, schools and other organisations have moved their operations to online environments. This reliance on technology, however, has come at a price. Besides all the challenges that schools had to overcome in terms of adapting or changing their teaching and learning practices to the online or blended format, there are other challenges that sometimes are less visible to school leaders.
This interview with JC Gaillard, the founder and managing director of leading boutique cyber security consulting firm Corix Partners, addresses two very important topics that school leaders and boards must get to grips with: Cybersecurity and Data Privacy, and in particular why these are no longer issues schools can afford to just delegate to IT.
What are the biggest cyber issues you see affecting schools today?
Like many businesses and organisations around the world, schools have become more and more, if not entirely, dependent on digital services throughout the COVID crisis.
A crisis during which cyber threats have escalated, in particular ransomware threats, as recent incidents in the US have demonstrated.
Even when students start to return, part of the digitalization of the school experience is likely to remain in some way, or for some time while the dust settles over the pandemic.
Before the crisis, a cyber-attack might have disrupted schools; it might have affected their admin staff or some of their teachers; it might have damaged reputation if data is leaked, but the problem would have been contained or somewhat containable.
Now it’s the entire school operations which could be halted and possibly for days, with increased financial impact, in particular around ransomware, more scrutiny around ethical questions about whether to pay the ransom or not, and increased media coverage leading to escalating reputational damage if the story leaks out.
I think the cyber context is considerably more complex for schools today, compared to what it was 2 years ago. To be fair, this is true for most organisations which have had to go through a fast-paced digitization throughout the pandemic.
How can schools avoid the risks they are facing?
The first thing, in particular for school leaders, is to accept that the context has changed around cyber security over the past couple of years, and to understand to what extent it has changed.
They have become more and more dependent on digital services, and that has exposed them considerably more to cyber threats, which in parallel have also escalated.
The defences you might have had in place 2 years ago may not be enough any more.
The main risk here is denial; thinking that nothing has changed.
Once you have accepted that, the second step is to understand that there is no real silver bullet here, in spite of what countless vendors would like you to think; this is not something you can outsource or make disappear by simply buying some tech or giving it to a vendor to sort out.
Technology has a role to play of course in cyber protection, but to determine what you need to do, you need to understand first where you are coming from around cyber security, the things you were doing well before, or not so well, or not at all, and decide on an action plan in accordance.
But invariably, this will not be just about technology; you will have to act at people, process and technology levels to raise cyber security maturity if you are starting from a low point.
For example, if you look at how you can achieve some form of effective protection against ransomware, it is about acting at a number of levels.
You need to train staff and students around identifying phishing emails and not opening unexpected attachments; that’s primarily about PEOPLE if you want, but it’s not enough by itself, because of human nature and invariably mistakes will simply be made.
You also need to filter emails and attachments upstream to reduce their occurrence in people’s mailboxes; you will need TECHNOLOGY to do that; but by itself, that’s not enough; some will always go through somehow.
You also need to apply security patches in a timely manner because those vulnerabilities are what malicious material is looking for, and that’s primarily about the way your IT operational PROCESSES are organised; but by itself, again that’s not enough; across large IT estates, you are always likely to miss some devices.
Thinking defence in layers is key, and People, Process, Technology, not just Technology.
From our research, schools have many network security tools in place, but the Cyber Security solutions market is full of ‘snake oil salesmen’. What’s your opinion on the solutions out there and what schools should be prioritising?
This is a hard question to answer, in particular around prioritisation, because situations are bound to vary from school to school. Cyber security has been around in some form or another for the past 20 years; most schools — like most businesses — would have been exposed to it and are likely to have already a number of tools in place as you say; firewalls, anti virus and the like; I don’t believe there is a single organisation anywhere in the world which is a complete greenfield in terms of cyber security.
So key to determine priorities would be to understand what has been done so far, and where strengths and weaknesses are in the current practices. And thinking in terms of People, Process and Technology; not just Technology as I said before.
This reliance on technology also makes a school a data-rich organisation. Schools collect data on student performance, behaviour, safeguarding, attendance, health issues etc. They also hold data about parents, their financial information, and much more. In the old days a security breach would be someone walking out with a pen drive or making copies on a Xerox machine. Nowadays, a data breach is much easier and much more dangerous. There are strict regulations that schools must follow too. How can schools take control over their data to avoid any issues with breaches?
Again, this is a hard question to answer, because here you are touching — very rightly — on data protection regulations and they will vary from country to country.
I agree with you that schools will — in all cases — hold personal data about students and their parents, sometimes sensitive data for example around health issues as you point out; of course, they also hold personal data as well about their staff, like any employer.
In generic terms, I would say:
- Start by building a proper understanding of the data privacy regulations you have to comply with (there may be several), and what they impose upon you, not just in terms of data security, but also around the way consent is obtained, retention, deletion and international transfer obligations or limitations, etc…
- Understand where the personal data you hold is stored, in structured (i.e. systems or databases) and unstructured (i.e. files or emails) repositories; the sensitivity of it (according to regulation); the service providers involved in its processing and the nature of the contract you have with them; who has access to the data; how you control and monitor that.
Once you understand the situation you face, you can start building up some form of compliance alignment roadmap, but it’s hard to be more specific without that.
- Don’t ignore unstructured data (files and emails).
- Cloud providers, in particular Microsoft through Office 365, have put vast efforts into this and offer very comprehensive features; look into what they can offer before jumping in the arms of some vendor (you were talking before about “snake oil vendors” and there are countless in that space…).
I can see large schools investing in external support, like consultancy firms, to develop their Information Security Governance. But how can smaller schools (or schools with limited resources) make sure they have good governance in place?
Good governance around cyber security is not just about complex roles, responsibilities and policies; of course all those are important, but it has to start with clear ownership and a credible and visible acceptance of the issues from the top.
If teachers, students, admin staff, IT staff, see someone at the top of the school credibly and consistently taking ownership of cyber security, as a priority for the school, their mindset will start to change.
That’s something any small school can do once they accept this is something they want to address.
Information Security is also about people, culture, and communication between stakeholders. But our research shows that there is a huge gap dividing IT and school leaders. Most school heads do not understand the world of IT and the head of IT does not necessarily understand in depth the needs of teachers and students. These actors speak different languages. What would you recommend schools to do to overcome this communication issue?
Cyber security is no longer something which you can just see as an IT problem.
Threats are real and are more virulent than ever; they can cause you considerable pain through downtime, considerable financial damage through ransomware if you decide to pay the ransom, considerable reputational damage if the story reaches the media including social media, and possibly loss of business — or more — if data about VHNW parents is leaked out, and that’s before mentioning possible regulatory implications or fines if personal data is involved in countries where it is strictly protected.
Even if they have to educate themselves about it, school leaders need to understand this is something serious and real which can take the school down; not some weird IT issue.
There is nothing to be embarrassed about; this is serious and this is real and it’s happening everywhere across all industries; and it needs to be owned at the top of the school as a real risk and handled as such.
In my experience, once that level of acceptance has been reached at the top, natural top-down dynamics and the management experience — in general — of the people at the top do the work; priorities get a reset and change starts to happen.
It may involve the creation of a small cyber security unit to act & coordinate at the interface between IT, teachers, students and admins, if cultural differences require it; or simply the appointment of a high-ranking school official to drive a cyber programme of change.
I also believe it could make a lot of sense for some schools to combine privacy and security actions into one programme of work, where they believe maturity levels are low on both fronts.
But it has to start with clear, visible, credible, and consistent ownership at the top of the school organisation for any of that to work.
The Edutec Alliance helps schools to overcome their digital transformation challenges: Shaping technology structure and strategy to offer the best possible learning experience to pupils and efficient day to day operation for the whole school community.
Corix Partners is a Boutique Management Consultancy Firm focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.