Managing risk has always been a critical part of any school’s agenda, but in today’s climate of overburdened budgets and countless claims on a School Business Manager’s time, there are numerous technology-based risks which can easily be overlooked.
Most schools have excellent risk management strategies in place to minimise these eventualities, but for those who don’t, it’s worth conducting a full audit of your IT systems to identify any anomalies and ensure they’re covered.
Silvana Tann and Chris Taylor of RM Education work with schools every day to help them consider these risks and develop clear strategies to manage them. Here, they examine some of the most potentially catastrophic situations schools could face, and present practical solutions for minimising these risks.
Your current technology is going out of date and you can’t afford new devices
Technology is moving at a pace many schools struggle to keep up with, and this trend is at odds with the fact that historically, schools have become used to investing huge, one-off, lump sums into hardware because that’s what they’ve always done.
But there’s a constant risk of this technology going out of date – so leasing your school’s devices, instead of constantly buying and upgrading them, presents a clear solution for mitigating that risk.
Schools must ensure they’re armed against these kind of attacks and that their back-up systems are as robust as possible
Chris Taylor suggests that there’s often a fear of leasing equipment in state schools because of the notion of spending public money without actually owning anything.
“Governing bodies can often have quite a traditional mind-set from that perspective, and feel that if they’re going to invest over a five year period, they want physical assets to show for it,” says Chris.
“But in technological terms, the only thing you ever own is the technology of today – as soon as it goes out of date, all you’re left with is the debt from that redundant technology when it changes.
What would happen if one of your SLT was carrying around removable media like disks or data sticks which could identify pupils, and that data was accidentally dropped on a bus or train?
“In our everyday lives, consumers lease everything, from smartphones to cars. You don’t have to worry about the initial cost outlay and if your phone is lost, stolen or damaged, it’s easy to get it replaced. And if it’s superseded by something newer and shiner, you simply upgrade your package.”
Chris explains that while leasing makes sense for consumers, it makes even greater sense for schools. As well as alleviating budgetary pressures and safeguarding against changing technologies, a leasing model means devices can be used at home by pupils – enabling them to continue learning outside the classroom.
You have an IT problem you can’t solve – and it brings learning to a halt
“When you think about the whole ICT estate, from infrastructure to software to security, there are so many pressure points on your Network Manager or IT support staff,” explains Silvana Tann.
“And if they’re ill, absent or on annual leave and something goes wrong, it can create a log jam that could lose hours of teaching and admin time.”
While some schools might think it’s more cost effective to run all their IT systems ‘in-house’, Silvana believes there are substantial risks in doing this because schools are limited to one person or one skillset. If something happens which can’t be fixed ‘in-house’, schools then find themselves having to bring in outside expertise at an additional cost.
“When an IT issue occurs that goes beyond the expertise held locally – such as server failure, or pupils not being able to log into something – schools have to rely solely on their Network Support Manager or IT technician, who may not always be able to help,” says Silvana.
“This puts schools in a vulnerable situation as it could ultimately lead to hours of lost teaching time and major classroom disruptions. Schools need access to a team of experts with a real sense of what’s going on in education generally, staying on top of the latest whitepapers, cloud strategies and emerging technologies – and that simply can’t be done entirely in-house.”
Outsourcing IT support allows schools to transfer the risk of day-to-day mishaps and any other risks associated with IT to the service provider, as well as providing cover for sickness and holidays.
It also minimises any disruptions from technology, as IT partners providing managed services to schools can run proactive checks on the schools’ systems throughout the day to instantly pick up and rectify issues before they become a problem.
Alternatively, co-sourcing IT support can fill in gaps in internal expertise and save schools time, money, and effort in recruiting additional staff. By combining services from within the school and from a well-chosen partner, both parties can work to achieve the same goals.
You open an email that turns out to be malware, and lose critical school data
Most of us have, at some point, opened an email that looked relatively benign, but turned out to be a phishing scam or something else that aroused our suspicion. But if someone in your school opened an attachment that turned out to be ransomware or malware – and you don’t have your data backed up – your critical school information could be at risk.
The prevalence of malware (malicious software) and ransomware (which encrypts your network and charges you thousands in a ransom to decrypt it) is a growing cause for concern, and it’s more of a case of ‘when’ rather than ‘if’ your school is targeted.
“You’re only as good as your network or disaster recovery plan,” warns Silvana. “And in an age where data is so critical, schools must ensure they’re armed against these kind of attacks and that their back-up systems are as robust as possible.
“This is an area where schools rely heavily on the strength of their anti-virus software and the capabilities of their Network Managers – but that won’t always mitigate the risk because so many security threats are developed every day, and it’s incredibly difficult to be aware of every new virus as it’s launched.
“I’ve known schools attacked by a serious piece of malware which their own systems didn’t detect, but we found it remotely and removed it before it could do any damage – that’s why having remote technical support can be essential in managing this risk.”
Ultimately, a good governance policy should be the starting point, outlining clear protocols for what all staff should do if they receive an email from an unrecognised sender, or an odd attachment from someone they know whose account may have been compromised.
Your pupils are accessing inappropriate or extremist material in school
The internet has undoubtedly brought a myriad of benefits to learning, but as the breadth of content available to pupils increases every day, so do concerns over online safety and the risk of pupils accessing inappropriate content.
“The key to managing risks associated with online safety is to empower pupils to understand those risks for themselves – from stranger danger to cyber-bullying to sexting – and be able to proactively reduce them,” says Silvana.
“But that can’t be done without a strong, clear and up-to-date e-safety policy that identifies every potential risk and outlines protocols for managing them. These policies also need to be updated frequently, because technology is evolving so rapidly that new risks to internet safety emerge every day.”
However, no policies can prevent a pupil searching for inappropriate content, so integrating filtering and monitoring tools into your school’s network is fundamental to mitigating these risks.
These tools allow schools to filter age-appropriate content and to track and monitor keywords or topics which could highlight a major cause for concern – such as students looking for information on suicide or self-harming, or content which could be considered radical or extreme.
You’re not sure where all your school’s data is stored
New General Data Protection Regulations (GDPR) will come into force in April 2018 to replace previous Data Protection laws, and they’ll set significantly higher standards for the way that all organisations – including schools – manage and store their data. Amongst a litany of other changes, schools must be able to show complete transparency with their systems for data storage and management and have clear procedures in place to deal with a suspected data breach.
“Ultimately, these regulations exist to protect the people whose data is held by any type of organisation, and if organisation’s aren’t able to show exactly how their data is stored and managed, they could face hefty fines,” explains Chris.
“As data owners, schools can benefit from being much tighter on security and storage of that data, both in-school and beyond. For example, what would happen if one of your SLT was carrying around removable media like disks or data sticks which could identify pupils, and that data was accidentally dropped on a bus or train?”
Chris suggests this is another area where using cloud-based systems can support schools in the transparency and security of their systems. “If your critical data is stored in the cloud, your team can use tools like Google Drives, which removes the need memory sticks and it has the added benefit of increasing collaboration and sharing,” says Chris.
“Being able to access your work in the cloud from anywhere – using secure passwords – gives schools much greater control and transparency over where and how their data is stored.”
For schools who work with multiple IT support partners, Chris advises them to carry out careful checks and due diligence on their supplier’s data systems to make sure they are completely reliable and in line with GDPR standards too.
Someone cracks your passwords and accesses confidential information
Silvana estimates that 60 per cent of schools have passwords that can be cracked in less than a minute. This tends to happen when staff rely on the same passwords for years because they’re easy to remember – but they could be putting your systems at risk.
“With a school’s permission, we can test the strength of their passwords for them by deliberately attempting to crack them – and it’s pretty scary how quickly that’s possible,” says Silvana.
“Today’s generation of tech-savvy pupils might even see it as a challenge to hack their school’s systems, and it does happen – we’ve known pupils to crack admin passwords and access – or even try to expose – confidential information on other pupils.”
Schools have an obligation over how long they hold pupil data, as well as financial information and correspondence between staff and SLTs, and with forthcoming changes in data protection law, it’s going to become essential for schools to be able to lock down confidential data.
However, Silvana points out that this risk can be mitigated if schools adopt and enforce effective password policies, and change them regularly. The industry standard is that passwords must be at least eight letters long and contain one uppercase letter and one digit.
“Schools are obliged to keep data safe and this is another area where moving your systems to the cloud gives you greater security and peace of mind. A school’s Management Information System (MIS) holds critical data that schools can’t run without, but hosting it in the cloud ensures your data can be locked down and stored safely – and you can access it using a single sign on for multiple sites, removing the need to remember lots of different passwords.”
You’re losing money by paying for technology you don’t use – or need
“Investing in new technology can be a risk if it’s not properly planned and implemented,” explains Silvana. “If you don’t have the in-school knowledge to fully leverage the benefits of the technology you’re bringing in, or a clear plan of how it’ll support teaching and learning, it’s likely your shiny new hardware will end up in a store cupboard.”
This risk seems relatively obvious, but it’s a surprisingly common one. When schools haven’t taken a methodical approach to implementing technology to support teaching and learning – rather than bringing in the latest devices and trying to shoehorn them into your pedagogy – schools risk paying for things they can’t use or don’t actually need.
From software to interactive whiteboards to gleaming new iPads, Silvana says she’s seen thousands of pounds worth of technology effectively go down the drain, because of a lack of pedagogy, leadership, ICT expertise or foresight.
“My advice to schools would be that if you think you’ve already made all the cost savings you can – think again,” says Silvana. “A full audit of your IT systems and software will help you determine how you can be more efficient, and reveal what you need, and what’s potentially draining your resources.”
Your broadband capacity can’t cope with the demand
Some countries, such as the Baltic states, have nationwide policies in place to ensure optimum wifi provision across the whole country – but in the UK, we’re still behind the curve.
As schools explore new ways to improve their technology provision, make cost savings, increase collaboration and facilitate anytime-anywhere learning, having the right infrastructure in place to support these things is essential.
“We know that moving to the cloud brings tremendous benefits to schools, but as more elements are stored in a cloud environment, schools need a broadband provision that can cope,” says Chris.
“Do they have a line with enough capacity for all their users to log on at the same time? Do they have a back-up line if the first line goes down? There’s no point having a cloud-based learning environment if your systems can’t handle it because if the internet’s not available, then teaching and learning stops.”
Chris says that while it’s understandable for schools to be adverse to new investments in the current climate, technology often requires a short term investment for a long-term gain – and if schools can get their infrastructure right today, they’ll reap the benefits for years to come.
3 more ways to minimise risks in your school today
1. If you don’t already, make sure you have an up-to-date and accurate asset register. It may seem unlikely, but if your school gets broken into and you don’t have the serial numbers for each of your devices, your insurance claim could take twice as long to complete.
2. Check when your server’s warranty expires, and set up alerts so you know when the expiry date is approaching. If it’s out of warranty and your server crashes, the cost of having to replace it with an upgraded model could be significant. Longer-term, consider removing the need for servers by moving your school’s systems to the cloud.
3. Sit down with your Network Managers and make sure they have clear and complete documentation on all your systems. If they left or were absent, would your school have all the documentation you need for someone to keep your network running without them?
For more information and advice, visit www.rm.com/outsource
By Kevin Robinson with Silvana Tann and Chris Taylor of RM Education