Roundtable: Save the data – Boris Radanovic & Andrew Williams

Are our schools and universities doing enough to safeguard student and staff data? Steve Wright quizzes some experts in the field

The last in our series on safeguarding data, we speak to Boris Radanovic, Engagement and Partnership Manager and Andrew Williams, Online Safety Consultant at South West Grid for Learning.

Q. We’ve all been well schooled now in the importance of data security. But can you outline some simple, practical and affordable solutions for schools and universities?

0 Data security and affordability can seem difficult to achieve simultaneously. Furthermore, the very wide range of schools and universities makes it difficult to suggest a one-size-fits-all approach.

But there are some obvious steps to take:

  Regular, off-site backups give you peace of mind and resilience to recover quickly in the event of an incident. 

  Up-to-date software is key: software vendors provide updates and patches to help close security gaps. If you don’t update regularly, your technology will be vulnerable. 

  Good quality, regular staff training, especially around ransomware and social engineering, is always a good approach.

  Elsewhere, institutions should manage permissions vigilantly. Not all users need admin rights. Staff should ‘elevate’ privileges to install something. That way malicious installs can’t work ‘silently’. 

  Think carefully about your passwords.

  Build data security into your network design – think about Wi-Fi, remote working and segmentation (and if you don’t know what these mean, seek help from your IT team). 

  Finally, plan for when things go wrong – have responses, breach management, business continuity plans and communications plans in place. Draw them up, test them and modify following the test. Then repeat at least annually. Consider insurance to underwrite the risks.

Q. Are schools and universities sufficiently aware of both the risks out there and the solutions available to them?

Andrew Williams: Staying on top of advances in technology can be a real challenge for some establishments. With reduced capacity and a natural focus on protecting the child and supporting their learning, data security often takes a lower priority. However, changing this mindset is vital. That’s not to say that all establishments don’t prioritise data security: many do, and some do a fantastic job of it.

With the variety of educational establishments across the UK, unsurprisingly we see a wide range of approaches and technologies implemented. Trust in your technical partner is imperative, but how can the client – especially a school or university – assess the latter’s capability? Our own partnerships across industry suggest that there are a wide range of partners who are suitably prepared to support educational establishments with software and services that are readily adoptable by establishments, meeting a wide range of requirements. The challenge, here, is the time and money required to explore the market and identify cost-effective products for education. These are definitely out there, but some establishments need to recognise that paying to secure your data is as important as paying to secure your site.

Q. How much of this comes down to material solutions (better software, etc.), and how much down to human solutions, such as better training for staff and students?

Boris Radanovic: Those two elements are interwoven and cannot be readily separated. On the one hand, material solutions do exist that help to protect your systems and data. But, to quote Kevin Mitnick, computer security consultant, author and hacker: “The weakest link in the security chain [is the] people who use, administer and operate computer systems.” While online security protects systems and processes, online safety protects and educates people. System and data security remain vital concerns for any responsible organisation working in today’s digitised system. 

It can be argued, though, that education, raising awareness and investing in your workforce gives better and stronger protection of your core assets than any software. You can always buy a new data security programme – but if your staff have no idea of the basic principles of data security, all that money and effort will be in vain. 

It was clear, from our 2018 Annual Assessment of School Online Safety Policy and Practice, which took evidence from 13,000 schools, that staff training remains consistently one of the weakest aspects of school online safety, with 43% of schools offering no staff training, to date, around online safety.

Creating a competent and cybersecurity-aware staff (and by extension, providing staff with access to effective cybersecurity training) is vital. 

Q. Do schools and universities face a slightly different set of issues from other industries, when it comes to data security?

Andrew Williams: Cybersecurity threats do not know nor recognise the type of organisation, merely seeking to exploit vulnerability where it exists. The question is not whether educational establishments face a different set of concerns. Rather, it is: do those establishments realise how valuable or sensitive their information is to the online world? Schools and universities process and store amongst the most sensitive type of personal data, and need to be aware of this and vigilant in response.

That said, there are two areas where we see a slight difference between education and other industries: lack of capability and lack of funds. This is not to denigrate those professionals responsible for cybersecurity in education, many of whom are highly qualified. What is unclear, though, is the extent to which senior leaders recognise the importance of data security, and allocate sufficient resources. 

In terms of the sources of threats, schools and colleges may be somewhat different from other sectors here. A 2018 Jisc survey indicated that the sources of many cyberattacks in UK HE are students or staff. This may not come as a surprise as, in some schools or colleges, students’ digital capabilities will sometimes exceed those of the professionals managing the technology.

Given that education establishments hold extremely valuable data, isn’t it about time we helped them to understand this, and ensured that they are adequately resourced to plug any gaps?

Q. Is there one particular area (such as loss of sensitive information, malware, phishing etc.) where schools and universities are particularly at risk?

Boris Radanovic: We have continued to see a rise in phishing emails sent to educational establishments. With ever-increasing sophistication, these can very cleverly appear to be official and legitimate emails from your bank, a tech company or similar. 

Whilst on the subject of fakes, we have also seen a growth in educational establishments spreading and instilling fear and misinformation about online challenges and fake news. The hysteria merely creates a moral panic, simply driving people towards the problematic content in their concern and inflating the problem. Without proper guidance and advice, or even a basic amount of effort to research a new trend or topic, establishments are prone to sending well-intentioned, but misguided information to their pupils or students. Tools and helplines are now in place – such as the Professionals Online Safety Helpline, which allows professionals working with children to get help with any online safety issues that they, or the young people in their care, may face. 

Q. In terms of its data security, how does the UK education sector compare with a) other UK industry sectors and b) other education systems around the world?

Andrew Williams: If we compare the education sector against other public services, it could be argued that there is not a huge amount of difference. There is a good level of coordination and, in some cases, information-sharing processes have been agreed. That said, schools and colleges have a high level of local autonomy – particularly in England – which makes for a great variety of approaches towards security. In a general sense, large educational establishments do have a greater capacity to implement successful data security measures.

There can be little doubt that many educational establishments at any stage of development would benefit from a statutory requirement to meet a given set of standards in data protection, security and wider technologies, coupled with some clear funding to step-change the industry towards a more secure and protected environment.

Our experience working with educational institutions across Europe seems to suggest that they have similar, if not identical problems and obstacles: a low level of understanding of, and engagement with data security concerns, coupled with a lack of funding for investment in security and safety. 

The advantages that the UK has over some other systems are its relatively strong investment in technology, and the role of the mainstream media in highlighting issues. That all falls down, however, if schools and other institutions don’t have the resources, whether financial or human, to invest more in this area.