Every school wants good safety and security. So does every business, every charity, every public sector organisation. After all, protecting the things that are important to you from risks and dangers is a key priority.
Achieving good safety and security, however, requires an understanding of how these two areas, often looked at as one, are quite different.
Here’s a concept that helps, with three main elements:
- You: a person that uses Systems
- Systems: the hardware, software and information that you own, use or manage, and interface with (to be part of the Environment)
- Environment: other users and systems outside your organisation, and wider society
In both safety and security, the ‘Environment’ is generally beyond your direct control, while the ‘Systems’, and of course ‘You’, are generally within your control.
Safety is about protecting You from Systems and the Environment; however, Security is about protecting Systems from the Environment and from You.
At SWGfL we’ve been providing tools and services to help you with online safety for over ten years. Today, thousands of schools use our 360 degree safe online safety self-review tool, and hundreds of schools are benefitting from BOOST, a suite of powerful tools from our online safety experts.
But what about security? A lot has been happening recently, and we think schools need tools, services and support in this field too.
Information Security Challenges
For a start, GDPR landed on 25 May 2018, bringing with it a range of new requirements around the processing of personal data, new and strengthened rights for data subjects, and obligations to ensure that:
- Personal data is processed in a manner that ensures appropriate security (article 5); and
- Data controllers and data processors implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32).
We’ve also seen the continued rise of ransomware. IBM and Verizon (in their 2018 Data Breach Investigations Report) advise that ransom attacks were the dominant malware form in 2017, and that ransomware is increasing to become the primary attack vector of malware generally. The statistics also show that ransom attacks are beginning to target servers (rather than individual users).
And education is a target (because, like healthcare, the data that criminals can extract has value): in early 2017, a US FE organisation paid a huge sum to regain their data following a ransom attack.
And more recently, of course, the news that nearly 50 million Facebook users’ accounts were compromised reminds us of the scale of them problem, with Mark Zuckerberg reported as saying “I think this underscores the attacks that our community and our services face”.
Information Security for Schools
Information security, or InfoSec, isn’t new. But some of the challenges above are putting it into a new context. For example, whilst the Data Protection Act 1998 was based on the premise that you were compliant until you were proven not to be, GDPR puts the onus on you to demonstrate compliance.
Do schools need to think about InfoSec any differently to everyone else? Well, yes. Similarly to online safety, InfoSec is different in schools for a number of reasons, including:
- Most of your users are under 18, and are not employees of the organisation
- You process a lot of personal data, including images of children
- You process a lot of ‘special category’ (or sensitive) personal data, including medical records of children
- You may work very closely with other schools (as part of a Multi Academy Trust or a federation), so you need to share, but still maintain individual systems and boundaries
- You may allow (or even promote) the use of personal devices (or BYOD) on the network, which brings a whole new set of security issues (see below)
So what can you do? We’ll be bringing you a range of InfoSec tools, services and support over the coming months. For European Cyber Security Month, SWGfL has started work on a range of things we think schools will find useful.
For starters, run through our ‘Personal Devices’, ‘Defence in Depth’ and ‘Twelve Information Security Steps’ below and get in contact to let us know how you get on.
Use of personal devices in school, or Bring Your Own Device (BYOD), means a range of additional or increased security risks to think about, including:
- Data leakage: personal devices aren’t always patched, setup and controlled in the same way as school devices, but if they can access school data, the risk of data leakage increases.
- Data merging: with personal devices joining a school network, it can be difficult to differentiate between school data and personal data.
- Increased malware: users install different apps and send and receive different types of data on personal devices, which can mean a lot more malware that may then make its way on to the school network.
- More vulnerabilities: on personal devices, security products may not be as up to date as on school devices, and application downloads may not be as secure. This can introduce additional vulnerabilities when the devices connect to the school network.
- ICT infrastructure demands: more devices puts additional pressure on WiFi, storage, the internet connection, as well as potentially creating a requirement for Mobile Device Management (MDM) technology.
Managing these risks needs careful thought, and it is usually the case that policy needs to come before implementation (e.g. for MDM to work effectively, the policy for which devices are and are not permissible needs to be clear).
Here are some key personal device questions to consider:
- Do you have a clear policy?
- And can that policy be effectively applied?
- Do you undertake regular checks for compliance with the policy?
- Do you know which personal devices are accessing your network?
- And do you know which resources and services these devices are accessing whilst on the network?
- Do you have an effective process for enrolling users and devices in the BYOD scheme?
- Do you separate organisation data and personal data?
Defence in Depth
Defence in depth is a concept within information security in which multiple security layers are implemented throughout the ICT systems. A good approach will combine security controls from three areas:
- Physical security: anything that prevents unauthorised physical access to systems or data (e.g. perimeter fences, locked doors, CCTV).
- Technical security: the hardware and software used to protect your systems and data (e.g. firewalls, disk encryption, Windows account permissions).
- Administrative security: the policies, procedures and guidance set out to help ensure the right level of information security (e.g. recruitment practices, data protection policy and user account management processes).
Three of the key technical security measures we recommend are set out below:
- Firewall: an enterprise-class, professionally-managed, ‘next generation’ firewalls provides a strong perimeter defence.
- Web filtering: preventing user access to sites that contain inappropriate material and malware is an effective means of reducing the likelihood of issues.
- Anti-malware: good quality, up-to-date anti-virus software on servers and workstations is essential. It’s also advisable to consider anti-exploit technology to provide additional protection against ‘zero-day vulnerabilities’.
- Training: the fourth security measure! And still one of the biggest information security challenges. The best technical security measures can be of little use if users leave the doors open.
Of course, an effective defence in depth approach will require more than this, and will require frequent review, but making sure these measures are in place is a good start.
Twelve Information Security Steps
Click here to view the twelve key steps you can take (or just check, if you’ve done them in the past) to get some information security fundamentals in place.
If you want any more information about information security, or want to discuss how we can help you, please visit the Security area.