I try to step outside education at least once each year, looking at the bigger technology world by attending an industry event. The most recent of these was the TEISS European Information Security Summit on 23rd Feb in London. I feel it is important to keep up to date with the wider technology world to sense check my thoughts and ideas and to benchmark technology in education against technology in other sectors. During the course of the event it was interesting to have discussions with people from a diverse range of industries, including highly regulated industries like banking. Hearing that they suffer similar issues to education, such as shadow IT or difficulty identifying responsibility for data, but at a much larger scale, was reassuring.
Given below are some of my takeaways and thoughts from the various sessions and discussions I had throughout the course of the conference.
Budgets and Cyber
One of the first takeaways from the event related to cyber security and budgets. It was presented that cyber budgets and cyber spending have been on the increase for a number of years. It was also, however, indicated that the volume of attacks and the size of attacks continue to increase. For me this suggests that more budget, including the additional staffing that comes with it, does not necessarily solve or improve the situation in relation to cyber. From the point of view of schools and colleges this is important given the limited budgets available. I think this highlights the need to start approaching cyber and cyber risk a little differently: possibly being more accepting of the fact that we will never reach 100% secure, and therefore accepting cyber as a journey, focusing on our key "business" assets and on continual improvement in cyber security in whatever form this may take, including where the improvements are simple and small.
Gamification
User awareness and cyber security culture was one of the three main streams offered at the conference, with one session looking specifically at the potential use of gamification in cyber security awareness training. It is true that cyber security and other online training can often be a boring process of reading a screen of text and clicking next repeatedly before completing a test at the end. Clearly this is not an engaging experience, and therefore possibly an experience where little long-term or deep learning takes place; we may remember for long enough to answer the test at the end, but ask the same questions a week later and I suspect retention of the content will have dropped very low indeed. So this is where gamification comes in. The presenters identified two types of gamification: content-based and structure-based. In content-based gamification the content itself is presented as a game. In structure-based gamification the content is the same but is wrapped in some sort of leader board, prize or other enticement to engage users. As the session was presented I was thinking of the potential of running a Kahoot quiz with heads of department where they need to identify whether emails are trustworthy or not, for example. I also thought about some sort of competition between departments, so maybe a quiz or phishing test which results in a cyber score that can be reported and compared with other departments. This is one area I will certainly be looking into in the short term, to see how I can gamify user awareness materials and processes and what impact that has.
Civic duty rather than organisational cyber security awareness
Another point made during the conference was to engage people on security awareness beyond simply keeping the organisation's data secure, and to accept that we can also deliver a civic benefit in making users more secure, both personally and professionally. Where we do this we are more likely to engage users and have them learn from awareness programmes, and we also address the risk of a personal cyber incident impacting on the school or other organisation anyway. Take for example a compromised personal mobile phone: it may hold organisational email, or information about the individual which could be used in crafting an attack against them in their professional context, among other data which could pose a risk to the organisation.
Regulation as a change agent
One of the panel sessions I attended involved discussion of change and of compliance with security standards, change processes, etc. From a school and college point of view this can be difficult as, although policies are in place, they will sometimes be overlooked, and busy staff, both teachers and support staff, as well as students, may fail to engage with requirements or training around cyber security. One of the panellists in the session highlighted that this wasn't an issue in financial technology (FinTech) because the business is heavily regulated, meaning the penalties for non-compliance, for both the individual and the organisation, can be quite extreme. Taking this insight and applying it to education got me thinking of the potential for the DfE to set requirements and for ISI and Ofsted to then include these within their inspection requirements. The release of the DfE standards is a small step towards this; however, I suspect that is about as far as things will progress, which, without any monitoring or penalties for non-compliance, is very limited in terms of impact.
Cyber insurance
There was a good session discussing cyber insurance with a very clear takeaway. The session talked about how the cyber insurance market has seen policy costs increase along with greater requirements to get insured. The questionnaires which you need to complete were a particular focus of discussion, in that some of the questions are not easy to answer or not appropriate in a given context. I had never really thought about this; however, the panel highlighted that the purpose of these questionnaires is for the underwriters to get a view of the risk in order to provide their proposal. As such, if the questions don't make sense, it is the underwriters whom we need to discuss this with, to find out what they were hoping to learn from a given question. Apparently the underwriters often don't have access to client information, as this is handled by the broker, so it is for the client, the school or college, to request a discussion with the underwriter and to initiate dialogue.
Conclusion
Cyber security seems to me very much to be a business risk, including where that business is the education of students. As such it impacts all organisations, albeit the scope of impact and the scope of risk varies. This means there is a lot to gain from sharing experiences and ideas across sectors rather than just within sectors. Having attended this industry-focused information security event, where I think I may have been one of very few from the education sector, I came away with a fairly long list of ideas and things to try.
But if I am to leave this post with one thought it is that maybe we need to get past the doom and gloom of cyber and become more accepting of doing what we reasonably can and of seeking to constantly improve, even where these improvements might only be small and minor; it is about risk management. Any progress in the right direction is progress after all.