This is a guest blog from Stone Group and Advanced Security Consulting.
Stone Group’s Simon Harbridge and security consultant Jay Abbott of Advanced Security Consulting recently got together to discuss the worrying issue of security in schools and how technology helps and hinders its progress. What they talked about may surprise you.
Simon Harbridge: Jay, you and I recently attended the same debate on digital safeguarding, and we found a lot of common ground. I was quite surprised that the conversation seems to be still revolving around simply educating kids about the dangers of online conversations. Were you?
Jay Abbott: I wasn’t taken aback, but I was a little concerned by it, as were you I think! We were talking with highly influential people, from NASUWT, Childnet, ParentZone, as well as heads of school. I felt that there was a fixation on the damage that being online can cause, and the knock-on effects on teachers and pupils, rather than a need to solve the root issues.
Simon Harbridge: Agreed. There were several moments of clarity, one being a comment that kids don’t respect or use the term ‘e-safety’, so we shouldn’t either, and another being that kids don’t distinguish between on and offline conversations or relationships – they are all part of their social mix. I can relate to that, because we’re spending a lot of time with schools who want to foster an environment of location independent learning – bringing education to life with lessons outside the classroom that use elements such as Augmented Reality to bring things online into the offline world. BYOD and one to one device schemes are driven by this change. It’s kind of exciting, seeing technology be such an integral part of day to day life in schools, especially as it’s matching children’s expectations about how life ‘should’ be.
Jay Abbott: Precisely, but from my experience, the focus needs to also be on the ‘back office’ parts of a school’s technology, for the roots of digital safeguarding strategy to really take hold. No one to one device scheme, or digital policy is going to weather the demands on it, or the attacks on its security, without particular attention to the technology, and the people managing the devices.
Simon Harbridge: Of course. We’re working with a lot of schools at the moment to replace their obsolete Windows Server 2003 technology. Much of that is driven by the unique security threats to education that continuing to use it beyond the end-of-life Microsoft has decreed. We think about one in five schools will be left vulnerable. What kind of problems do you think sticking with obsolete technology like Windows Server 2003 can lead to?
Jay Abbott: Well, in the context of a school, where an “us vs them” culture exists between the general user base and supporting infrastructure, maintaining strong internal defences is essential. The ability to attack and exploit known vulnerabilities has literally become child’s play and can even be executed from mobile phones and tablets. Due to a combination of free access to the required tools, simple user interfaces, readily available information and video learning on how to use the tools and a general teenage desire to “mess around”, any unpatched and out of date systems accessible from networks that students are attached to is a recipe for disaster.
Simon Harbridge: Yes. I wonder if enough schools consider that these sorts of attacks can come from within? There’s a lot of focus still on the safeguarding issues sites such as ratemyteacher put into play, but more needs to be understood about the basics, such as the fact that without support on obsolete products, you are also without security, so the bottom line is, everybody in the school, and that school’s data is vulnerable, regardless of the policies, internet management software or pupil education schemes you have in place.
Jay Abbott: Ofsted focuses on digital safeguarding and the penalties for failure to make sure the standards are heavy, and lots of schools understand that. But more needs to be done to promote understanding that technology’s role in your Ofsted rating doesn’t begin and end with the device in the child’s hand. I would urge Ofsted themselves to speak more about this and offer clearer guidance.
Simon Harbridge: We met with David Brown, the ICT lead at Ofsted and had a very interesting conversation about data protection and the lack of awareness in schools of its importance. The Information Commissioner’s Office (ICO) can, and will turn its attention to education soon – the NHS has recently been audited and the public sector must be held accountable for the information it safeguards. Schools should be thinking about the safety and security of their pupil and teacher data as a matter of course, before any increased scrutiny begins.
Jay Abbott: Yes, and again, data compliance and security is a ‘back office’ issue. Education really needs to continue to get its entire house in order, not just the front line of technology.