Infosec in Schools

Infosec In Schools – Is This Too Much To Ask For…?

According to the Information Commissioner’s Office (ICO), data breaches reported in the UK have increased tenfold in the past five years. In local government the increase was 1,609% and within the NHS 935%.

With the current maximum fine of up to £500,000 for a data breach, or for failing to adequately protect personal data, schools are not immune. Given the rate at which cybercriminals are compromising systems regardless of industry or organisation, and the lack of robust security in some schools, it will not be long before the ICO is issuing fines to schools for data breaches.

In the education sector, firm figures are not yet available. However, schools, FE and HE institutions are arguably among the institutions that have been left behind in taking up the mantle for information security. Unless they are a ‘flashy’ academy, a high-profile university with plenty of money, or one of the schools that falls under the Building Schools for the Future programme, essential security programmes and best practices are hardly on the radar for their internal infrastructure. The situation gets worse further downstream, where few schools actively deliver up-to-date, relevant cybersecurity or cyberbullying workshops, or educational awareness seminars, to fulfil their e-safety responsibilities.

The pace of technology is moving so fast that the programmes currently delivered in schools are dated and, for the most part, require a total overhaul. For this to happen, a shift in every aspect of school culture and the education system needs to take place: from strategy and curriculum, to teachers and infrastructure, to pupils, staff, parents, guardians and carers.

The Facts

More and more there is a significant focus on education institutions, simply because they are seen as easy targets for cybercriminals. Over the past few years there has been a spike in the frequency and scale of security breaches in the education sector, many of which can be argued to be down to utter carelessness. One such example is the ‘big bang’ of the Conficker worm, which hit a large number of educational institutions, compromised confidential systems, data and email, and took control of critical infrastructure assets. The impact was so severe that Internet Service Providers and various other organisations blacklisted some institutions and their domains.

Some of the most recent reports of data security breaches in Schools are as follows:

As with many businesses, the security culture that is expected by default is an acquired taste, and the majority of businesses nowadays are playing catch-up with everything in the technology arena unless they are at the cutting edge of forward-thinking innovation and setting the pace themselves.

The Current Situation In the Education Sector

The current situation, and the way in which the powers that be fund, support and drive curriculum programmes, leaves much to be desired. The lack, or shortage, of ICT teachers and experienced ICT staff in some schools leaves them more vulnerable to cyber-attacks. Even where schools subscribe to their Local Authority for infrastructure services, there are still significant deficiencies in holistic security and compliance, and in keeping up with the pace of mainstream technology.

Why Does Pupils’ and Institutions’ Data Need Protecting?

  • Protected and vulnerable children need their privacy protecting
  • The school has a responsibility for safeguarding children while they are in its care on campus
  • Test results, exam papers and pupil records can have serious implications if this sensitive information falls into the wrong hands, such as paedophiles, cybercriminals and others with malicious intent

There’s Still Hope…

The Ofsted e-safety framework is a good start towards standardising and laying the foundation for best practice and governance in schools in a holistic manner.

The framework covers key areas such as:

  • All teaching and non-teaching staff should be aware of, and able to recognise, e-safety issues, with high-quality leadership and management making e-safety a priority
  • High priority given to training and continuing training for all staff, including the contribution of the wider school community, with at least one member of staff receiving accredited training (for example, to become an e-safety officer)
  • Clear reporting processes
  • Rigorous, plain English policies and procedures integrated with other relevant policies
  • Progressive e-safety curriculum
  • Provision of a recognised Internet Service Provider (ISP) with age-related filtering
  • Good risk assessment

The Challenges

Some of the key challenges that hinder the growth of this area, and its recognition as a serious profession, are:

  • Its limited appeal to the younger audience who will make up the future workforce
  • The industry does not have a standardised career path comparable to well-established professions such as finance, medicine or nursing
  • There is not enough awareness in schools, or among the general public, of the opportunities and rewards of an information security/cybersecurity career
  • The lack of teachers and careers advisers with the right skills, knowledge and depth of experience: most advisers lag behind in technology experience and are predominantly focused on traditional mainstream career paths

 

If the education sector is to thrive and become more vigilant, and as high-tech as some of the wealthy academies, there needs to be a radical shift in culture and in the way the traditional curriculum is structured and run.

What Needs To Be Addressed At School Level?

Some of the things that need to be addressed to enable schools, the labour force and the country as a whole to sustain a defence against the growing cyber threat to key national infrastructure systems are:

  • Greater support from government, education bodies and independent agencies, to ensure that the right resources are allocated to the areas that need them most and to those that will drive a cultural change and a fresh approach to the future of cybersecurity and risk mitigation
  • Recruit and/or train the educators of the future, and encourage existing industry professionals to work in the education sector
  • Train a new generation of careers advisers, and make sure that information security is seen as an attractive profession with remuneration equal to or better than comparable professions and career paths
  • Regular campaigns and awareness workshops need to be part of the ethos and strategy, to build a stronger platform and framework for the new generation of security professionals
  • More cyberbullying workshops, competitions and activities around security, privacy and best practice need to be undertaken, to continuously reinforce the message and the long-term objective of establishing information security as a profession to aspire to
  • Careers open days need to be held across the country to raise nationwide awareness of the importance of information security and cybersecurity to the country and to schools

 

At the moment there are no prescribed pathways for a young person, or an adult looking to switch career, to follow. Some, if not most, of the seasoned security professionals in large organisations today are people who fell into information security because they were the most technical person in the organisation at the time, or because they independently saw a need and a gap, and their career evolved from there.

Unlike many other career pathways that have a definitive route into their sector, the IT sector as a whole is one of the most disjointed, and there are many unorthodox routes into the various roles in information technology.

As an example, a typical route into the field of information security, leading to the role of Chief Information Security Officer (CISO), could look like this:

  1. Aspiration or career change
  2. Gain applicable experience through a series of roles, including but not limited to: Security Analyst, Security Auditor, Malware Analyst, Systems Security Administrator, Network Specialist, IT Manager/Team Lead
  3. Gain a degree (or a non-degree qualification), or undertake private training outside the school curriculum
  4. Obtain one or more of the following qualifications: CISM, CISSP, CISA

 

Some of the most common job titles/roles in the field of information security are:

  • Chief Information Security Officer (CISO)
  • Security Analyst
  • Security Consultant
  • Privacy Analyst/Consultant
  • Security Architect
  • Technical Security Architect
  • Security and Compliance Officer
  • Security Manager
  • Vulnerability Manager
  • Ethical Hacker

 

Some of the qualifications typically expected of those working in the field are:

  • CISSP – Certified Information Systems Security Professional
  • MSc – Master of Science in Information Security
  • BSc/BS – Bachelor of Science in Information Security
  • ISO27001 Lead Auditor
  • CISA – Certified Information Systems Auditor
  • CISM – Certified Information Security Manager
  • CSO – Chief Security Officer
  • Many years of hands-on experience directly in the field*

The government recently launched a Cybersecurity Apprenticeship Scheme [ http://www.bbc.co.uk/news/uk-19987761 ] aimed at attracting apprentices into security, to create a pool of future professionals who will help protect the interests of the country and support its cybersecurity strategy. Suffice it to say, not enough has been done to ‘chip’ the iceberg, and it will take a combination of efforts, partners and shared aspirations among the eligible workforce to really move things forward in this area.

As a country with such a strong reputation for its education system, we are uniquely placed to lead by example and embed a strong security culture in schools and education institutions, to help combat the ever-growing threat of cybercrime against our nation. The sooner efforts are made to establish cybersecurity as a mandatory course in schools, the better placed we will be to nurture an educated, committed and skilled workforce to fill the gaps in this area. Never before has there been such a push for skilled security professionals to close the skills gap and protect the national infrastructure and intellectual property of the state, business and individuals.

Practical Steps And Suggestions

So, how can the government and the business community help make this happen?

  1. Empower senior educators and institutions with the freedom and support they need to make the right decisions, and hold them accountable for the outcome of such initiatives
  2. Embed the need for excellence, and results-driven measurement, in the performance objectives and KPIs of education institutions
  3. Embed security culture at the core of the education system, i.e. from kindergarten, through primary and secondary school, to FE and HE institutions
  4. Develop extra-curricular programmes and activities inside and outside the educational environment, to keep the momentum and enthusiasm flowing
  5. Make the profession attractive to all genders and to those in other long-established professions
  6. Incentivise the profession, and make sure it is seen as a viable career as worthwhile as any other
  7. Develop a framework, code of conduct and professional association that harmonise all the disjointed parts of the profession; by doing so, misconduct, malpractice and carelessness can be dealt with in the same way as they are in the legal, financial and medical arenas
  8. Develop and implement legislation and a supplementary framework to support the profession and add credibility, to ensure it is taken seriously
  9. Embrace change and adapt to the changing cyber-world around us

This list of recommendations could go on and on, but nothing happens without the commitment of all the stakeholders involved, and the buy-in and support of senior management. What is needed is a collaborative approach, with direct input in the form of a top-down approach where necessary.