Friday 8 December 2017

Keep vigilant in the face of Cyber threats!


It appears impossible to read the news at the moment without hearing about another IT security breach. In the fortnight leading up to the time of writing, there have been reports of hacks at Uber, Imgur and a private members club whose clientele includes Stephen Fry.

Some reports suggest that cyber-attacks more than doubled in 2017. These include well publicised attacks such as the WannaCry ransomware attack that affected the NHS earlier in the year. Ransomware (a form of malware which encrypts the files on your computer and demands payment for the key to unlock them, with no guarantee that paying will get them back) is a particular area of growth in cyber-attacks. In fact, more than 4,000 ransomware attacks have occurred every day since the beginning of 2016 (a 300% increase over 2015) and the proportion of phishing emails that contain a form of ransomware grew to 97.25% in 2016.

With so many attacks making the news, you may be concerned about the cyber security threat to your Independent School. As a school with a duty of care to hundreds of pupils, it is extremely important that cyber security is tight. With so many schools keeping personal data on staff, pupils and parents as part of day-to-day operations, the consequences of losing sensitive material do not bear thinking about, particularly with the danger of steep fines under the GDPR legislation coming into force next May.

Although some Independent Schools have a dedicated ICT team, with engineers who protect and improve their networks, many don’t. For those that don’t, what practical steps can staff take to ensure that your school is as well protected as possible?

Patch Tuesday


Have you ever heard of Patch Tuesday? If you are not familiar with ICT, then chances are you have not. Patch Tuesday is an unofficial term for the day on which Microsoft releases its regular batch of patches for its software products: the second Tuesday of each month (Microsoft has also used the fourth Tuesday for optional, non-security updates).

Every Patch Tuesday Microsoft releases a large number of updates for its Windows desktop and server software. These updates include user interface tweaks and performance improvements, but the important ones are the security fixes, each of which closes a vulnerability in Windows or other Microsoft software that attackers can otherwise exploit.
If you are unfamiliar with Patch Tuesday, then chances are your desktops and servers aren’t getting the patches they need. By keeping on top of the updates, you ensure that your systems are protected against the vulnerabilities those updates fix. WannaCry, mentioned above, spread through a Windows vulnerability for which Microsoft had released a fix two months before the outbreak, so the machines that were hit were the ones that had not been patched. Bear in mind that the same applies to software that does not come from Microsoft (web browsers, Java, Adobe Reader, and the firmware on your firewalls and switches), which needs its own patching routine.
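To make the check concrete, here is a small added example (not code from this post or from EntrustIT) that works out the Patch Tuesday dates and flags machines whose most recent installed update predates the latest one, once a grace period for testing and rollout has passed. The host names and dates in the inventory are constructed for the example; in practice you would feed it the InstalledOn dates from Get-HotFix or your WSUS reports.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday() numbers Monday as 0, so Tuesday is 1


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def patch_tuesday(year, month):
    """Patch Tuesday is the second Tuesday of the month."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def latest_patch_tuesday(today):
    """The most recent Patch Tuesday on or before 'today'."""
    today = _as_date(today)
    candidate = patch_tuesday(today.year, today.month)
    if candidate > today:
        # This month's Patch Tuesday is still ahead, so last month's is the latest one
        year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
        candidate = patch_tuesday(year, month)
    return candidate


def overdue_hosts(inventory, today, grace_days=7):
    """Hosts whose newest installed update predates the latest Patch Tuesday,
    reported only once a grace period for testing and rollout has elapsed.

    inventory: (hostname, date of the most recently installed update) pairs.
    Returns (hostname, days since that update) pairs, sorted by hostname.
    """
    today = _as_date(today)
    cutoff = latest_patch_tuesday(today)
    if today < cutoff + timedelta(days=grace_days):
        return []  # the rollout window is still open; nothing is overdue yet
    return sorted((host, (today - _as_date(last)).days)
                  for host, last in inventory if _as_date(last) < cutoff)


# Constructed sample inventory (the hosts and dates are made up for this example).
# On a real estate the dates would come from Get-HotFix's InstalledOn column or WSUS.
SAMPLE_INVENTORY = [
    ("srv-dc01", "2017-11-15"),       # patched the day after November's Patch Tuesday
    ("srv-file01", "2017-11-14"),     # patched on Patch Tuesday itself
    ("pc-library-12", "2017-10-11"),  # still on October's updates: overdue
    ("pc-bursary-03", "2017-09-13"),  # two cycles behind
]

if __name__ == "__main__":
    today = "2017-12-08"  # the date of this post
    for host, days in overdue_hosts(SAMPLE_INVENTORY, today):
        print(f"{host}: last update {days} days ago, missing the {latest_patch_tuesday(today)} release")
```

Run for 8 December 2017 it reports pc-bursary-03 and pc-library-12, the two machines that never received November's updates. The grace period reflects the week or so a school needs to test updates before pushing them out; shorten it for anything that faces the internet.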

Education and Acceptable Use Policies


Whilst it is true that most Independent Schools have an ICT ‘Acceptable Use Policy’, it is also true that many pupils and staff have limited knowledge of it and limited knowledge of how they can stay on the correct side of it. In order for cyber security to work in a school environment, staff and pupils alike must understand why it is important to be safe online.

This must not just be in the context of the school, but also of the individual. Pupils are unlikely to be moved to stay safe online if they feel the only consequence of their actions is the school getting fined. By educating pupils about the dangers to them of poor judgement online, such as ransomware locking their valuable files or phishing emails stealing bank details, they are far more likely to take cyber security seriously.

By agreeing a fair ICT Acceptable Use Policy, educating pupils and staff on the details and rigorously enforcing it, you can make great progress in your school towards a safer cyber environment.

Contingency planning


Even if you feel that your cyber defences are relatively strong, a determined intruder is difficult to keep out. Schools have vast stores of personal data and Independent Schools in particular have data on high income individuals – this makes them targets for cyber-crime.
Therefore, it is important to have a plan in place should a cyber-attack occur. Under the GDPR legislation, an organisation that suffers a personal data breach must notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned, describing the nature of the breach, the data affected and the measures being taken to reduce the damage; breaches that are not reported must still be recorded internally. To comply with this requirement, your school will need an individual who has at least a basic understanding of cyber security to liaise with the ICO directly, and you will need to know who to call at short notice for technical help if nobody in school can investigate what happened.

You will also need a strong backup approach in place. It is preferable that you back up every day to a cloud service or an external drive. Once the backup is completed, disconnecting the external drive from your servers and storing it securely will prevent the backups from also being infected: ransomware encrypts everything it can reach, including mapped drives and attached backup disks, so a backup that is permanently connected (or a cloud folder that simply mirrors your files) is not a safe backup. Furthermore, perform regular test restores to ensure that the backups work and to give you a rough idea of how quickly you can restore your infrastructure. If your tests indicate that your backups take too long to restore, you may wish to look for better options.


Removable Media Controls


Many people still use USB thumb drives or external hard drives to store and transport files. However, removable storage media is an extremely unsafe way to manage file transfers. Thumb drives in particular are easy to lose and when pupils and staff can use personal thumb drives to move files around, you have little control over what files they are removing from the school premises, or indeed what files they are bringing in to the school network.

If a pupil or staff member were to bring in a thumb drive from home that had a malicious file on it, that file would have the potential to infect the whole school network.

Ensure that removable media is encrypted and scanned for malware before importing files onto the school network: encryption protects the data if a drive is lost, and scanning protects the network from whatever the drive brings in. Many businesses have gone further and banned removable media entirely, which can be enforced centrally on Windows through Group Policy. A cloud option, particularly one that is built from the ground up with security in mind, such as Citrix ShareFile, is in my opinion by far the safest way to store and share documents.
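As an added example of the ‘scan before importing’ step (this is not code from this post or from EntrustIT, and it complements rather than replaces antivirus scanning), the Python script below triages the contents of a removable drive before anything is copied onto the network: it allows only document types on an allow list, rejects autorun files and names that hide an executable extension behind a document one, and reads the first bytes of each file so that a Windows executable renamed to .jpg is still caught. The allow list, the sample files and their contents are all constructed for the example.

```python
import tempfile
from pathlib import Path

# Document types a school might reasonably accept from a pupil's or colleague's drive
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".csv", ".jpg", ".jpeg", ".png"}
# Extensions that should never sit behind a document extension ('timetable.exe.pdf')
SUSPICIOUS_INNER = {".exe", ".scr", ".dll", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".lnk", ".jar"}
# Files that have no business being imported at all
BLOCKED_NAMES = {"autorun.inf", "desktop.ini", "thumbs.db"}
# Windows executables (.exe, .dll, .scr) all start with these two bytes, whatever they are called
PE_MAGIC = b"MZ"


def triage_file(path, root):
    """Return (path relative to root, verdict). The verdict is 'allow' or the reason for rejection."""
    name = path.relative_to(root).as_posix()
    suffixes = [s.lower() for s in path.suffixes]
    if path.name.lower() in BLOCKED_NAMES:
        return name, "blocked file name"
    if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
        return name, "extension not on the allow list"
    hidden = [s for s in suffixes[:-1] if s in SUSPICIOUS_INNER]
    if hidden:
        return name, f"double extension hides {hidden[0]}"
    with open(path, "rb") as f:
        head = f.read(len(PE_MAGIC))
    if head == PE_MAGIC:
        return name, "executable content despite document extension"
    return name, "allow"


def triage_media(root):
    """Walk a mounted drive and split its files into those safe to import and those to reject."""
    root = Path(root)
    result = {"allow": [], "reject": {}}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        name, verdict = triage_file(path, root)
        if verdict == "allow":
            result["allow"].append(name)
        else:
            result["reject"][name] = verdict
    return result


def demo():
    """Constructed sample drive: every file and its contents is made up for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "homework").mkdir()
        (root / "homework" / "essay.docx").write_bytes(b"PK\x03\x04 (zip container, as a real .docx is)")
        (root / "notes.txt").write_text("revision notes\n")
        (root / "photo.jpg").write_bytes(b"MZ\x90\x00 a Windows executable renamed to look like a picture")
        (root / "invoice.pdf.exe").write_bytes(b"MZ\x90\x00")
        (root / "timetable.exe.pdf").write_bytes(b"%PDF-1.4 harmless-looking content, suspicious inner extension")
        (root / "autorun.inf").write_text("[autorun]\nopen=photo.jpg\n")
        return triage_media(root)


if __name__ == "__main__":
    for name, reason in demo()["reject"].items():
        print(f"REJECT {name}: {reason}")
```

On the sample drive only the essay and the notes file pass; the renamed executable is rejected on its content rather than its name, which is the check that an extension-based policy alone misses. Point `triage_media` at the drive letter of a mounted stick to use it on real media.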


Be Vigilant


It is not easy to keep on top of cyber security. However, it is so important to understand and to mitigate the risks. By putting the advice listed above into action you will not be completely protected from cyber threats, but you will have a strong foundation of security.

If any school would like further information or consultancy on ways in which they can protect themselves, or ways in which they can reach GDPR compliance next May, please do not hesitate to get in touch with me at schools@entrustit.co.uk or 0330 002 0045.

Tuesday 10 October 2017

GDPR - top tips to get compliant

It’s that time of year again, the summer break is over and it is back into the routine for another academic year. Any bursar will tell you that September is an extremely busy time of the year with a seemingly endless list of things requiring attention. In the hubbub of the new academic year, it is easy for tasks to be put on hold, which is why I am taking an opportunity in this edition of ‘educateIT’ to gently remind headteachers and bursars of a deadline that is now two months closer: the General Data Protection Regulation (GDPR).

I’ve spoken so much with bursars about GDPR recently that I am starting to feel like a broken record, but the reality is that it is so important that it will be on the agenda right through until the 25th May 2018 deadline and beyond.

After a well-deserved 2-month break, you may be racking your brains to remember exactly what GDPR entails. The General Data Protection Regulation (GDPR) is a piece of EU legislation designed to provide a common data protection policy amongst EU member states. When it comes into effect next May, it will supersede all existing data protection regulations (in the case of the UK, that is the Data Protection Act 1998). Because current data protection legislation differs across member states and was introduced before the cloud and social media, it was clear that modern legislation was required.

No doubt that if you have heard about GDPR, you will have heard the scare stories about fines of up to €20 million (or 4% of annual worldwide turnover, whichever is higher) for non-compliance. As an independent school, it is unlikely that you could ever face such an astronomical fine; the top of the range is reserved for the worst offenders. However, it is a safe assumption that fines under GDPR will be considerably higher than the £500,000 maximum under the current Data Protection Act. For more on GDPR, read my blog from March 2017 entitled “GDPR – What’s it all about and how does it affect Independent Schools?”

During my visits to Independent Schools at the tail end of last term, I was frequently asked when would be a good time to start tackling the issue of GDPR compliance. At that time, I urged schools to begin work as soon as possible – since compliance is not something that can be attained overnight. In the new academic year, with the deadline less than 9 months away, my message is that if your Independent School hasn’t begun the process of GDPR compliance, it should be as near to the top of your agenda as possible.

With that in mind, what are some key considerations an Independent School should make as it progresses towards GDPR compliance?

Firstly, it is a good idea to get acquainted with the Information Commissioner’s Office (ICO). This is the Data Protection Regulator in the UK. Under GDPR, an organisation that experiences a personal data breach is obliged to inform the ICO within 72 hours of becoming aware of it (unless the breach is unlikely to put the individuals concerned at risk), stating what was exposed and what measures are being taken to mitigate the damage. Failure to do so is itself a breach of the regulation and can result in a fine. Furthermore, GDPR requires certain organisations to appoint a dedicated ‘Data Protection Officer’ who is knowledgeable about data protection law: public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive (special category) data. The details of how this applies to independent schools are a little cloudy at present, but it is quite possible that schools will fall into this category.

The next consideration involves processing of personal data and consent. GDPR gives individuals more control over the use of their personal data. At a recent visit to an Independent School, this topic came up when the bursar mentioned that they perform wealth screening on prospective parents. Whilst this may be a savvy business practice, under GDPR holding and processing personal information for the purposes of wealth screening requires a lawful basis, and the school must tell the individuals concerned that it is doing so and why. Where the school relies on consent, that consent must be explicit, the school must keep a record of exactly when it was given, and the individual may withdraw it at any time, at which point the school must stop using the information for that purpose.

Consent is not always the right basis, and GDPR does not recognise ‘implied’ or passive consent. For example, when a pupil enrols at a school, the school does not need the pupil’s consent to hold their personal information: storing it is necessary in order to provide the education and pastoral care that the parents have contracted for, and that necessity is a lawful basis in its own right. Recording which basis you rely on for each type of processing is part of the documentation GDPR expects.

Once you have collected that data, the question of where that data is stored arises. Whilst many Independent Schools still store all their important data in servers on-site, cloud adoption is accelerating. Popular cloud services such as OneDrive or Dropbox are provided by U.S. based companies, and depending on the service and the plan your data may be stored or processed in U.S. based datacentres. U.S. data protection law is not as stringent as EU legislation, and transferring personal data outside the EU is only permitted under a recognised mechanism (at the time of writing, the EU-U.S. Privacy Shield or standard contractual clauses), so check where your provider keeps your data and what it commits to in its contract.
That doesn’t mean that storing data on-site is a preferred option. In almost all cases I have dealt with in my long career in the IT industry, on-site storage options are less secure than their cloud counterparts. The only exception is for organisations that make their cyber-security a top priority, throwing vast amounts of cash at servers, monitoring software and antivirus. A cloud storage option such as ShareFile is a strong offering if security is mission critical.

A final important consideration is that of Social Media and pupil internet usage. This links back to my earlier paragraph on consent. GDPR says that where an online service is offered directly to a child, the child’s own consent is only valid from the age of 16, and below that a parent must give it; member states may lower that age to 13, and the UK’s Data Protection Bill proposes to do so, so most school pupils cannot legally consent to online services on their own. An Independent School, particularly one that has boarding pupils, acts in loco parentis for those pupils while they are in its care, and so takes on responsibility for the information they share online and the websites and social media accounts they sign up for on school systems. Having a stringent acceptable use policy in place for pupils’ internet use is a good first step, but educating the pupils on the dangers of posting personal information online would go a positive step further.

As the GDPR deadline looms, I cannot stress enough the importance of taking action now. In the business sector, GDPR is getting increasing air time and most parents will be aware of the regulation by now. To show that your Independent School is on top of the changes, I recommend a letter to inform parents that your staff are aware of the changes, and that your school is taking the necessary steps to reach GDPR compliance by the May 2018 deadline. Proactively reassuring parents that their own and their children’s personal information is safe will put minds at ease.

Towards the end of the last academic year, I received a number of requests for assistance with GDPR. To Independent Schools with a genuine need and interest, I met with bursars to discuss further. I am continuing to offer this service at the beginning of this academic year. If you would like advice on GDPR compliance, please do not hesitate to get in contact with me on 0330 002 0045 or email schools@entrustit.co.uk

Tuesday 19 September 2017

Why Independent Schools must Prepare Pupils for Jobs that Haven't been Invented


Whether we like or loathe technology, there is no doubt that every facet of our lives is being changed by digital transformation.

Technology is changing businesses - we only have to see the impact of Uber on traditional taxis, Purple Bricks on traditional estate agents or Airbnb on traditional holiday accommodation, to understand that the world around us is changing because of the use of technology.

The way our young people socialise and interact with each other has also totally changed in recent years with the use of Snapchat, Instagram, Facebook and a plethora of other social media sites, not to mention the streaming of music and films/TV and the advent of e-readers and the subsequent digitisation of books - so different from my day where we went to a shop to buy a CD or borrowed a book from the library!

Technology has also made the world a much smaller place, with the cloud, virtual learning environments, and virtual meeting environments enabling remote working and real-time communication wherever we are. And - for better or worse - this "permanently connected" status of our smartphones and tablets has also meant for many of us that much of our work lives and our personal lives have become 24x7.

And the pace of change continues to increase. Already Artificial Intelligence (AI) is starting to change the world around us, dispensing with the need for some jobs, while creating the need for different, digitally savvy skills to create and manage the technology. This trend can only continue and spread in the coming years. Meanwhile the Internet of Things (IoT) is continuing to evolve, with everything from our building management systems, to our CCTV systems being connected to the Internet. Perhaps soon the fridges in our school kitchens will be monitoring their own stock levels and automatically re-ordering items that are running short.

Embracing technology, and equipping pupils with the skills to thrive in the new digital economy, forms a vital part of preparing pupils for life beyond school. Already there are so many jobs that just didn't exist 10 years ago, and there is no doubt that some of our pupils today will be undertaking jobs in the future that haven't even yet been invented.

This is why it is so vital for schools to embrace technology and build it into every element of school life. Of course, embedding technology into school life does rightly raise concerns amongst the Senior Leadership Team as to how to safeguard pupils in this environment, as well as preventing all the distractions that come with things like social media. However with the right controls, processes and technologies in place, this is very much achievable, as has been shown by many independent schools, such as Stroud School, which I featured in a recent piece on my blog.

If you would like to know more about EntrustIT's ICT strategy and project services, which enable schools to embrace digital technology and embed it into school life, please do not hesitate to contact me on 0330-002-0045 or email schools@entrustIT.co.uk

Monday 10 July 2017

Preparing Your Independent School for GDPR: Cyber Security Issues


In my recent blog I talked about the importance of understanding your data and securing your information systems from internal threats in readiness for GDPR. In today's article I wanted to talk about the other side of the coin: securing your information systems from external security threats.

We only have to open a newspaper or turn on the news these days to hear about some new cyber security threat or data breach that has occurred. Protecting against such breaches forms an important part of GDPR compliance, since you need to be able to demonstrate that you are taking proper care of the personal data that your school holds.

There are a wide range of factors to consider here, which will include:

1. How is your network secured from threats like malware, ransomware and hackers?
In days gone by a firewall and some antivirus software would largely do the job, but with the constantly evolving threat landscape this is no longer the case and a layered set of school procedures, processes and technologies is needed: prompt patching, email and web filtering, staff accounts without unnecessary administrative rights, tested backups, and monitoring that will tell you when something has gone wrong. No combination gives full protection, so plan for detection and recovery as well as prevention.

2. What are your procedures for applying security updates to your systems?
New security threats are emerging daily and software vendors are releasing a constant stream of fixes and patches to try and mitigate the risks from these threats. Therefore it is critical that you apply these security fixes to both your servers and your PCs and laptops in a timely fashion. Indeed, the timeliness of updates has now become even more critical since some cyber criminals are now reverse engineering the fixes from vendors such as Microsoft, in order that they can see what vulnerabilities have been fixed, and using that information to directly target those vulnerabilities in organisations who have not applied the appropriate update to their systems.

3. How is your data backed up?
Taking full system backups which are regularly tested is essential, so that you know you could recover data in a timely fashion should your school be hit by a cyber threat such as ransomware.

4. What are your procedures around physical security of your servers and IT equipment?
Having good cyber security in place is critical, but if someone can access your server room or acquire a laptop or smartphone containing school data, then the very best cyber security systems can be rendered useless. Full-disk encryption on laptops and phones (BitLocker on Windows) means that a stolen device does not have to become a data breach.

5. How do you manage secure disposal of old PC and server equipment?
Equipment that is end-of-life and being replaced will often contain confidential data or emails, and therefore it is important that its storage is securely wiped, or the drives physically destroyed, so that the data cannot be recovered. Keep a record of the serial numbers and the date and method of disposal for audit purposes; this applies to photocopier hard disks and smartphones as well as PCs and servers.

6. How are your staff educated to ensure they are aware of the latest cyber security threats?
It is all too easy to click on seemingly legitimate attachments or web links which may actually contain malicious code, and with new threats constantly emerging, the vigilance of your staff in being able to spot such scams will form part of your defence strategy.

7. How and when are your procedures around cyber security reviewed and updated?
Given the constantly changing threat landscape, it is critical that procedures and controls around cyber security are regularly reviewed and updated, at least annually and after any incident or significant change to your systems.

For more information about protecting your school from cyber threats or preparing for GDPR, please do not hesitate to contact me on 0330 002 0045 or email schools@entrustit.co.uk.

Monday 26 June 2017

Protecting your School's Network Manager from Stress and Burnout



In my recent blog, Why Every Independent School needs a Super-Hero, I talked about the wide ranging variety of roles that we expect our network managers to fulfil, from support provider and trainer, right through to network architect, project manager, cyber security expert and much more besides. 

At this time of year, when for many of us our thoughts are beginning to turn to a welcome break from work, let's spare a thought for our network managers who are often planning for one of their busiest periods in the school year – the summer holidays.  

Whilst we are enjoying the sunshine, many of them will be immersed in technically complex projects to upgrade the school’s network infrastructure. Now don't get me wrong, for many network managers, this is an exciting period of the year when they get to experience new technology and increase their technical skill set.  However, it is important that all of us get a break from time to time, and as employers we all have a duty of care towards our staff to ensure that that is the case.

So, if not during the summer holidays, then when will your network manager get a break this year?  This can be a tricky challenge, since once the summer holiday projects are complete, and school is back in full swing, we need our network managers to be in school more than ever, to provide support, hand holding and training, especially during that back-to-school phase, when invariably passwords will have been forgotten, there will be large numbers of new pupils, some new staff and  some snagging issues from the holiday upgrade projects.  As a result, I see many network managers who become overloaded, and in some cases this can even lead to serious health issues.

One answer can be to partner with an experienced schools ICT provider, who can provide a flexible holiday cover support contract for your network manager, giving network managers the time and uninterrupted rest they need to recharge their batteries, whilst giving schools the reassurance that their ICT systems are still safely supported.  Such contracts can also provide a useful backstop for the network manager at other times, by providing them with extra resources and skills to call upon during what could otherwise be stressful situations, such as getting to the bottom of a particularly thorny problem, or providing day-to-day support when they are tied up on project work.

So while you are relaxing by the pool this summer, do spare a thought for our hardworking network managers.  
If you would like more information about EntrustIT’s support services for schools, including holiday cover for Network Managers, please do not hesitate to contact me on 0330 002 0045, email schools@entrustIT.co.uk or visit our website http://www.entrustit.co.uk/our-specialisms/education/


Monday 12 June 2017

How would your Independent School cope with 22 Hours of ICT Downtime?


In the wake of British Airways’ catastrophic IT failure which left so many passengers stranded at airports at the start of half term, I thought it would be timely today to talk about disaster recovery.

As anyone who has ever experienced network downtime will know, it is amazing how crippling an ICT system failure is to a school, and how far reaching the consequences can be. Not only does an outage create classroom and administrative operational chaos, it can also have serious consequences for the school’s reputation, particularly where there is loss of critical data such as pupils’ coursework, or a breach of security around confidential pupil data.

Whilst many schools I talk to tend to associate ICT downtime with large events such as fires or floods, the reality is that the majority of ICT downtime has much more mundane causes which can include hardware failures, loss of power, cyber security breaches (such as ransomware attacks) and software failures. And in many cases the downtime is considerable, with the EMC Global Data Protection Index 2016 study showing that the average length of unplanned downtime was 22 hours. Indeed the situation seems to be worsening this year, with ICT downtime caused by ransomware attacks in particular often running into a week or more.

And while many of us can work around a short system outage, when such outages are extending into days or even weeks there can be a serious impact on the school’s operations and reputation. As such, it is critical that the senior leadership team have a thorough understanding of their risk management processes and contingency procedures around network resilience, backups and disaster recovery.

So is it enough to have a disaster recovery plan? Sadly I fear not. I’m sure BA had a disaster recovery plan, but how well did it work when it was used in anger? For many schools, I find that the disaster recovery plan was put together some years ago and has sat in the fireproof safe ever since, without testing or updating. My experience is that this document needs to be constantly evolving, as our use of technology in education has moved on apace, and what was an acceptable recovery plan a couple of years ago may now be totally inadequate. In addition, our systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can impact on the technical success of a recovery.

In order to ensure ongoing relevance, I always recommend that schools continually re-assess and test their plans around resilience, backup and disaster recovery, against the operational needs of their school and their changing use of technology. Some points to consider would include:
  • How long could you afford for each of your various ICT systems to be down for? 
  • How much data and email, if any, could you afford to lose?  
  • When did you last try a test restore of your data or email? Did it work?
  • Have you tried a test of your full disaster recovery plan lately? Did it work? How long did it take? How much data was lost? Did the results demonstrate that recovery times and data loss met your school’s current operational requirements as defined above? 
  • Do your backup and disaster recovery plans meet your forthcoming GDPR compliance obligations? 
  • Where are your backups held? Would an incident like a fire or a ransomware attack wipe out your backups as well as your live systems? 
  • In the event of a major disaster, what hardware would you restore your backups on to? 
  • How would your school operate in the period whilst the systems were down? 
  • How would you communicate details of an outage with parents, staff, pupils and the public to minimise the reputational damage to your school?
If you are unclear of the answers to any of these questions, it may be time to review your processes and procedures around disaster recovery planning to ensure your school is not exposed to undue risk in this area. If you have any questions or would like information on ways EntrustIT can help, please do not hesitate to contact me on 0330-002-0045 or email schools@entrustit.co.uk
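The restore questions in this checklist, the backup advice in the ‘Contingency planning’ section of the December post above and item 3 of the July cyber security checklist all come down to the same test: can you get your data back, intact, quickly enough? The Python example below is added here to show one way of making that test repeatable (it is not code from this blog or from EntrustIT). It records a SHA-256 manifest of the live files when the backup is taken, times a test restore against a recovery time objective (RTO), and compares the restored tree against the manifest, so that a backup which ransomware has encrypted or deleted files from is detected rather than trusted. The file tree, the file contents and the 60-second RTO are constructed for the example; the manifest itself should be kept somewhere the backup medium cannot reach, otherwise it would be encrypted along with the backup.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a test-restored tree against the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "changed": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "extra": sorted(set(restored) - set(manifest)),
    }


def timed_restore(backup_root, restore_root, rto_seconds):
    """Restore from the backup, time it, and report whether it met the recovery time objective."""
    start = time.perf_counter()
    shutil.copytree(backup_root, restore_root)
    elapsed = time.perf_counter() - start
    return {"seconds": elapsed, "within_rto": elapsed <= rto_seconds}


def demo(rto_seconds=60.0):
    """Constructed data: a tiny live tree, its backup, a clean test restore, and then a
    restore from a backup that ransomware reached because the drive stayed attached."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restore = (Path(tmp, n) for n in ("live", "backup", "restore"))
        (live / "pupils").mkdir(parents=True)
        (live / "pupils" / "register.csv").write_text("id,name\n1,A Pupil\n")
        (live / "term_dates.txt").write_text("Spring term starts 8 January\n")

        manifest = build_manifest(live)   # record this when the backup is taken, off the backup medium
        shutil.copytree(live, backup)     # the nightly backup
        timing = timed_restore(backup, restore, rto_seconds)
        clean = verify_restore(manifest, restore)

        # Simulate ransomware reaching the backup drive: one file encrypted, one deleted
        (backup / "term_dates.txt").write_bytes(b"\x00" * 32)
        (backup / "pupils" / "register.csv").unlink()
        shutil.rmtree(restore)
        timed_restore(backup, restore, rto_seconds)
        tampered = verify_restore(manifest, restore)
        return clean, tampered, timing


if __name__ == "__main__":
    clean, tampered, timing = demo()
    print("clean restore:", clean, f"in {timing['seconds']:.3f}s, within RTO: {timing['within_rto']}")
    print("tampered backup:", tampered)
```

The clean restore reports nothing missing or changed; the tampered one names the encrypted file under ‘changed’ and the deleted one under ‘missing’, which is exactly the information the ‘Did it work? How much data was lost?’ questions above ask for. Scheduling this against a real test restore, and comparing the measured time with the downtime each system can tolerate, turns the checklist into a repeatable check rather than a one-off exercise.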

Monday 22 May 2017

Monetising Your School’s ICT Facilities


Independent schools spend a significant amount of money on ICT facilities both to enhance the learning environment and to ensure the smooth running of the school’s administrative function. Whilst most schools will look to incorporate messages about their ICT facilities into their marketing literature to attract new pupils, there is also the opportunity to leverage ICT to generate income from other sources too.

Technology plays an important part in most people’s lives nowadays, and when booking social, educational or leisure activities, having access to good technology, such as fast Wi-Fi and Internet connectivity, forms an important part of people’s decision making process in choosing a venue for such events. This is something which Independent Schools can capitalise on, since they have these facilities anyway, which are often lying dormant, or as a minimum under-utilised, during the school holiday periods.

ICT suite(s) are an obvious facility that can be let out in the school holidays to summer schools, clubs or local groups. However lettings do not need to be restricted to the ICT suite alone nowadays, since most independent schools now enjoy school-wide Wi-Fi and support for BYOD (Bring Your Own Device) which presents the opportunity to let out any classroom, allowing guests to bring their own equipment and effectively set up an ICT suite "on the fly".

Many Independent Schools have also invested in a music technology suite, which is a desirable facility which can be let to groups, clubs and budding local musicians during periods when the school is not using it.

Wi-Fi is also now considered a "must have" for events such as weddings, parties, summer schools or business conferences. Whilst they are not always aware of it, many schools’ Wi-Fi systems offer the facility to generate restricted-duration tickets for guest Wi-Fi access, as well as the ability to charge for Wi-Fi access in the way that many hotels do, typically offering a basic level of connectivity for free and then charging a fee for higher speed/capacity.

Most schools have also bitten the bullet and paid the charges needed to get high speed leased line Internet connectivity into their premises. However many smaller businesses or clubs in the area cannot necessarily afford these type of costs. This offers another opportunity to Independent Schools to provide a slice of their internet connectivity to a local small business, golf club or sports club as an income generator for the school, provided that the school’s connectivity contract permits it and that the third party’s traffic is kept on its own network segment, separate from the school’s.

So one way and another there is much that schools can do to leverage their ICT and create an additional income stream from it.

Naturally if you're planning to provide access to your school ICT facilities to outsiders, then some suitable security provisions need to be put in place. This is relatively straightforward though: guests are given their own Wi-Fi network (SSID) on a separate VLAN, the firewall policy allows that VLAN out to the internet but not into the school’s servers or the staff and pupil networks, and client isolation stops guest devices from talking to each other. Time-limited guest vouchers, and a record of who was issued them, mean that any misuse can be traced back.

If you would like more information on this topic, please do not hesitate to contact me on 0330-002-0045 or email schools@entrustit.co.uk.

Monday 8 May 2017

Preparing for GDPR – Understanding and Securing your School’s Data


Following on from my recent blog, “GDPR – What’s it all about and how does it affect Independent Schools” I’ve had requests from several schools asking for more information, so I thought it would be useful to elaborate on some of the issues that GDPR raises for Independent Schools.

I wanted to start by further exploring the importance of understanding what personal data you hold and where that confidential data is stored. Bear in mind personal data can be as simple as a pupil, teacher or parent’s name or email address.

This may sound like an odd topic, as I'm sure many of you are thinking you know exactly where all your schools’ data is held. But do you really?

The scary reality nowadays is that your school’s precious data may already be widely scattered. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of school, staff and pupil owned portable devices such as laptops, tablets and smartphones which now hold school data or emails? Or data that has been copied to removable media such as USB sticks? Or data that has been shared with business partners and other third-parties? Or copies of data taken for backup purposes?

Then there is the cloud. The cloud has revolutionised the way many schools store their data, but in doing so has also globalised the way data is stored, with many public cloud providers distributing data across servers worldwide in order to optimise costs.

So do you really know where all your data is held? And does it matter?

Well in terms of GDPR it certainly matters, as you need to be able to demonstrate that you are protecting your data and using it appropriately. The more widespread and less controlled your data is, the more vulnerable you leave your school to a breach of data security. So understanding what you have and where it is forms the first step towards compliance.

If, on reflection, you realise that your school's data is already widely scattered, you may wish to bring it together in one secure, central repository in order to make it easier to control and manage. Luckily there are now technologies that facilitate this. For example, we have built our own EducateIT desktop platform for schools, an onsite private cloud solution which allows a school to bring all its data together in one secure, central, onsite repository, where staff and authorised partners can access it securely wherever they are, without the source data ever leaving the school. For other schools, where data is generally central but some also resides on mobile devices, we work to implement processes and technologies to prevent data leakage and manage those devices.

Either way, it is paramount to put the school back in control of its data, knowing both where it is and who has access to it. This in turn needs to be documented, both so that the senior leadership team has understanding of, and control over, its valuable data, and in order to provide evidence for compliance and audit purposes. Doing so minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.

Once you have this understanding, the next step is to understand how you secure your data. This broadly falls into two categories – access control (effective security for authorised users) and cyber security (protection against unauthorised access).

Today I am going to talk about the former, as having good access control systems lies at the heart of successfully protecting your school’s data, and forms an important part of preparing your school’s information systems for GDPR compliance.

GDPR places accountability on schools to have in place policies, procedures and documentation that demonstrate the personal data they hold is stored securely. Bearing in mind that schools hold a vast array of personal data, much of which is about children, whom the GDPR identifies as “vulnerable individuals” deserving of “special protection”, it becomes clear that the legislation is likely to cover the vast majority of a school's data.

Therefore, for each of your computer systems, it is important to understand, and have documented, who has access to that system and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to the system. Allowing wider access than necessary puts you at greater risk of a data security breach or data loss through incidents such as accidental deletion, a ransomware attack or a malicious insider, because every account holding write access to a share is another account through which that share can be deleted or encrypted. As well as having standard operating procedures (SOPs) in place to handle the ICT access control requirements of new starters, it is equally important that there are procedures to cover leavers (both pupils and staff) and what happens when somebody changes role within the school.

Password policies are always a bone of contention and an area where a fine balance needs to be struck. Policies that are too lax lead to easily guessable passwords which may not demonstrate due care of data under GDPR. On the other hand, policies which demand highly complex, long passwords which change frequently, may lead to dozens of forgotten passwords and/or the temptation to record passwords on sticky notes, which also certainly doesn’t demonstrate due care of data!

Nowadays, it is also likely that third parties such as freelancers, suppliers and of course parents will have access to some of your ICT systems or data. Such access needs to be secured in just the same way, so you are clear who has access to what parts of the system, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties as relationships evolve and change.
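The two paragraphs above (least privilege with starter, leaver and role-change procedures, and periodic review of third-party access) describe an access review, and the check is simple enough to automate once you have a roster and a user export from each system. The script below is an added example, not code from the original post or from any product it names. The roster, the per-role entitlements and the access exports are constructed stand-ins for what would normally come from the school's MIS or HR system and from each application's user list; the role names and permission levels are assumptions.

```python
"""Reconcile who should have access with who actually does.

Added example, not part of the original post. Given a roster of
people (role, status, whether they are a third party and when their
access is next due for review) and an access export per system, it
flags: accounts with no roster entry, leavers who still hold access,
accounts exceeding what their role needs, and third-party accounts
whose review date has passed. All data below is constructed.
"""
from datetime import date
from typing import Dict, List, Optional

# Assumed minimum access per role; anything beyond this is a finding.
ROLE_ENTITLEMENTS: Dict[str, Dict[str, str]] = {
    "teacher":    {"mis": "read", "email": "user"},
    "bursar":     {"mis": "read", "finance": "admin", "email": "user"},
    "contractor": {"finance": "read"},
}
# Assumed ordering of permission levels so they can be compared.
LEVELS = {"none": 0, "read": 1, "user": 1, "write": 2, "admin": 3}

# Constructed roster: one entry per person or third-party account.
ROSTER = [
    {"user": "jsmith",  "role": "teacher",    "status": "active", "third_party": False},
    {"user": "pjones",  "role": "bursar",     "status": "active", "third_party": False},
    {"user": "aclark",  "role": "teacher",    "status": "left",   "third_party": False},
    {"user": "acme-it", "role": "contractor", "status": "active", "third_party": True,
     "review_due": date(2017, 3, 31)},
]

# Constructed per-system user exports: system -> user -> level.
ACCESS = {
    "mis":     {"jsmith": "read", "pjones": "admin", "aclark": "read"},
    "finance": {"pjones": "admin", "acme-it": "read", "svc-backup": "admin"},
    "email":   {"jsmith": "user", "pjones": "user", "aclark": "user"},
}


def review_access(roster, access, today: Optional[date] = None) -> List[str]:
    """Return one line per finding, sorted so the report is stable."""
    today = today or date.today()
    people = {p["user"]: p for p in roster}
    findings = []
    for system, users in access.items():
        for user, level in users.items():
            person = people.get(user)
            if person is None:
                findings.append(f"{system}: {user} has no roster entry (orphan account)")
                continue
            if person["status"] == "left":
                findings.append(f"{system}: leaver {user} still has {level} access")
                continue
            allowed = ROLE_ENTITLEMENTS.get(person["role"], {}).get(system, "none")
            if LEVELS[level] > LEVELS[allowed]:
                findings.append(
                    f"{system}: {user} ({person['role']}) has {level}, role needs {allowed}"
                )
    for p in roster:
        if p.get("third_party") and p["status"] == "active":
            due = p.get("review_due")
            if due is None:
                findings.append(f"third party {p['user']}: no review date recorded")
            elif due < today:
                findings.append(f"third party {p['user']}: access review overdue since {due}")
    return sorted(findings)


if __name__ == "__main__":
    for line in review_access(ROSTER, ACCESS, today=date(2017, 5, 8)):
        print(line)
```

Each finding maps to one of the procedures the text asks for: an orphan account means a starter was created outside the SOP, a leaver with access means the leaver procedure failed, excess rights mean a role change was never reflected, and an overdue third-party review means the relationship changed without the access being revisited. Run it termly and keep the output with your GDPR documentation; the empty report is the evidence.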

Mobile and remote working present a whole additional set of challenges to ICT security, with the potential for copies of data or emails to be residing on all kinds of devices, both school owned and personally owned, which do not necessarily conform to school security standards. So developing policies around mobile working and ensuring there is not leakage of data or unauthorised access to data form a critical part of compliance. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.

Finally, bear in mind that it is not just your main school-wide IT systems that fall under the GDPR. Any indexed system that contains personal data is subject to the legislation, so do make sure you are also including in your access control procedures all those little databases or spreadsheets that have been developed by an individual or department and which contain personal data.

I hope this has given you a useful insight into some of the key areas to consider around readying your school for GDPR compliance. If you need help preparing for GDPR, or indeed with any element of your ICT system, please do not hesitate to contact me on 0330 002 0045 or email schools@entrustit.co.uk

Monday 3 April 2017

Why Every Independent School needs a list of Specific Unknown Problems!


It's that time of year again, when schools are starting to plan their network upgrade projects for the summer holidays. And if only we could list every unknown problem that might occur, it would make all our lives so much easier!

Of course with technology being technology, it never seems to work quite like that. We only have to think about any high-profile public sector ICT project to know that these things are rarely brought in successfully on time and within budget, with a fanfare from the delighted user base!

And to expect our schools’ Network Managers to deliver what are now often highly complex ICT projects on their own over the school holidays can be an unrealistic expectation. We have to bear in mind that delivering ICT infrastructure projects requires a whole raft of specialist skills ranging from systems design (a specialist skill in its own right), to systems installation, people management, project management, risk management and organisational skills.

Then put this against the backdrop of a school's operational environment: often hundreds of software applications, not always inventoried, and indeed sometimes not on the Network Manager's radar at all. Downtime windows confined to school holidays. The need to structure the project plan around certain days or rooms where the system needs to be operational, such as on exam result days or periods where certain facilities are let for summer schools. A plethora of rooms, buildings and keys. Laptops, some of which will invariably have been taken off site. The need to liaise with third parties such as software suppliers over a period when many people are away. Key users who aren't available for testing or training as they are on holiday. And the vagaries of technology, where something doesn't quite do what it says on the tin!

Then there’s the increasingly critical need to build cyber security and data protection in from the ground up in any new or upgraded system, again a specialist skillset in its own right.

Added to this, we need to remember that these types of projects are not something our Network Managers do every day, and just like anything any of us are doing for the first time, it is unlikely to go as smoothly as if we had done it many times before. So perhaps it is little wonder that schools sometimes experience disruption at the start of term in September, when ICT projects have overrun!

The key to success in these projects lies in the planning. Whilst none of us has a crystal ball to anticipate every problem that may occur, having a breadth of experience in carrying out these types of projects means that many of the "unknown problems" that might present a challenge to in-house ICT staff will actually be "known issues" to someone with wider experience, and can be planned for accordingly.

And let’s not lose sight of the fact that, with a helping hand to support them to succeed, these exciting projects not only enhance the schools’ learning environment, but also offer a fantastic development opportunity for schools’ Network Managers.

If your school needs an experienced organisation to work with your in-house ICT team to plan and deliver your forthcoming network development projects, please do not hesitate to contact me on 0330-002-0046 or email schools@entrustit.co.uk to discuss your requirements.

Monday 20 March 2017

GDPR – What’s it all about and how does it affect Independent Schools?


The new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. Whilst many schools, and indeed businesses, that I work with were hoping this would go away, especially in light of Brexit, it has now been confirmed that the UK will be implementing the legislation and as such it is “the elephant in the room” that schools can no longer afford to ignore. So today I thought it would be useful to share some information on what GDPR is all about and what key actions Independent Schools need to be taking to ensure compliance.

By way of background, GDPR has been developed to reflect the changing use of data in the digital world in which we now live. With the digital economy being primarily built upon the collection and exchange of data, including large amounts of personal data, which is often sensitive, there is a need to protect EU citizens’ privacy rights. GDPR is designed to enable citizens to benefit from modern digital services, whilst providing sound, well formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

Whilst these aspirations are to be lauded, there is much concern amongst schools and businesses alike as to the reality of understanding and implementing the legislation within their organisation. And whilst the implementation date of 25th May 2018 may still seem a long way off, the reality of the situation is that the changes this legislation requires many organisations to make are so far reaching that they need to start work now in order to be compliant in time.

The new legislation also gives the regulator real "teeth" in terms of enforcement. For example, if you do not comply with some of the fundamental provisions in the legislation, such as obtaining necessary consent, you can be fined up to 4% of your total worldwide annual turnover or €20 million, whichever is greater. Equally, penalties of up to 2% of your total worldwide annual turnover or €10 million, whichever is greater, apply for not putting in place adequate security.

In addition, breaches have to be notified to the data protection authority without undue delay (within 72 hours of becoming aware of the breach, where feasible) and, where there is a high risk to the individuals concerned, to the people affected as well. This leaves the school concerned highly exposed to reputational damage and potential pay-outs to affected parties.

The situation for schools is further complicated by the fact that the GDPR identifies children as “vulnerable individuals” deserving of “special protection”. As such, schools also need to be aware that the new rules introduce some child-specific provisions, most notably in the context of legal notices and the legal grounds for processing children’s data.

One important element of GDPR compliance is protecting your data from external security threats. Schools are unfortunately becoming an increasingly popular target for cyber criminals, as there is a perception that they are a soft target, not always equipped to spot the signs of increasingly sophisticated cyber fraud. Threats like ransomware, for example, which I highlighted in my recent blog, are sadly now becoming more and more common in schools. Apart from the financial and operational impact these types of threats have on the school, which can be extremely damaging as they lock pupils and staff out of the system, such malware can also be used to exfiltrate information. This presents a major risk under GDPR, given that the compromised data involves the details of schoolchildren, which could have serious implications if it fell into the wrong hands.

In addition to outside security threats, there are a plethora of other threats to schools’ confidential data, ranging from something as simple as a staff member’s laptop or phone containing school email or data being lost or stolen, through to unauthorised copies of data being made or inadequate starter and leaver procedures for systems access.

There is no doubt that GDPR will have a wide ranging impact on schools, affecting functions as diverse as marketing, fund raising, admissions, HR and ICT, and as such is something that will need much Senior Leadership Team time and planning in order to mitigate the risks and ensure compliance by the deadline.

So what do Independent Schools need to be doing in order to mitigate the risks?

Well this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the type of things you should be considering include:

1. Identify what personal data you are holding. Bear in mind personal data can be as simple as a pupil, teacher or parent’s name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.
2. Identify threats to this data. This could include things like cybercrime mentioned above, but also accidental loss by staff, deliberate theft by staff or pupils, lost devices and unauthorised access to data. This is vital if schools are to avoid the fines of up to €10 million that can be levied for unauthorised access to, or disclosure of, personal information.
3. Invest in and implement the right technologies to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats. It is vital to realise that a firewall and a piece of anti-virus software are not enough.
4. Put together a new or updated data protection policy and train staff on it. This is important as everyone in your school needs to understand their obligations under GDPR and how to make themselves fully compliant.
5. Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that all staff are constantly kept up-to-date with best practice around security and data protection.
6. Create a breach notification plan. This is important because if the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your school.

In future blogs I will be exploring these issues in more depth, but if in the meantime you need help with GDPR compliance, please do not hesitate to contact me on 0330-002-0046 or email schools@entrustit.co.uk

Monday 6 February 2017

Public Benefit - Yet another job for the beleaguered bursar?



With 78% of ISC schools holding charitable status, and the recent Government Green Paper "Schools that work for everyone", controversially suggesting that Independent schools could and should do more as a condition of their charitable status, I wanted today to explore the "public benefit" issue.

Independent schools already do much to support local state schools, partnering with them to provide support such as teaching, masterclasses, special events, facilities and help with university applications. Indeed according to the latest census of ISC schools, well over 1100 schools are involved in such partnerships and projects.

I noticed with interest that according to the ISC survey, 991 schools already have some form of sporting partnership with local state schools, whether that's hosting joint sporting events, playing sporting fixtures, inviting local state school pupils to attend coaching sessions or sharing sporting facilities. 570 schools also partner with local state schools for drama classes, performances and facilities, whilst 616 collaborate on musical events.

But interestingly, I noted there was no mention of partnering with regard to ICT facilities. This struck me as strange given most independent schools have invested significantly in their ICT infrastructure, and could leverage this at little or no cost in order to assist with meeting the "public benefit" test.

For example, many independent schools have a spare corner of storage capacity somewhere within their network, which could easily be utilised to, say, host email accounts or provide some storage for a local primary school, whose requirements are normally minimal. This offers a significant benefit to the state school, avoiding the need to purchase or refresh costly server hardware, and these days can be delivered in a secure way which ensures the two schools’ data and network traffic remain completely separate.

Internet connectivity is another example of something that can potentially be shared with a local primary school. Independent schools in more rural locations have often had to invest significant sums to get telecoms lines installed to provide high speed internet connectivity, something which can be cost prohibitive to local primary schools, who are left to make do with a very slow connection. In this case, the Independent School's local network can potentially be extended to connect the local primary school on a secure network segment, which enables them to share the independent school's internet line.

There are many other permutations of ICT sharing too, which could help independent schools to increase resource sharing with the state sector without further adding to Bursars’ workloads or budgets - thereby achieving a win-win for everyone.

Please feel free to contact me on 0330 002 0045 or email schools@entrustit.co.uk if you would like more information.

Monday 23 January 2017

Fraud Alert – Schools Targeted with Ransomware


As I'm sure many of you will have seen, Action Fraud have published an alert after schools across the country have fallen victim to cyber criminals who have targeted schools in a widespread "ransomware" attack. Although it has so far predominantly been state schools who have been targeted in this particular attack, I wanted to make sure all my contacts at Independent Schools were aware of what is happening, and the best ways to mitigate the risk from these types of threats, as it seems that schools are the latest perceived "soft target" for these money making cyber criminals.

For those who aren't aware, ransomware is a form of malicious software (malware) which effectively hijacks your school's data by encrypting it, rendering it unusable by staff and pupils. The cyber criminals then demand payment of a ransom in exchange for the decryption key needed to recover your data. In the recent attack on schools this ransom has been up to £8000, but it can be even higher, with some UK organisations who experienced these types of attacks last year being presented with demands in excess of £35,000!

Schools are not alone, as research conducted in June 2016 by Osterman Research showed that 54% of organisations in the UK had experienced ransomware attacks during the previous 12 months, and, somewhat worryingly, 58% opted to pay the ransom, which would seem to suggest that the risks around such an attack had not been fully assessed or planned for, and contrasts sharply with data from the US where only 3% of victims paid the ransom.

So what should Independent Schools be doing to protect themselves?

Having good system backups, stored off-line so that they cannot also be encrypted, and restore-tested so you know they actually work, is of course vital. But having to carry out a full-scale disaster recovery of the school's ICT systems should really be the last line of defence. This is something I will talk about in more detail in future articles, but it is certainly not something to be undertaken lightly; it can be highly disruptive to the school's operations and indeed, without proper preparation, there is no guarantee of total success.

Unfortunately there isn't a piece of software or a firewall rule that will completely stop these sorts of attacks. Prevention really requires a blend of policies, staff training, plans and technologies to form a cohesive defence strategy for the school. Some of the steps we typically take with the schools who we work with include:

• Reviewing their current systems to identify risks and vulnerabilities.
• Working closely with the senior leadership team to define and implement a risk mitigation plan to address any vulnerabilities identified.
• Implementing a suite of technical measures, which may include hardware, software, cloud technologies and security policies to protect the school's data.
• Training and educating staff, particularly as these types of threats often get into a school through someone clicking on a bogus link or attachment.
• Devising, implementing and testing contingency plans including disaster recovery plans, frequent data backups, security incident response plans and emergency operating procedures.

Unfortunately whilst ransomware is generating such a healthy income for cyber criminals, I think it is only likely to become more prevalent, so it is best to be prepared. If you need any help or advice, please do not hesitate to contact me on 0330 002 0045 or email schools@entrustit.co.uk.

Monday 9 January 2017

Getting Best Value from ICT Budgets in Independent Schools


With ever increasing demands for new and improved technology in independent schools, it is easy for ICT to become a bottomless money pit. Naturally, every school wants to use technology to enhance the learning environment, equip pupils for the digital world that they will be living and working in, as well as ensure that the school is keeping up with its competitors and using technology in a way that will serve to attract further pupils to the school.

The bursar however, has the unenviable job of trying to balance all these laudable ambitions against a limited budget!

This is where I often get called in to help bursars review current ICT budgets and look at strategic ways next academic year's ICT budget can be most effectively utilised. Because we work with numerous schools, and have a good handle on the technology marketplace, we are able to give bursars a steer on whether they are paying about the right amount for ICT services and staffing both commercially and in relation to other schools. We also look at whether there may be ways they can "flip" their budget to achieve their technological aspirations in a different way.

Every school is different, but with ICT forming a significant part of the school’s overall budget, it is well worth taking a little time to review how best to deliver maximum possible value from a limited pot of resources. Whilst time and space don't allow me to cover every scenario here, I thought it would be useful to jot down a few of the common areas that I find are worth reviewing:

1. ICT Invoice review. This is often a very revealing exercise, as many schools receive a plethora of invoices from different providers each term or year, relating to services, maintenance contracts, software subscriptions and the like. The descriptions on such invoices are often vague or use technical jargon, which make it hard to know what they relate to, whether they are still actually relevant and whether they are offering good value for money. We have spent time with many schools unravelling their invoices to understand just these factors and frequently this exercise alone has yielded many thousands of pounds in ongoing cost savings.

2. Software review. Most independent schools have an array of software applications that have grown over time. Reviewing (or indeed making!) a list of all applications and asking questions such as "Who uses it?", "What for?", "Do we still need it?" and "Is there a cheaper way to licence it?" normally reveals another nice chunk of money that can be used for more exciting ICT projects.

3. Internet connectivity. With technological advances, prices for Internet connectivity are constantly falling, but many schools are not aware of this and so are oblivious of the opportunities to re-negotiate their contract, or perhaps add a back-up Internet line for the same cost they are currently paying for their main line alone.

4. ICT staffing costs. In some cases, independent schools find a better skills mix and a cost saving can be achieved by partly or fully outsourcing their ICT function, or by changing provider.

5. The Cloud. Strategic use of the right public and private cloud solutions can potentially save schools a fortune in hardware and support costs, whilst also offering remote working capability and the ability to securely access the school system from pupil and staff owned devices.

6. "Closed" cloud. For those schools not yet comfortable with the idea of their data residing off-site, closed cloud solutions can offer similar benefits to private cloud solutions, as well as significant cost savings over a traditional network, whilst still keeping all data in school.

7. Leveraging your ICT systems commercially. From utilising digital technology to market your school more effectively, through to renting out your shiny new music technology suite over the holidays, remember you can use your technology to boost your bank balance too, not just deplete it!

If you would like more information on any of the topics raised or if you'd like to book a budget review, please do not hesitate to contact me on 0330 002 0045 or email schools@entrustit.co.uk.