GDPR and PHYSICAL security – How important is it?

Regular readers of this newsletter will know that I have paid a lot of attention and focus to the General Data Protection Regulation (GDPR). To recap, the GDPR is EU Data Protection legislation which is coming into force in May. It is a ‘beefed up’ version of the UK’s Data Protection Act 1998 and aims to introduce a common standard of data protection across the European Union – particularly covering the latest advances in social media. Despite Brexit, the UK will be under the legislation from May 25^th 2018 and the legislation is expected to make its way into British law after our exit from the European Union.

In the last couple of articles that I have covered the topic of GDPR in, I have focused primarily on GDPR in cyberspace – the need to focus on cyber security in order to keep on the right side of the legislation. Cyber security in the context of GDPR is no doubt extremely important, but for this article I would like to move away from technology and focus on GDPR in the context of physical security.

When referring to GDPR and compliance, very few commentators refer to the necessity to secure physical data. However, personal data is still stored in a physical format and therefore is still subject to GDPR legislation. For example, many schools use physical folders with pupil and parent information. Remember that Article 4 section 12 of the GDPR states that a “‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”. This means that a member of staff, or worse a pupil, accessing sensitive data without proper consent is classed as a breach.

Think also of physical computers. Most staff will have access to a computer that they use for their work. In many cases, this will contain sensitive information. Do you have a policy in your school that staff must lock their computers if they leave their desk, even if it is only for a short while? Are those computers protected with strong passwords? In my experience working in the IT industry for many years, most users will not set strong passwords. They are usually easy to guess, or in the most worrying cases, system defaults such as ‘password’.

A report for the Telegraph newspaper in 2017 found that the top 10 most common passwords are as follows:

1.       123456

2.       123456789

3.       qwerty

4.       12345678

5.       111111

6.       1234567890

7.       1234567

8.       Password

9.       123123

10.   987654321

Granted, passwords are difficult to remember, especially when you have lots of different passwords for lots of different user accounts. Nobody wants to have to keep phoning their IT department because they’ve forgotten their password again.

Nonetheless, a strong password is absolutely critical to keeping sensitive data secure. A handy tip for creating passwords is to think of a phrase that sticks in your mind. For example: ‘the quick brown fox jumps over the lazy dog’. Now take the first letter of every word in that phrase and combine them to make a word: ‘tqbfjotld’. The password itself is unlikely to be guessed, but because you remember the phrase, you remember the password.

What about the security of your devices and servers? If you keep a server on-site a determined intruder could gain access to it on location. This would allow them to copy data onto an external drive and remove it from school grounds. If you do keep a server on-site, make sure that it is in its own locked room – and preferably that that room is air conditioned to avoid overheating. If you would like an extra level of security, then CCTV is a really good option. It is now possible to get ‘Cloud CCTV’ options, whereby a camera (or network of cameras) are installed in your school and connect to the internet network. It is then possible to access a live video feed of all your cameras in one online portal. The cameras can also record snapshots or video, allowing you to obtain the evidence you need to prosecute should the worst happen. The cameras are small and unobtrusive and are reliable – speak to me if you would like to find out a little more.

A good starting point for getting your physical data security up to scratch would be to assess what data you hold in physical form, where you keep it, and whether you need to keep it any longer. First of all, any data that is not crucial to running your school should be destroyed – there is no use keeping data unnecessarily.

Build up a list of your data sources and the data you hold. Then consider who has access to it, both intentionally and possibly unintentionally. If you keep folders with sensitive information in on school grounds, are they kept in an area away from unqualified staff? Are they kept in locked cabinets? Do your staff know exactly who should have access to what and can you be sure that they know not to share information with others? If you have important data stored on hard drives in servers and computers, do you ensure that you encrypt that data?

It is also worth introducing a policy around external hard drives and USB sticks, as well as personal cloud drives such as DropBox and Google Drive. We recommend that use of external drives is at least restricted, but preferably banned outright, and the use of personal cloud storage should also be banned – it is untraceable. Personal accounts for these services follow users wherever they go, meaning staff could potentially access sensitive material even if they are no longer employed by your school.

By ensuring all your staff (and pupils) understand and appreciate GDPR and how it affects your school, you can make sure everyone is pulling in the right direction to help your school be compliant. GDPR compliance involves an effort from all stakeholders in your school and the first step is strong, unambiguous policies surrounding data security.

For more information on GDPR, or for an IT security audit of your school, please do not hesitate to get in touch with me on 0330 002 0045 or contact schools@entrustit.co.uk.

Keep vigilant in the face of Cyber threats!

It appears impossible to read the news at the moment without hearing about another IT security breach. In the fortnight leading up to the time of writing, there have been reports of hacks at Uber, Imgur and a private members club whose clientele includes Stephen Fry.

Some reports suggest that cyber-attacks more than doubled in 2017. These include well publicised attacks such as the WannaCry ransomware attack that affected the NHS earlier in the year. Ransomware (a form of malware which locks files on your computer and will only unlock them in exchange for money) is a particular area of growth in cyber-attacks. In fact, more than 4,000 ransomware attacks have occurred every day since the beginning of 2016 (a 300% increase over 2015) and the proportion of phishing emails that contain a form of ransomware grew to 97.25% in 2016.

With so many attacks making the news, you may be concerned about the of cyber security threat to your Independent School. As a school with a duty of care to hundreds of pupils, it is extremely important that cyber security is tight. With so many schools keeping personal data on staff, pupils and parents as part of day-to-day operations, the consequences of losing sensitive material do not bear thinking about – particularly with the danger of steep fines under the GDPR legislation coming into force next May.

Although some Independent Schools have a dedicated ICT team, with engineers that protect and improve their networks, many don’t. For those that don’t, what practical steps can staff take to ensure that your school is as protected as possible

Patch Tuesday

Have you ever heard of Patch Tuesday? If you are not familiar with ICT, then chances are you have not. Patch Tuesday is an unofficial term referring to when Microsoft regularly releases patches for its software products. This is the second (and sometimes fourth) Tuesday of each month.

Every Patch Tuesday Microsoft releases a large number of updates for its Windows desktop and server software. These updates make UI (user interface) tweaks, performance improvements and security patches to Windows software.

If you are unfamiliar with Patch Tuesday, then chances are your desktops and servers aren’t getting the patches they need. By keeping on top of the updates, you can ensure that your hardware and software is up to date, and therefore protected from cyber security vulnerabilities

Education and Acceptable Use Policies

Whilst it is true that most Independent Schools have an ICT ‘Acceptable Use Policy’, it is also true that many pupils and staff have limited knowledge of it and limited knowledge of how they can stay on the correct side of it. In order for cyber security to work in a school environment, staff and pupils alike must understand why it is important to be safe online.

This must not just be in the context of the school, but also of the individual. Pupils are unlikely to be moved to stay safe online if they feel the only consequence of their actions is the school getting fined. By educating pupils of the dangers to them of poor judgement online, such as ransomware locking their valuable files or phishing emails stealing bank details, they are far more likely to take cyber security seriously.

By agreeing a fair ICT Acceptable Use Policy, educating pupils and staff on the details and rigorously enforcing it, you can make great progress in your school towards a safer cyber environment.

Contingency planning

Even if you feel that your cyber defences are relatively strong, a determined intruder is difficult to keep out. Schools have vast stores of personal data and Independent Schools in particular have data on high income individuals – this makes them targets for cyber-crime.

Therefore, it is important to have a plan in place should a cyber-attack occur. Under the GDPR legislation, all organisations experiencing a cyber-breach must notify the Information Commissioner’s Office (ICO) within 72-hours of the nature of the breach, what was stolen, and the measures you are taking to reduce the damage. To comply with this requirement, your school will need an individual that has at least a basic understanding of cyber security to liaise with the ICO directly.

You will also need a strong backup approach in place. It is preferable that you backup every day to a cloud server or an external drive. Once the backup is completed, removing the external drive from your servers and storing it securely will prevent the backups from also being infected. Furthermore, perform tests of your backups to ensure that they work and to give you a rough idea of how quickly you can restore your infrastructure from a backup. If your tests indicate that your backups take too long to restore, you may wish to look for better options.

Removable Media Controls

Many people still use USB thumb drives or external hard drives to store and transport files. However, removable storage media is an extremely unsafe way to manage file transfers. Thumb drives in particular are easy to lose and when pupils and staff can use personal thumb drives to move files around, you have little control over what files they are removing from the school premises, or indeed what files they are bringing in to the school network.

If a pupil or staff member were to bring in a thumb drive from home that had a malicious file on it, that file would have the potential to infect the whole school network.

Ensure that removable media is encrypted and scanned for malware before importing files onto the school network. Many businesses have even banned removable media entirely. A cloud option, particularly one that is built from the ground up with security in mind, such as Citrix ShareFile, is in my opinion by far the safest way to store and share documents.

Be Vigilant

It is not easy to keep on top of cyber security. However, it is so important to understand and to mitigate the risks. By putting the advice listed above into action you will not be completely protected from cyber threats, but you will have a strong foundation of security.

If any school would like further information or consultancy on ways in which they can protect themselves, or ways in which they can reach GDPR compliance next May, please do not hesitate to get in touch with me at schools@entrustit.co.uk or 0330 002 0045.

GDPR - top tips to get compliant

It’s that time of year again, the summer break is over and it is back into the routine for another academic year. Any bursar will tell you that September is an extremely busy time of the year with a seemingly endless list of things requiring attention. In the hubbub of the new academic year, it is easy for tasks to be put on hold, which is why I am taking an opportunity in this edition of ‘educateIT’ to gently remind headteachers and bursars of a deadline that is now two months closer – the GDPR regulation.

I’ve spoken so much with bursars about GDPR recently that I am starting to feel like a broken record, but the reality is that it is so important that it will be on the agenda right through until the 25^th May 2018 deadline and beyond.

After a well-deserved 2-month break, you may be racking your brains to remember exactly what GDPR entails. The General Data Protection Regulation (GDPR) is a piece of EU legislation designed to provide a common data protection policy amongst EU member states. When it comes into effect next May, it will supersede all existing data protection regulations (in the case of the UK, that is the Data Protection Act 1998). Because current data protection legislation differs across member states and was introduced before the cloud and social media, it was clear that modern legislation was required.

No doubt that if you have heard about GDPR, you will have heard the scare stories about fines of up to €20 million for non-compliance. As an independent school, it is unlikely that you could ever face such an astronomical fine for non-compliance, these fines are reserved for the worst offenders. However, it is a safe assumption that under GDPR fines for non-compliance will move up the value chain. For more on GDPR, read my blog from March 2017 entitled “GDPR – What’s it all about and how does it affect Independent Schools?”

During my visits to Independent Schools at the tail end of last term, I was frequently asked when would be a good time to start tackling the issue of GDPR compliance. At that time, I urged schools to begin work as soon as possible – since compliance is not something that can be attained overnight. In the new academic year, with the deadline less than 9 months away, my message is that if your Independent School hasn’t begun the process of GDPR compliance, it should be as near to the top of your agenda as possible.

With that in mind, what are some key considerations an Independent School should make as it progresses towards GDPR compliance?

Firstly, it is a good idea to get acquainted with the Information Commissioners Office. This is the Data Protection Regulator in the UK. Under GDPR, an organisation that experiences a data breach of any kind is obligated to inform the ICO of the breach, exactly what was exposed and what measures are being taken to mitigate damage, within 72 hours of discovery. Failure to do so is an offence and will result in a fine. Furthermore, GDPR requires certain businesses to appoint a dedicated ‘Data Protection Officer’ who is an expert on GDPR. The details are a little cloudy on this at present, but it is quite possible that schools will fall into this category.

The next consideration involves processing of personal data and consent. GDPR gives individuals more control over the use of their personal data. At a recent visit to an Independent School, this topic came up when the bursar mentioned that they perform wealth screening on prospective parents. Whilst this is a savvy business practice, under GDPR withholding personal information for the purposes of wealth screening can only be legally performed with the explicit consent of the individuals in question. Furthermore, the school must keep a record of exactly when consent was given and must make it clear to the individual the basis for which the school requires this information. The individual may also withdraw consent at any time, at which point withholding personal information becomes illegal.

In certain instances, passive consent is allowed. For example, when a pupil enrols at a school, it is implied that the individual gives consent for personal information to be stored by the school for the purpose of providing them with an education and pastoral care.

Once you have collected that data, the question of where that data is stored arises. Whilst many Independent Schools still store all their important data in servers on-site, cloud adoption is accelerating. Popular cloud services such as OneDrive or Dropbox are provided by U.S. based companies and are powered, for the most part, by U.S. based datacentres. U.S. data protection law is not as stringent as EU legislation and reliance on U.S. based storage could lead to compliance issues.

That doesn’t mean that storing data on-site is a preferred option. In almost all cases I have dealt with in my long career in the IT industry, on-site storage options are less secure than their cloud counterparts. The only exception is for organisations that make their cyber-security a top priority, throwing vast amounts of cash at servers, monitoring software and antivirus. A cloud storage option such as ShareFile is a strong offering if security is mission critical.

A final important consideration is that of Social Media and pupil internet usage. This links back to my earlier paragraph on consent. Because most school pupils are under 16, they can never legally give consent online. An Independent School, particularly one that has boarding pupils, acts as a legal guardian for those pupils while they are on school grounds. The school is therefore legally responsible for the information they share online, and the websites and social media accounts they sign up for while on school grounds. Having a stringent acceptable use policy in place for pupils’ internet use is a good first step, but educating the pupils on the dangers of posting personal information online would go a positive step further.

As the GDPR deadline looms, I cannot stress enough the importance of taking action now. In the business sector, GDPR is getting increasing air time and most parents will be aware of the regulation by now. To show that your Independent School is on top of the changes, I recommend a letter to inform parents that your staff are aware of the changes, and that your school is making the necessary steps to reach GDPR compliance by the May 2018 deadline. Proactively reassuring parents that the personal information of themselves and their children is safe will put minds at ease.

Towards the end of the last academic year, I received a number of requests for assistance with GDPR. To Independent Schools with a genuine need and interest, I met with bursars to discuss further. I am continuing to offer this service at the beginning of this academic year. If you would like advice on GDPR compliance, please do not hesitate to get in contact with me on 0330 002 0045 or email schools@entrustit.co.uk

Why Independent Schools must Prepare Pupils for Jobs that Haven't been Invented

Whether we like or loathe technology, there is no doubt that every facet of our lives is being changed by digital transformation.

Technology is changing businesses - we only have to see the impact of Uber on traditional taxis, Purple Bricks on traditional estate agents or Airbnb on traditional holiday accommodation, to understand that the world around us is changing because of the use of technology.

The way our young people socialise and interact with each other has also totally changed in recent years with the use of Snapchat, Instagram, Facebook and a plethora of other social media sites, not to mention the streaming of music and films/TV and the advent of e-readers and the subsequent digitisation of books - so different from my day where we went to a shop to buy a CD or borrowed a book from the library!

Technology has also made the world a much smaller place, with the cloud, virtual learning environments, and virtual meeting environments enabling remote working and real-time communication wherever we are. And - for better or worse - this "permanently connected" status of our smartphones and tablets has also meant for many of us that much of our work lives and our personal lives have become 24x7.

And the pace of change continues to increase. Already Artificial Intelligence (AI) is starting to change the world around us, dispensing with the need for some jobs, while creating the need for different, digitally savvy skills to create and manage the technology. This is a trend that can only be set to continue and extend in coming years. Meanwhile the Internet of Things (IoT) is continuing to evolve, with everything from our building management systems, to our CCTV systems being connected to the Internet. Perhaps soon the fridges in our school kitchens will be monitoring their own stock levels and automatically re-ordering items that are running short.

Embracing technology, and equipping pupils with the skills to thrive in the new digital economy, forms a vital part of preparing pupils for life beyond school. Already there are so many jobs that just didn't exist 10 years ago, and there is no doubt that some of our pupils today will be undertaking jobs in the future that haven't even yet been invented.

This is why it is so vital for schools to embrace technology and build it into every element of school life. Of course, embedding technology into school life does rightly raise concerns amongst the Senior Leadership Team as to how to safeguard pupils in this environment, as well as preventing all the distractions that come with things like social media. However with the right controls, processes and technologies in place, this is very much achievable, as has been shown by many independent schools, such as Stroud School, whom I featured in a recent piece on my blog

If you would like to know more about EntrustIT's ICT strategy and project services, which enable schools to embrace digital technology and embed it into school life, please do not hesitate to contact me on 0330-002-0045 or email schools@entrustIT.co.uk

Preparing Your Independent School for GDPR: Cyber Security Issues

In my recent blog I talked about the importance of understanding your data and securing your information systems from internal threats in readiness for GDPR. In today's article I wanted to talk about the other side of the coin: securing your information systems from external security threats.

We only have to open a newspaper or turn on the news these days to hear about some new cyber security threat or data breach that has occurred. Protecting against such breaches forms an important part of GDPR compliance, since you need to be able to demonstrate that you are taking proper care of the personal data that your school holds.

There are a wide range of factors to consider here, which will include:

1. How is your network secured from threats like malware, ransomware and hackers?
In days gone by a firewall and some antivirus software would largely do the job, but with the constantly evolving threat landscape this is no longer the case and a much more sophisticated suite of school procedures, processes and technologies is needed to provide full protection.

2. What are your procedures for applying security updates to your systems?
New security threats are emerging daily and software vendors are releasing a constant stream of fixes and patches to try and mitigate the risks from these threats. Therefore it is critical that you apply these security fixes to both your servers and your PCs and laptops in a timely fashion. Indeed, the timeliness of updates has now become even more critical since some cyber criminals are now reverse engineering the fixes from vendors such as Microsoft, in order that they can see what vulnerabilities have been fixed, and using that information to directly target those vulnerabilities in organisations who have not applied the appropriate update to their systems.

3. How is your data backed up?
Taking full system backups which are regularly tested is essential, so that you know you could recover data in a timely fashion should your school be hit by a cyber threat such as ransomware.

4. What are your procedures around physical security of your servers and IT equipment? Having good cyber security in place is critical, but if someone can access your server room or acquire a laptop or smartphone containing school data, then the very best cyber security systems can be rendered useless.

5. How do you manage secure disposal of old PC and server equipment?
Equipment that is end-of-life and being replaced will often contain confidential data or emails, and therefore it is important that it is properly wiped, to guarantee that data cannot be restored.

6. How are your staff educated to ensure they are aware of the latest cyber security threats?
It is all too easy to click on seemingly legitimate attachments or web links which may actually contain malicious code, and with new threats constantly emerging, the vigilance of your staff in being able to spot such scams will form part of your defence strategy.

7. How and when are your procedures around cyber security reviewed and updated?
Given the constantly changing threat landscape, it is critical that procedures and controls around cyber security are regularly reviewed and updated

For more information about protecting your school from cyber threats or preparing for GDPR, please do not hesitate to contact me on 0330 002 0045 or email schools@entrustit.co.uk.

Protecting your School's Network Manager from Stress and Burnout

In my recent blog, Why Every Independent School needs a Super-Hero, I talked about the wide ranging variety of roles that we expect our network managers to fulfil, from support provider and trainer, right through to network architect, project manager, cyber security expert and much more besides. 

At this time of year, when for many of us our thoughts are beginning to turn to a welcome break from work, let's spare a thought for our network managers who are often planning for one of their busiest periods in the school year – the summer holidays.  

Whilst we are enjoying the sunshine, many of them will be immersed in technically complex projects to upgrade the school’s network infrastructure. Now don't get me wrong, for many network managers, this is an exciting period of the year when they get to experience new technology and increase their technical skill set.  However, it is important that all of us get a break from time to time, and as employers we all have a duty of care towards our staff to ensure that that is the case.

So, if not during the summer holidays, then when will your network manager get a break this year?  This can be a tricky challenge, since once the summer holiday projects are complete, and school is back in full swing, we need our network managers to be in school more than ever, to provide support, hand holding and training, especially during that back-to-school phase, when invariably passwords will have been forgotten, there will be large numbers of new pupils, some new staff and  some snagging issues from the holiday upgrade projects.  As a result, I see many network managers who become overloaded, and in some cases this can even lead to serious health issues.

One answer can be to partner with an experienced schools ICT provider, who can provide a flexible holiday cover support contract for your network manager, giving network managers the time and uninterrupted rest they need to recharge their batteries, whilst giving schools the reassurance that their ICT systems are still safely supported.  Such contracts can also provide a useful backstop for the network manager at other times, by providing them with extra resources and skills to call upon during what could otherwise be stressful situations, such as getting to the bottom of a particularly thorny problem, or providing day-to-day support when they are tied up on project work.

So while you are relaxing by the pool this summer, do spare a thought for our hardworking network managers.  

If you would like more information about EntrustIT’s support services for schools, including holiday cover for Network Managers, please do not hesitate to contact me on 0330 002 0045, email schools@entrustIT.co.uk or visit our website http://www.entrustit.co.uk/our-specialisms/education/

How would your Independent School cope with 22 Hours of ICT Downtime?

In the wake of British Airways catastrophic IT Failure which left so many passengers stranded at airports at the start of half term, I thought it would be timely today to talk about disaster recovery.

As anyone who has ever experienced network downtime will know, it is amazing how crippling an ICT system failure is to a school, and how far reaching the consequences can be. Not only does an outage create classroom and administrative operational chaos, it can also have serious consequences for the school’s reputation, particularly where there is loss of critical data such as pupils’ coursework, or a breach of security around confidential pupil data.

Whilst many schools I talk to tend to associate ICT downtime with large events such as fires or floods, the reality is that the majority of ICT downtime has much more mundane causes which can include hardware failures, loss of power, cyber security breaches (such as ransomware attacks) and software failures. And in many cases the downtime is considerable, with the EMC Global Data Protection Index 2016 study showing that the average length of unplanned downtime was 22 hours. Indeed the situation seems to be worsening this year, with ICT downtime caused by ransomware attacks in particular often running into a week or more.

And while many of us can work around a short system outage, when such outages are extending into days or even weeks there can be a serious impact on the school’s operations and reputation. As such, it is critical that the senior leadership team have a thorough understanding of their risk management processes and contingency procedures around network resilience, backups and disaster recovery.

So is it enough to have a disaster recovery plan? Sadly I fear not. I’m sure BA had a disaster recovery plan, but how well did it work when it was used in anger? For many schools, I find the disaster recovery plan that was put together some years ago and has sat in the fireproof safe ever since, without testing or updating. My experience is that this document needs to be constantly evolving, as our use of technology in education has moved on apace, and what was an acceptable recovery plan a couple of years ago may now be totally inadequate. In addition, our systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can impact on the technical success of a recovery.

In order to ensure ongoing relevance, I always recommend that schools continually re-assess and test their plans around resilience, backup and disaster recovery, against the operational needs of their school and their changing use of technology. Some points to consider would include:-

• How long could you afford for each of your various ICT systems to be down for? 
• How much data and email, if any, could you afford to lose?  
• When did you last try a test restore of your data or email? Did it work?
• Have you tried a test of your full disaster recovery plan lately? Did it work? How long did it take? How much data was lost? Did the results demonstrate that recovery times and data loss met your school’s current operational requirements as defined above? 
• Do your backup and disaster recovery plans meet your forthcoming GDPR compliance obligations? 
• Where are your backups held? Would an incident like a fire or a ransomware attack wipe out your backups as well as your live systems? 
• In the event of a major disaster, what hardware would you restore your backups on to? 
• How would your school operate in the period whilst the systems were down? 
• How would you communicate details of an outage with parents, staff, pupils and the public to minimise the reputational damage to your school?

 If you are unclear of the answers to any of these questions, it may be time to review your processes and procedures around disaster recovery planning to ensure your school is not exposed to undue risk in this area. If you have any questions or would like information on ways EntrustIT can help, please do not hesitate to contact me on 0330-002-0045 or email schools@entrustit.co.uk