Why cyber resilience within schools is a concern for the senior leadership team, not the IT department

As we enter 2022, the cyber threat to the education sector continues to grow. The National Cyber Security Centre (NCSC) continues to respond to an increasing number of incidents and attacks as schools become a popular target for cyber criminals. In response, the Welsh Government has partnered with Tarian Regional Cyber Crime Unit (RCCU) to deliver immersive virtual training exercises for senior leaders in schools.

But why do senior leaders need to engage with cyber?

Firstly, what is cyber?

Thanks in part to Hollywood, the ‘c’ word conjures up images of cyber criminals hiding out in basements, wearing oversized hoodies and masks, neon green ones and zeros flashing across their screens. And whilst many know this is a reductionist trope for the purpose of entertainment, they don’t seek to replace it with a more accurate visual.   

This is because most people are happy to subscribe to the notion that cyber is the domain of an IT department. Anything to do with cyber is perceived to require a vast level of technical knowledge, and since a whole department has already (rightly or wrongly) been ascribed responsibility, there is no pressing personal need to challenge that notion.

However, the IT department is only partially responsible. They can understand and implement the technical controls which enable an organisation to identify, store, and protect electronic data. But they are not responsible for ensuring that an organisation can withstand, or quickly recover from, a cyber-incident or attack. That responsibility belongs to the team who have ownership of business continuity. In other words, the senior management team. In the same way that senior leaders need to be aware of how a natural disaster, a fire, a strike or a power cut could threaten their school, they need to understand the impact that a cyber-attack can have. This is cyber resilience.

Fortunately the technical element can remain with IT, under the heading of cyber security. The two terms – cyber security and cyber resilience – are often confused or rolled into one, but cyber resilience is about an organisation’s ability to withstand or recover from any cyber event which threatens usual business operations. The best bit? It doesn’t require any innate technical knowledge.

How do you develop cyber resilience?

The very first step is a willingness to move away from the notion that cyber is solely a technical beast, and the second is an acknowledgment that cyber incidents and attacks are inevitable. It is no longer a matter of if but when.

Once the right mind-set has been established, the relevant risks can be identified. Common attack vectors include compromised or weak credentials (in which usernames and passwords are exposed to malicious entities) and phishing scams (in which targets are contacted by email, telephone, or text message by someone posing as a legitimate entity). These two attack vectors use social engineering to prey on human susceptibility, and as such, one of the biggest risks to an organisation is its people: in the case of educational institutes, its staff and students.

When developing cyber resilience, it is essential that all operational departments are included from the get-go. Human resources, accounting and finance, marketing, IT, etc. Each department should be made aware of the risks, given the opportunity to explore how an incident or attack could affect them, and encouraged to contribute to a resilience plan. This is one of the reasons why cyber resilience needs to be led from the top; so that a multi-faceted, organisation-wide understanding and response can be developed.

Once a cyber-resilience program has been established, it is useful to simulate incidents to check awareness and readiness. Just as with fire drills, the school should work its way through a series of agreed upon, post-incident steps. Simulations should be run on a regular basis to identify gaps in procedure, and to reinforce good practice, all within a safe environment.

Still not sure where to start?

Working closely with the Hwb team, Tarian RCCU is running a series of virtual cyber resilience exercises for head teachers and senior leaders in schools which will put them at the forefront of a mock cyber-incident and enable them to start developing their own cyber resilience plan. The sessions encourage discussion and shared learning with peers, provide a practical checklist, and instil confidence in the participants.