FE Provider Destroyed by Lack of Audit

Stefan Drew

FE is audited to death

We get regular Ofsted audits and breathe a sigh of relief when we know our curriculum and teaching are good or outstanding. We undergo rigorous finance audits and feel pleased when our beans are all in a row.

A bad Ofsted is damaging. A poor finance audit is serious. But neither will bring a provider to their knees overnight.

The problem that can destroy a provider in a few minutes is ignored. Fewer than 1% of providers will have audited what matters more than finance or teaching and learning.

And where this issue is ignored the above headline could be yours.

Hidden Dangers

Think back a few days to the way the NHS in several parts of the UK was brought to its knees. Routine appointments were pulled. Operations were cancelled and we’d be naïve to think no one’s life was at risk. Fortunately no one died … this time.

But the NHS cybersecurity breach shocked me.

The problem was partly the lack of investment in IT. But there was a deeper, more insidious problem. Routine maintenance had been neglected. Security patches that would have protected the antiquated systems some NHS Trusts were using were not applied. In other cases very expensive equipment had very old software systems embedded in it.

It was, in many cases, only luck that prevented UK FHE providers from being infected with the worm that caused the damage to the NHS. Like the NHS, providers are cash-strapped and many have old, antiquated systems. Even those with newer systems are not immune.

IT Audits

With the NHS problem ringing in our ears, how many FHE providers have instigated a review of their IT security?

I know of only one review taking place; and that was instigated before the recent NHS problems. In the last couple of days, I’ve spoken to senior teams in several parts of the country and the best response I’ve had is that the IT manager is keeping an eye on things. No one I spoke to had a cybersecurity plan. Senior management seem amazingly laid back about this potential problem. And yet they spend inordinate amounts of time and money on Ofsted. I’m not decrying spending time on Ofsted, it’s important. But so is cybersecurity.


One senior manager, with IT responsibilities, told me that the chances of a provider being targeted were extremely low. He didn’t seem to understand that the NHS hadn’t been targeted per se. It was the older versions of the Microsoft platform that had been targeted. It just happens that the NHS had a lot of these systems that were not security patched.

Clear and Present Danger

Readers who look back at my previous exclusives on FE News will find I’ve discussed situations where a provider couldn’t identify where their website was hosted. Another was in breach of Data Protection by sending student data via email without encrypting it. Yet another claimed a very high level of website security, but their website was hosted on a server where the software vendor had not issued a security update in over 30 months. A competent IT manager would be aware of this and of the related dangers.

And the problems continue. One provider in the south is currently using an Intranet that the vendors no longer support whilst a provider in the north of England is currently sending out emails that link to a page that doesn’t exist.

Two providers I know currently have MIS problems where spurious data is being pushed to the website, or worse still, no course data is being sent to the website. The latter is unable to take online applications and recruitment is suffering.

The Cybersecurity Solution

In the same way that finances, teaching and learning are audited, I suggest senior teams instigate an IT audit. Just asking the IT team to check all is OK isn’t enough. Some don’t understand the dangers or are quite blasé about them.

In some cases, the IT teams are aware of the problems, but are ignored. FDs and senior colleagues think that IT asking for updated equipment, and software, is just the IT team empire building. It might be, but often it isn’t. Hence the need for impartial audits by external experts.

There are plenty of large external organisations that will undertake audits. But beware those that will use this to sell expensive products and services. Smaller organisations, staffed by people that have run large systems for multinationals, are often a better choice. They have no product to sell, but can provide a project management service should you then need to procure and install new kit. These guys can often also advise on the suitability of staff and help you outsource if need be.

Short but Bitter

This is one of the shortest exclusives I’ve published in years. I wish I could say it is short and sweet. But the bitter truth is that FHE providers could be destroyed overnight by a cyber-attack.  

I know absolute security is impossible. But surely we should be ensuring we aren’t an easy target when the next attack comes. We were lucky this time … next time could see the IT systems going down across the country. No IT … no teaching, no admin, no exams, no HR, no payroll, no MIS, no funding … NO provider!


About Stefan Drew: FHE Marketing Consultant Stefan Drew was previously director of marketing at two FHE colleges and for the last thirteen years has worked with colleges, universities and private providers throughout the UK, Europe and the US.


