If you’re a College Principal or senior leader in education it’s likely you’ve heard of the #GDPR (if you haven’t you must have been on an almighty sabbatical) and it’s also likely you may think your Director of IT has long sorted it.

If so, you could be facing a rather unexpected problem since your technical team were not, and are not, where the primary risks to data protection reside.

Technical teams will likely get cybersecurity (at least enough to provide a baseline of appropriate assurance) and will have firewalls and wider technical defences already in place (you’d hope). 

Your focus shouldn’t be on the technical staff when it comes to data security, so if it’s senior IT staff reporting to the Audit Committee on this, you’ve got it wrong. It’s everyone else in your organisation, aside from the IT staff, who pose the biggest threat to your data protection responsibilities and the solution to it largely isn’t a technical one.

Awkward truth, but a fact nonetheless. No easy quick fix sadly. All the firewalls and software in the world won’t help you when it comes to data protection.

The bottom line is if you haven’t trained every single member of staff from the Cleaner to a Vice Principal on how to stay safe in a digital world then the following information will be of value to you. It will certainly interest your Audit Committee should the worst happen.


According to an analysis of data provided by the UK Information Commissioner’s Office (the ICO) undertaken by CybSafe in 2019, it was actually human error, not malicious criminals, that resulted in more than 90% of data breaches. Let that sink in.

Nine out of ten of all cyber security breaches are caused by human error.

The big message from this analysis for me is that the scale of this human error is increasing, from 87% the previous year and 61% the year before. This trend is surprising given the amplification online safety has had in recent times with the arrival of the GDPR. Additionally, research published by Computer Business Review cites just 7% of data breaches as attributable to hostile criminals such as hackers.

Clearly something is going wrong and a likely area of special interest is how educators are being coached and trained, or not, in the ever evolving world of cybersecurity and its associated threats. A paper published by Osterman Research suggested that less than half of organisations had trained their staff at all on data protection good practice despite the potential high impact, likelihood and cost of a data breach.

This is something I see all of the time. Typically, not always but often, colleges and universities will hold a CPD event on data protection once, then that’s it. Sometimes it may be repeated a year later, often not. As evidence suggests that new emergent data security threats occur on a daily basis, the flaw with waiting a year to update your training is obvious.

This challenge is not something that a few days of CPD will fix, and the cost of getting it wrong can be catastrophic, as Jeffrey Wong found out.

That’s so Wong


Jeffrey Wong, the Hawaii Emergency Management Agency’s Operations Officer, accidentally went viral. This wasn’t entirely as a result of the false missile warning being issued by the agency causing widespread panic, bad as that was. No, we have heard of Jeffrey Wong for a different reason.

During his unplanned media appearance to explain the false missile warning it was noted that behind him, on a sticky note attached to a computer, was a password.

Given the role of the agency in military defence, this was not good. Really not good.

When it comes to cybersecurity own goals, this takes some beating. It should be noted that there’s no evidence actually suggesting that Wong was personally responsible (although you can bet it felt that way) but the damage was done and it certainly raised serious questions about security at the agency.

It’s an easy human error to make but the consequences can be serious.

Let’s explore some wider common own goals to avoid when it comes to data security.

Gone Phishing


According to numerous analyses, the most likely human error behind cybersecurity breaches involves phishing attacks, loosely translated as either a person or software pretending to be someone else in order to secure sensitive information, usually arriving via email.

I’ve been aware of many close calls when it comes to phishing attacks targeting senior executives (also referred to as whaling as the bosses are the ‘big fish’).

As mentioned one of the possible causes behind the increasing success of such attacks is that cybersecurity training might not have been assessed as an ongoing priority and given appropriate status on the corporate risk register (another thing I see often).

It’s not unusual to find organisations where staff are trained in data protection as part of their induction on joining, then that’s it.

This approach makes an organisation highly vulnerable to cybersecurity issues as threats such as phishing have evolved dramatically in their sophistication as a result of social engineering techniques.

If you were to run a phishing simulation threat assessment in your organisation you may be surprised by how many people fall for it if the test is run authentically (dare you try it?). 

Using a leading cloud based email solution that deploys world leading AI and machine learning in the background to continually scan for evolving threats is also a smart idea as part of risk mitigation.

If you’re relying on technology that runs overnight patches to update anti-virus software, you have unnecessary risks and it’s only a matter of time before the weakness is exploited.

Safety device

Another high priority security threat when it comes to data is the use of corporate devices (such as laptops) where staff may share the use of the device with friends and family when outside of the working environment.

Traditional laptops are especially vulnerable to data breaches of this type and represent a higher risk profile when it comes to viruses than comparable devices such as Chromebooks, which have no need for anti-virus software since they have built in protection against viruses and malware that is continually updated to defend against emerging threats.

As for portable storage devices like memory sticks, that’s just a no. Ban them and do it now.

As a security specialist was overheard saying at a recent conference, ‘memory sticks are the devil’. When it comes to data security they are indeed.

A colleague or student bringing an infected memory stick into college or university has the potential to bypass anything that your IT specialists can do. Ban them. Did I mention you need to ban them? I think I did.

Password123

The bad news is that the whole concept of passwords is a bad idea when it comes to cybersecurity but we are stuck with them for a while. As such, having a complex password is a necessary evil. That said, based on data from the UK National Cyber Security Centre (NCSC) many of us are still not using intelligent passwords with such gems as ‘Blink182’ and ‘Superman’ used regularly.

The most frequently used password where a data breach occurred was ‘123456’, as used by some 23.2 million people who soon regretted it. Seriously. You may be shaking your head at that but before you feel too smug, read on. ‘Password’ was also included as the, well, password on some 3 million accounts.

If you were thinking of including the names Ashley or Michael with some number combination, don’t. Really don’t do that. Same goes for Jessica or Charlie. 

Football fans also seem very keen to use their team names in their passwords and feature highly on the NCSC list of shame with Liverpool topping the list, followed by Chelsea and Manchester United with ‘manutd’ being a commonly compromised element to passwords. I am assuming that Stoke City doesn’t feature because their fans use superior passwords.

Swear words also featured commonly with ******* and ********** topping the list, so don’t use those.

Bottom line, use a complex password and two factor authentication. Not ideal, but necessary, and don’t write your passwords down on a sticky note marked ‘passwords’ and stick it to the computer you use.

That’s a bad idea also, especially if you're running something sensitive like a missile defence centre.

Prioritise high priority accounts

Having stated that the IT team is not your biggest risk, there is a key responsibility they have to get right around the management of security protocols for high privilege accounts, those admin level accounts that hold the keys to your castle.

Effective security protocols around passwords for high privilege accounts, preventing their misuse, are essential, especially if your technical teams have kids called Ashley or Jessica. If these accounts are compromised the consequences can be severe, so regular security checks and audits are a must.

As a minimum your technical team should follow a least privilege principle when it comes to account management, with elevated privileges on an ‘as needed’ basis, not a blanket right.

Return to sender


Ever sent an email to the wrong person or one you wish hadn’t been sent at all?

Many people have. In fact it’s one of the most common causes of a data breach (the 4th most common according to research by Verizon), accounting for more than 60% of human error data breaches, and it can happen to anyone, including the US Embassy in Australia, which accidentally sent out a meeting invitation with a picture of a cat dressed as Cookie Monster in what they described in their apology as a training error.

Whilst this example is amusing it could have been very different.

For sensitive emails encryption is a good idea and many organisations are now also deploying more advanced security solutions that can prevent specific documents from leaving the corporate network.

It’s all about people

Ultimately people will make mistakes but there is no defence for not mitigating against foreseeable risks (again just imagine explaining not mitigating against a foreseeable risk to your Audit Committee, or worse an investigation).

Proactively training staff through a continual process of workforce development around digital skills is not just a good idea, I would argue it is now essential. Additionally IT teams must have access to the right tools to enable them to proactively manage known and foreseeable threats to digital assets.

Making effective use of cloud technology with leading security credentials will also enhance resilience against cyberintrusion and should definitely be high on the menu.

In the context of data protection, as the saying goes, ‘to err is human. To really foul things up requires a computer’, so when you are dealing with both, effective digital coaching and continual training is essential if you’re to avoid your very own Jeffrey Wong moment.

Jamie E Smith, Executive Chairman, C-Learning
