Interview with a Multi-Academy Trust that passed Cyber Essentials

We spoke with the director of IT for a multi-academy trust about the experience of certifying to Cyber Essentials as well as the technical and administrative challenges in managing the growing cyber threats within the education sector. The Trust requested not to be identified.

The personal views below are those expressed by the professional who was interviewed.

Tell us about your background.

I have a degree in computing, and over 15 years experience working in education and IT. When I first came to work at the trust, I was quickly moved into a senior role and became head of IT. I think the chief executive and senior leaders at the trust saw that there was a growing need to have a centralised IT leader that could get all the schools singing from the same hymn sheet.

The role of director of IT within a multi academy trust.

I think getting your house in order is key. We have three secondary schools in our trust with a centralised headquarters. The team is not huge, there is literally only me plus one IT officer in charge of each school, so three schools with three IT officers. We have recently grown to add two IT apprentices. We also help other schools outside of the trust, schools that might be struggling with technical or security issues, it is a bit like a mentoring service. We currently provide IT support and guidance to a nursery school as well as a to a county council maintained primary school.

The changing security features of software.

In the last one to two years, many schools have been moving over to the newer Microsoft licensing model which is Microsoft 365. In the education space, it comes with a bit more than the Standard/Pro version, for example, Enterprise three (E3) comes with elements of Enterprise Mobility and Security software add ons, whereas the academic version (A3) is the same as E3, but includes Minecraft for students and staff. This is useful because Minecraft can be used to teach children about coding or about cyber security. If you wanted to, you could actually bring a virtual periodic table, and do chemistry lessons inside Minecraft and this obviously got a lot of use during lockdown. The additional benefits that come with A3 or E3 Microsoft software are to do with security. It is no longer just a copy of Office and Windows, you also get the ability to start applying cloud managed security profiles and baselines. Most schools, unfortunately, don’t know how to turn these on.

Microsoft have written a basic guide called ‘the cloud managed PC’ where they explore the setting up of a typical secure advanced threat detector. Unfortunately, this has not been written in a format that a non IT professional could understand. I definitely see the need for a more accessible form of guidance to help schools manage and monitor their devices.

Within our trust, we are planning to move towards using Microsoft’s top security endpoint analysis tools from February next year. We would aim to particularly protect our staff within the business operations as this is where all the money is held. It makes sense that a primary target for hackers is the head of finance or the chief executive.

A word about iPads

During the last 12 months, the Department for Education (DfE) have been issuing iPads free of charge to schools with disadvantaged learners who needed to be able to learn from home. Out of the box, we would assign that device to our cloud mobile device management portal. It costs about five pounds per device per year. So in the case of a small village primary school with about 120 children, you might be dealing with 40 iPads . The children are able to take their iPad and roam between the lessons and also take them home. Our device management software allows us to safeguard them, to patch them and to update them to the latest editions of iOS. If there’s a security update, we can press a button remotely and it updates, we don’t have to be present on site.

There are a-lot of iPads in use that schools bought themselves a few years ago. iPads will go on and on for many years, but, crucially, they stop receiving updates after around 5 years, and that’s a big problem. A typical laptop has probably stopped working by then, but iPads just keep going, and because the batteries aren’t too bad, people think you can carry on using them. In reality, anything before fifth generation iPad shouldn’t be in use. In our schools, we do have iPad minis that are pre fifth Gen but we don’t use them in a connected school setting, so we don’t connect them to our network. They can still be useful, however, when used simply as a camera, but certainly not connected to the Wifi.

The changing cyber security posture in schools.

I’ve been working at the trust since 2016 and over that time, understanding the changing priorities of cyber security has been a journey. For nearly two decades, I’ve been aware of security issues such as viruses, but ransomware certainly wasn’t a big issue more than a few years ago. Just in the last few years, more schools have started to move towards having single sign on and multi-factor authentication. Making staff use a second device as a verified form of authentication has been difficult for some schools due to the cost. In our schools we have given every teacher, an iPad, that uses their fingerprint or their face ID as a form of biometric authentication. It removes the need for a password and it also acts as a second form of authentication for when they’re accessing the school network from home.

What was the motivation to get your trust Cyber Essentials certified?

We were part of the Cyber Essentials for schools pilot which I was very enthusiastic to join. I could see that this was where cyber security was headed, and it was only a matter of time before schools need to start getting certified. As we provide an educational service, we need to be alert to safeguarding. Safeguarding children means also safeguarding their network and their data. What would happen if we lost the children’s data to a hack or a ransom? Cyber Essentials also gives us the chance to grow and improve our standing with GDPR compliance and get cyber insurance that is included in the certification. Previously, we were paying around £2000 a year for cyber security insurance, so we have already made a saving.

When we completed the online self-assessment, we gave a huge amount of detail in all our answers. This meant that we were able to receive a great deal of feedback and suggestions on how to improve from the assessors. Some schools I imagine would give more yes or no answers but would miss out on the opportunity to learn and improve.We didn’t want a badge for the sake of it, I think it’s important to understand why you are going through the process and why you passed.

By encouraging schools to get Cyber Essentials, it will hopefully mean that from a security point of view, schools will no longer be seen as an easy target and good practice will be normalised.

Is Cyber Essentials achievable for schools?

I’d say it is achievable for about 50% of schools. Those that can achieve it, tend to have a very good senior leadership team, and have already put in place the right management structures and line management. It’s about the right people in the right posts with the right funding. If you start to look at multi-factor authentication, it can be expensive if you go with third party tools. So the budget constraints could limit what a school can do. I would hope, if they are a Microsoft school, and they’ve got at least an A3 license, they’ll already get the security features that they need. With that said, I see that things are changing, and schools might ideally need the top license which is A5, as many of the security features that we are using are A5 only.

If a school has barriers to achieving Cyber Essentials, I would recommend working with other multi academy trusts and schools that have been able to achieve it. We have worked with other schools and shared our experiences together. Throughout the pandemic, we have all noticed the increase in cyber attack attempts in terms of firewall probes, port scans etc.

Each year, we learn a lot and hope to improve, now we are compliant, we ‘re not going to start being complacent. We aim to make sure we stay on the ball, continue to educate the staff, and make improvements.

Schools unifying against a common threat.

As more and more schools became academies, they became somewhat disjointed from one another, but now, I feel we’re slowly coming back together again because we’ve all got a common threat. I’d like to see a secure educational website that we could log onto and access the latest news and threat warnings and share discussion forums.

Our schools can easily be impersonated by a fraudster who has hacked into the email account, and this puts the supply chain, the parents and all the other schools working with you at risk. Schools are working together all the time, even if they are not in the same trust. We had a case maybe 18-24 months ago, where the Duke of Edinburgh’s scheme got hacked and because it is a highly trusted source, many people believed the email, clicked on the links and gave away their passwords.

We hope a lot of schools will embrace Cyber Essentials and get on board. Like a vaccine rollout, every school that certifies is better protected, and we are all better protected.