Interview with Cyber Security Lead for Derbyshire County Council’s Education Data Hub, Heather Toomey

In the last 18 months, the education sector has become a target for cyber attacks. This Spring, IASME launched a Cyber Essentials pilot for schools with the Risk Protection Arrangement (RPA).  The goal is to look at the specific issues that face schools in improving their cyber security and achieving Cyber Essentials certification. More than 500 schools across England are taking part in the pilot which is now fully subscribed and underway.

IASME has created material and resources that are specifically for the education sector. The Cyber Essentials Readiness Tool is a free interactive website that allows organisations to work their way through a series of questions. The answers given inform the tailored guidance and step by step action plan which is created for the user. The tool has a separate education sector pathway to it with tailored advice and guidance specially written for schools.  There is also a Cyber Essentials for schools webpage with information and numerous links to guidance. The guidance includes a series of recorded webinars with Q&As about scope, cyber insurance and the five controls of Cyber Essentials in the context of schools.

Working with RPA and IASME on the education pilot was Heather Toomey from Derbyshire County Council. Heather has worked in IT and Information Governance for 24 years, supporting educational settings across England with cyber security, data protection and IT management. These days she can be found working with the National Cyber Security Centre (NCSC), the RPA and Safer Derbyshire on projects aimed at better securing settings and promoting online safety and digital safeguarding.

What has been your Involvement in the Cyber Essentials education pilot?

I was asked by the RPA to work with IASME in  looking at the viability of Cyber Essentials for schools and to write educational sector specific guidance to support schools in self-submitting for Cyber Essentials Certification. The pilot has included free cyber awareness training for school staff. This has been exceptionally well received and has incorporated new training materials from the NCSC. I will also be evaluating feedback from pilot schools to examine the difficulties schools have faced in the process and to consider how we can ensure staff have a positive experience of the certification journey.

The pilot is still underway, are there any clues as to how it is going?

The need for the pilot was evidenced by the overwhelming number of schools who wanted to take part. The schools chosen have been very keen to engage with the process. The pilot has enabled the collection of information and data which will inform on-going decisions around school certification and security requirements. The majority of schools have felt the process was a valuable one.

Regarding cyber security, what is the greatest threat to schools?

Poor cyber awareness amongst staff, insecure working practices, especially around password security, and a lack of incident reporting processes. There is also a belief in the sector that security is the domain of the IT technicians / managers. This is definitely not the case and all staff should play their part.

What has been the greatest challenges in trying to prepare schools for Cyber Essentials?

Not all schools have in-house technical support and there is often a lack of understanding of what services are being used and who is responsible for them. Many schools struggle to ensure that policies and procedures reflect updated guidance. For those schools who have struggled, the main issue has been around the age of devices, especially iPads. Many generation 1 and 2 devices are still in widespread use. 

What advice would you give to schools/ head teachers wanting to improve their cyber security?

Make sure all staff have cyber awareness training.

Make sure there is a contract and service level agreement (SLA) with third party suppliers/vendors.

Ensure that there are incident reporting mechanisms in place.

Review and test the disaster recovery plan.

What other projects have you got in the pipeline?

Derbyshire’s Education Data Hub is delighted to be working on a cyber resilience project for schools, in association with the National Cyber Security Centre (NCSC). This project will incorporate the wider need for schools and educational settings to ensure business continuity in any eventuality and to support staff in taking ownership of their own security to safeguard the school community as a whole.

The team is pleased to be launching additional services to support the early years sector with data protection, cyber security and online safety.

These services will be supported by an additional project with colleagues from Warwickshire LA and the private sector to extend the early years online safety box scheme OSBOX, to include a CYBOX. This resource will be the first hands-on cyber security resource for young children and those with special educational needs.