Charting the risks and opportunities of rapid adoption of EdTech
Learn about the most current online safety and cyber security issues and threats typically experienced by schools and how they can be successfully addressed using technology.
Andrew Williams, Online Safety and Information Security Consultant, South West Grid for Learning
Overview – Charting the risks and opportunities of the rapid adoption of EdTech
Many safeguarding and security challenges in schools can be solved by embracing digital technology. However, keeping abreast of these ever-evolving challenges can be extremely difficult and time-consuming. How often do you find that once you have addressed one potential threat another rears its ugly head? How can you check that what you have in place is robust and continues to be? Organisations such as SWGfL and Scomis are here to help.
As well as learning about the most current online safety and cyber security issues and threats typically experienced by schools and how they can be successfully addressed using technology, you will also find out about the key issues for staff and students that are caused by ill thought-out use of technology. SWGfL online safety and security expert, Andrew gives you an insight into the associated risks and offers hints and tips about how these risks can be mitigated against.
Andrew is an experienced educator with over 10 year’s primary experience and has held roles at all levels of school management in Essex and in Herefordshire. Since leaving teaching, Andrew has worked as the ICT Strategy Manager for a Welsh Local Authority, followed by a regional secondment to deliver training and to support ICT development in 400+ schools in South Wales. In his current role at SWGFL, Andrew fulfils a variety of functions: account manager for The Welsh Government, training delivery, resource development, information security support and advice, liaison with European and domestic partners and more. All of this remains focussed on the safeguarding of children online.
Andrew is passionate about the use of technology in schools and supporting children, young people and adults with online safety and data protection issues.
About South West Grid for Learning (SWGfL)
SWGfL ensures everyone can benefit from technology free from harm. Forming one-third of the UK Safer Internet Centre, SWGfL experts advise schools, public bodies and industry on appropriate actions to take in regard to safeguarding and advancing positive online safety policies.
If you’d like to ensure that your data is safe and secure, then please do get in touch.
Scomis can offer guidance and advice to support you in this important area as well as services that can help. Our encrypted and secure automated cloud backup solutions give peace of mind that critical data is safe in the event of data loss, or a ransomware attack and our Hosted Application Service protects your critical SIMS data within a safe, secure, and resilient environment in our private cloud in Exeter.
If you’d like to find out more contact us.
Other related topics
Find out how our Hosted Application Service helped Martin Post, IT Manager at Crofty MAT provide business continuity by protecting their SIMS data.
Further reading and reference material
ScomisLive is recognised by ISBL as Continued Professional Development (CPD)
Offering over 20 hours of appropriate learning content for School Business Leaders. ISBL members can register their attendance against their annual CPD commitment.
Andrew Williams talks about the adoption of EdTech
ANDREW: My name is Andrew Williams. I am an Online Safety and Information Security Consultant at South West Grid for Learning. We are a not‑for‑profit charity based down in Exeter; I am based in Wales.
The potential risks and harms of technology in education
What I wanted to talk about today concerns several potential risks and harms, and a range of ways we can mitigate against them. I want to look at the notion of duty of care. Duty of care, of course, is something we are all very familiar with. We all understand that we have that duty to be responsible for the children and young people in our care in or organisations and schools around the UK.
I will start off with what is unfortunately a quite difficult story, about a young woman from Surrey called Frankie Thomas. Frankie Thomas sadly committed suicide in 2020 as a direct result of content she had viewed on her school’s iPad. She had additional learning needs and was allowed significant amounts of time unsupervised on technology during the school day.
Now, the school believed that that technology was set up in such a way that she was unable to access content that would be harmful to her, but the coroner’s report and subsequent investigation discovered that Frankie had in fact been able to access a range of harmful content: in her case, content relating to suicide. It was content which led her to replicate the type of behaviours she had been viewing in school as part of her successful attempt to commit suicide. It raises a very challenging question about the extent to which we can supervise young people’s devices and their use of technology during the school day.
How to ensure safety in education
Clearly, we have requirements under keeping children safe in education. We have requirements around the filtering and monitoring that we need to put in place within our schools. It is not just enough to say you have got filtering and monitoring in place. We need to go further than that and we need to be regularly looking at those and monitoring those logs to identify trends in young people’s behaviours before it becomes a problem.
What is interesting is not the stuff that young people are accessing – it is the stuff that we are blocking. So, they might have attempted to hit something, and we have blocked that attempt – we need to look at why that young person is attempting to access that content. How many times have they attempted to access that content? That may be an indicator about the state of mind they have or the content or the risk that they are taking at that moment in time.
It is not just young people that are encountering challenges with the type of information they are accessing online. Report Harmful Content is a free-of-charge content reporting service for anyone aged over thirteen – essentially, they look at eight different types of “lawful but awful” content. One of the things they noted in their report in 2021 was that there was a 225% increase in hate speech. We are seeing an environment where young people are being exposed to increasingly large amounts of potentially harmful or damaging content. In the case of Frankie, that led her on to complete suicide and it directly correlated to the content she had been viewing. If we are in an environment where young people are seeing hate speech, it may lead young people on to replicate that hate speech or suffer adverse effects from viewing that content. It is important that we understand the context in which the young people are operating, and that we take as many steps as we can to mitigate against those risks.
What the guidance is
The DfE’s “Keeping children safe in education in school”, “Teaching Online Safety Guidance”, and “Relationships, Education, Relationships and Sex Education and Health Education” guidance documents are clearly the statutory framework that defines and controls many of the things that we need to do in school. They make it clear that there is an absolute responsibility to safeguarding and promoting the welfare of children and that we should ensure we have appropriate filtering and monitoring in place. They do not quite define what appropriate filtering and monitoring is, but the UK Safer Internet website has lots of information available there. You can search for filtering and monitoring on the safer internet website; it gives you a good set of pointers around the type of systems and the type of information that you might need to have in terms of how your filtering and monitoring works.
They also categorise the various the online safety risks into four broad areas of risk. These are four “C”s: content, contact, conduct, and commerce. The last one is especially relevant; this notion of financial and fraud risk that we are seeing young people being increasingly exposed to. It is something we need be aware of and supporting our young people to understand those risks.
The other thing that it is helpful to be aware of is something called test filtering. One of the things we became aware of is that, for some inspectors, they were going into schools and asking young people to conduct searches on schools’ systems to see if school systems were rigorously set up. Clearly, undertaking a search for inappropriate content should result in that content being blocked but there is a risk of that content being seen. You can click on to test filtering.com and you can take a test and it will test the connection that the device is connected to. It is all for free; it gives you reassurance about the way your systems are set up.
This is our final point around the Assisted Monitoring Service. One of the challenges around filtering and monitoring is that, for some schools and settings, they can feel overwhelmed by the number of captures or tags or blocking attempts that they get in a system every day. So, we operate a system called assistive monitoring which infiltrates into solutions and enables us to see what you are seeing, helps you to triage those alerts and then supports you, prioritising those that have more priority than the other ones. It gives it a bit of a helping hand around the monitoring system.
Cybersecurity and the importance of staying secure
What I want to do is to move on to a different topic: cybersecurity. Now, if you go and ask any headteacher what their biggest risk now is – what it is that they worry about most of all – I am relatively certain that for most headteachers it is not going be cybersecurity. And that, in my humble opinion, is a massive oversight and it is something that we really need to work very rapidly to change.
Cybersecurity needs to be recognised as one of, if not the biggest, risk facing any UK organisation – but particularly schools, further education, and higher education organisations in the UK. That is because the threat assessment has continued to focus on risks of these sorts of cyber-attacks impacting on schools and colleges across the UK. Broadly speaking, the top five threats are personal attacks: attacks that might target you, the individual.
The most common and well-known tactic is the phishing email. It is the single largest vector hitting us in the UK. That is the tactic that criminals are using most often to try and get access to our data and information. Essentially what happens is that you get an email or a text message that will attempt to get you to click on a link. That link then downloads a piece of code on to your computer, and that piece of code starts going around and encrypting all the data. What I mean by encrypting is locking it so that it cannot be accessed. It means that eventually you simply cannot operate as an educational establishment and that is what they want. Once they have done that, they display a message on your system saying that if you pay a ransom, they will unlock everything for you, and you can all go back to normal, and it will all be fine.
What they do not tell you is that, at the same time, they are also copying all that data. Whether you do or do not pay the ransom, it makes no difference to them: they will sell it on the dark web. They will monetise that on the dark web as well as getting a ransomware payment from you if you choose to pay it. Even if you do choose to pay the ransom, it does not necessarily mean that you are going to get all your data back, because increasingly these cyber-criminals are not sophisticated attackers; they are, in fact, low‑skilled individuals who go on to the dark web, buy a package to use that can be monetised, and then deploy it out to different people. They do not have any technical skills. If it goes wrong, it does not matter to them – they have the ransom you paid.
What it means for you, however, is a huge amount of hassle. Losing access to your data is an incredibly potentially time-consuming situation. According to information from IASME, who offer a cyber essential service on behalf of the National Cyber Security Centre, 58% of secondary schools and 36% of primary schools have reported a breach or an attack in the last twelve months. There are plenty of stories out there on web and in the media about schools that have been hit by ransomware attacks; you can go and search for them. I was looking at one the other day – it was four months after the initial attack, and they still had no email. Four months and they still did not have their email systems up and running.
The single biggest thing that we can do to protect against ransomware is to have good back‑up systems which regularly back up our information and keep it in an air gap system. It can be an external hard drive you plug in; that way, it is insulated from any potential internet harm, and you can put that data back in. This does mean that it will not be up‑to‑date – maybe a month old – but at least it is an easier position; an easier situation to recover from.
On the topic of recovery – do check that your back‑ups work. It is very important. It is not just about the data and about recovery of systems; it is about the reputational damage that can be inflicted when your school has been hit by a ransomware attack and the school down the road has not. It might cause parents to choose to take their children elsewhere. From my point of view, one of the most devastating impacts of a data loss is the coursework done by students. Those young people who have been working tirelessly and diligently on their examinations or their coursework: they save them on to your servers and then they get encrypted or lost. That is an important consideration on all of that. It is about focusing on the impact on the students.
Back up your data. Check you can recover your data easily because the cost of remediating against ransomware are going up significantly. The average total cost of mediating a ransomware attack in 2021 is $1.85 million; this is over ten times the average ransom demanded by hackers.
What can we do?
Given that most ransomware attack vectors come through email, through phishing, it is incredibly important that we train our staff members. This data from the UK Government discloses that we are not currently doing a very good job of it. The best organisations are large firms who train their staff members 47% of the time; that is a huge percentage of staff members who are still not having regular cybersecurity training. Among small and medium enterprises, typically only around 30% of them regularly train their staff in cybersecurity. So, train your staff about the personal and professional implications of cybersecurity. Make sure you have an individual email password; a password that is unique to your personal email systems and that is over 12 characters – make it up out of four randomly chosen dictionary words. It makes it easier to remember, but very hard to crack. We need to have 12 or more-character passwords to make good passwords.
You might even talk about password vaults with your staff members too; they are a really good way of managing your passwords. 61% of internet users have experienced at least one threat in the past year. You may have encountered those text messages coming in telling you to collect a parcel at the Post Office, or a lovely call from the HMRC saying that unless you press 2, they are going to serve a warrant and arrest you for non‑payment of tax. Both frauds, and both fake. Training your staff about those will make your organisation stronger because your individuals are less susceptible to selecting those messages and choosing those things, particularly if you have a separate email and separate corporate password that never meet. There is more information available at the South West Grid for Learning; loads of information, knowledge, and access to tools, products, and services we sell at special educational rates.
Sexual abuse and harmful sexual behaviour in schools
The last section before I wrap up concerns sexual abuse. We have a new helpline which we call Harmful Sexual Behaviour, which has come out from the revelations of Everyone’s Invited. You may be familiar with the website which gave users across world an opportunity to anonymously recount sexual harassment attacks. We had Ofsted conduct reviews into the impact that Everyone’s Invited had on schools. Across England and Wales, the trend was the same. School leaders did not know about it; did not want to know about it; did not recognise the issue that existed with peer-on-peer sexual harassment. It is far more prevalent than we would like to think. It impacts young people in a variety of different ways. We do need to be recognising that dismissing people’s concerns as banter or not giving children ways to anonymously report issues to us can lead us to miss a much larger problem.
So, we need to improve the way in which we teach relationship and sexuality education. We need to be more open and give young people a multitude of ways to report problems to us, so they can report in a way that feels comfortable and safe to them. We might explore the use of peer ambassadors as well, where we train specific young people in the school with additional skills so they can support their friends and their peers more easily.
The Internet Watch Foundation released some data in January 2021 which looked at the last three years of reports. There was a 17% increase in the number of reports received by the IWF from 2020 to 2021, arising from 229,000 to 630,000 reports. Reports can contain one or hundreds of individual child sexual abuse images. The IWF are our partners in the UK Safer Internet Centre: their job is to remove child sexual abuse material off the web. They look at these and they categorise these reports and they take appropriate action to remove it where possible. Of the reports they received, 252,000 of those contained child sexual abuse material; that was a 40% increase from 2020. Of those reports, those that were tagged as having self‑generated content – content that has been generated by the individual themselves i.e., by the child – increased by 63%. Further intelligence and research of the caseload they had led them to disclose a three‑fold increase of abuse of seven-to-ten‑year‑olds. The notion that sexual abuse is not happening needs to change. We need to recognise there is a growing problem of sexual harassment within schools across the UK and we need to be effectively, efficiently, and very rapidly listening to children in our care and taking action to try and give them appropriate ways to support them and to de‑escalate the risks and the harms they may be encountering.
One of the ways you can do that is through education. We are very proud that just last week Project Evolve won an award at a recent ceremony for its work around giving you access to online safety materials. Project Evolve gives you lesson activities, resources, work sheets and a knowledge map assessment function, all for free, that you can access at projectevolve.co.uk. We have spent hundreds of thousands of pounds and thousands of hours of work writing content for you across eight different areas of online safety: from things like copyright and privacy through to bullying, relationships, and self‑image. It gives you ways into talking about sexual harassment, sexting, and other associated issues you might discover. Our tool Whisper gives people a way to anonymously report to you at the school and allows you to reply to them; you can have an anonymous exchange of messages to support someone in reporting a problem to you. It is important that we give young people different ways to report problems to us and anonymity is very powerful in this context; because it gives them that opportunity to say something to you that they might not normally say or do.
I have been asked a couple of questions about the topics I have covered. The first one asks whether information on the Cloud is more likely to be hacked than something stored on a school network. That is a good question, and I can see the logic as to why you might think that. I think that the situation is precisely the other way round. Cloud services now are so well designed and so set up that the organisations who operate them, like Amazon and Microsoft and Google, invest large amounts of time and effort into making sure that their cloud systems are kept up‑to‑date, that the equipment is properly patched, and that they’ve got the best security features that they can have enabled at any given moment in time.
What that means to you is that you have to spend less time actually making sure that that is the case. So, if you are using cloud systems, you do not have to worry about patching or maintenance or about physical security – considerations such as whether the door to the server room is locked, for instance – because your data is in that cloud and in that server somewhere else being managed for you. So, I would argue that it is the opposite. Cloud storage is probably more likely to be secure than your local storage.
One caveat to that is that, just because something is on the Cloud, it does not mean that you should not still be backing it up. Go and back it up; take that step to suck that data out of that cloud and put it into some backup storage system to make sure that if Cloud provider A falls over for whatever reason, you still have all that data available and you can upload it to Cloud provider B and continue what you need to do.
It is also worth mentioning that you can use two-factor authentication when accessing the Cloud, so that if you are accessing it outside school premises, you can prove who you say you are. I would also advise that – as secure as storing information in the Cloud is – if you still have data that you do not need for statutory reasons and you have no reason to hold on to it, do delete it. If you were to get a ransomware attack you would not want that data stolen – so if there is no legal requirement to keep data, delete it instead of keeping it. One of the great things you can do with some providers is that you can apply a retention policy to the storage environment and have it manage the data for you. You can mandate that all of the data in a certain category only gets stored for a certain period – thirty days, for example – before being deleted, and the system will automatically do it for you. It can make your life so much easier. We have been hanging on to too much data for too long at schools and we need to change that.
The next question asks how you will know if your school has suffered a ransomware attack, and what should be done. Another good question. Well, I can tell you that – in short – you will know. What will likely happen is that that ransomware piece of code will try and get everywhere it possibly can do to start encrypting data. One of the first things you might notice is unusual behaviour or a slowdown in your devices as it starts to take up resources and take up processing power to go out there and find all the data to encrypt. It is a very easy initial indicator: a massive slowdown of the device. You often will get splash pop‑ups to say you have been ransomware hit which of course makes it obvious.
You also may find if you are clicking on a link and it takes you to a website, there may be spelling mistakes or obvious visual inconsistencies – and it might even at that point say, “we have encrypted you and we are encrypting your data”. One of the best tips is that if you do click and find that there is malware or some change to your computer’s behaviour, shut down the computer and disconnect it from the network as soon as possible, because that starts to limit the extent to which it can spread and start encrypting data. Go and get help. You will not get in trouble with IT if you tell them, “Something weird has happened and I am really worried about it.” It saves hassle, and it saves effort, and it potentially saves money the more quickly that we can deal with this. There is no need to feel ashamed or embarrassed or worried. Just go out there and tell them, “Something weird has happened, I have shut down the computer to be sure, can you have a look?”
It is important for schools not to have a blame culture because if a member of staff does suffer a ransomware attack, it can be tempting to cover it up because people are worried about getting in trouble. But the earlier something is reported, the sooner that something can be done to mitigate against it and protect other staff and other data.
The next question I received says that their school’s IT department has told them that it is not their job to be responsible for online safety – so whose is it? Well, to be frank, it is everyone’s responsibility. I understand where they are coming from. What we want is senior leaders to acknowledge the risk that online behaviours have in terms of impact, potential impact on children and young people’s safety and security. This is a leadership challenge. The problem is that school leaders might not have the technical skills to understand what the technical people are talking about. So, the IT team need to work in partnership with the senior leadership team and with safeguarding; IT is central to what is going on. Look at the change we have seen in EdTech in the last two years: look at the implementation of brand‑new systems and having to use Teams and having to jump into new spaces. You know, we could not have done that without good IT teams around us. What we have done by doing that often is quickly and rapidly adopt new things. So, there’s a really good argument to say as a whole school activity is to go back to 360 Degree Safe and have a look at all of the different aspects we have; there are 21 aspects in there now that will help to assess the extent to which you have got good systems in place and give you targets to aim at to improve your systems.