Schools, security and GDPR…


Recent research, carried out by Sophos on behalf of YouGov, found that about half of teachers believe their pupils know more about IT than they do.  Whilst that doesn’t mean they know more about IT security or even common sense security, it does indicate that there is potential for a large gap in security knowledge and this could be exploited.

18% of head teachers surveyed were concerned about pupils being able to manipulate school systems in order to change or affect data (I am guessing changing grades might be high on this particular wish list) and 34% said data loss was a key concern. Of course these are related and, given that 52% stated they had no monitoring system in place, also a grave risk. Gaps in security will be exploited by someone: pupils, parents, malign ex-staff or ex-pupils, or criminals. Given some of the information stored, be it financial, medical, social or educational, focus really needs to be placed on reducing the risk of loss, damage or alteration. If there is no monitoring in place, then you may not even know you have been breached, and that must be a major concern.

The General Data Protection Regulation takes effect next May. This represents an opportunity to get your data protection house in order.  Thinking about data protection best practice and how to make yours world class, can only be of benefit to the school’s key stakeholders and contribute to enhancing the overall security posture of the school in relation to information security in general.

We don’t like the idea of GDPR being used as a big stick to threaten organisations with huge fines. Yes, there may be some fines issued where cavalier attitudes to personal information result in a serious breach, but if you look at the amount of advice, training, guidance and best practice being circulated, it really is an opportunity to learn to do things better.




It’s an interesting topic – body-worn video technology (BWV). Love the concept or hate the concept, people will always see two sides of the coin in its usage: safety and snooping. There is obviously a fine line between them, but one I was drawn to look into a little further having read an article stating that BWV cameras are now being considered for use within UK schools. One thing is for sure, the school photo is evolving into a talking picture … and not one everyone wants to see.

BWV use within UK police forces has been increasing since 2016. One of the reasons for its adoption is that research has shown the use of body-worn cameras can dramatically reduce the number of complaints against officers. A study by Cambridge University across 4 UK forces and 2 US forces claimed the wearing of BWV reduced the number of complaints in a 12 month period by 93%, as it altered the way both officers and the public reacted to each other. Is this perhaps one of the reasons it’s being considered within UK schools, the deterrent factor from a pupil/student perspective?

Download the FREE whitepaper from our website.

In January 2017, the National Union of Teachers (NUT) revealed that teachers and other school staff in Wales had been victims of over 4,500 physical and verbal attacks over the last 3 academic years. This was based on FOI responses received from 22 of 27 Welsh local authorities. That’s an average of 1,500 per year. The research claimed that this equated to 8 assaults per day within each school year. A staggering statistic … and this is just Wales! These figures were based upon attacks by pupils, but parents can be just as aggressive, as teachers within my own family can testify.

So it’s clear that teachers need to feel safe and protected in the learning environment that is their place of work. Use of BWV is one way to achieve that, but does it risk having the opposite effect to the one intended, and is it breaching privacy rights?

The article I read today from a report in the Times Education Supplement (TES) states that 2 UK schools have been trialling the use of BWV cameras. One approach is for teachers to wear the cameras on clothes in a permanent film mode. A switch would need to be activated for incidents to be recorded, encrypted and the footage saved. This relies on the teacher knowing how to identify a “low-level incident” and being in a position (and remembering) to flick the switch. This approach is aimed at reducing low-level disruption and disorder in the classroom, capturing images and showing pupils the error of their ways. I can see that with some pupils education and reason would work. But there will always be the hard core that aim to be recorded for “peer kudos” and thus deliberately agitate teachers or create low-level disorder.

A TES poll of 600 teachers has shown that 37.7% of respondents are in favour of body cameras in the classroom, with two thirds confident it will help them feel safer and 10.9% saying they believe it will become compulsory in all UK schools. I get that from the teachers’ perspective. In November 2016 the old debate about CCTV use in schools was still raging on though. Many perceive CCTV use as a positive measure and another deterrent, whilst others believe it could breed paranoia amongst staff: “Big Brother is watching you”. Isn’t BWV the same thing? If anything it is more focused and targeted, as it moves wherever the teacher goes.

In 2012 a report in the Guardian said that there were more than 100,000 CCTV cameras in secondary schools and academies across England and Wales. 5 years on, that has to be significantly more. There was uproar at the time because cameras had been placed in toilets and changing rooms at 200 schools. On one hand you can see why that was a potential invasion of privacy. On the other hand, it is also the location of a high proportion of nefarious activity – drugs, knife swapping etc.


Privacy, data protection and human rights are always a tricky balance where any form of surveillance is concerned. Use of BWV will be no exception, any more than its ‘predecessor’ CCTV was and is. I guess what it boils down to ultimately is the effectiveness of such measures.

Our whitepaper on ‘CCTV in Schools – Is surveillance in Schools appropriate?’, written in 2012 at the height of #cctvinschooltoiletsgate, is still relevant today. As we said, in the majority of schools there are insufficient staff available to ensure that all areas of the school’s grounds can be monitored, particularly where inappropriate behaviour may take place. Furthermore, school management have a duty of care to ensure that everyone who works, studies or visits their premises is safe. So, to protect pupils, deter theft, criminal damage and general crime, the proportionate use of CCTV surveillance has to form part of the solution. Therefore, why shouldn’t BWV do the same? But for any organisation, the use of cameras in any guise has to be beneficial. Is it effective with any of the following?


  1. Deterring crime such as vandalism, violence and bullying;
  2. Helping stop misbehaviour in lessons;
  3. Stopping students “bunking off” lessons;
  4. Combating smoking and drug use;
  5. Helping prevent theft;
  6. Reducing the fear of crime;
  7. Helping deter intruders from entering the school.

If the answer is yes then there is a legitimate and proven benefit for using it that staff, parents and pupils can buy into.

The jury is still out on BWV in schools in the UK. We undoubtedly have a problem with increasing physical and verbal attacks on teachers within this nation of ours. Whether this will be the answer remains to be seen. Currently 80-85% of schools have some form of CCTV and it’s estimated that nearly 50% of schools in England use biometrics or fingerprinting technology. Some even have police officers at the doors. These clearly help reduce the incidence of the items in our list above. BWV may be more effective with our top 4 issues.

So, I leave you with this thought. BWV technology has been in use within American schools since 2015, but mostly the cameras are not worn by teachers, rather by school resource officers. These are sworn law enforcement officers or LEOs (yes, that’s what it stands for, my police procedural drama fans) with a responsibility for security and crime prevention. Given that BWV trials in the UK are aimed at reducing low-level disruption, e.g. talking, fidgeting, passing notes etc., not more serious misdemeanours, will this deliver the deterrent we want? Or will it simply serve to increase the persistent low-level behaviours teachers face every day, the “peer kudos” syndrome I mentioned earlier, and distract teachers from the job they are there to do – teach. School’s out on that one.

Is Body Worn Surveillance for teachers a good move?

Low-level disruption in the classroom is nothing new. Teachers face a daily challenge in keeping pupils engaged and orderly, but it has emerged that two unnamed schools are going to be trialling Body Worn Video (BWV) cameras on teachers whilst in the classroom.

Back in February, The Independent revealed that a third of teachers surveyed thought they would wear one.

Teachers would be required to notify pupils if they were about to start recording and the contents would apparently be encrypted.

Use of this technology and the resulting output will require teachers and staff to have a much greater understanding of the current Data Protection Act (1998) as it stands and also the upcoming impact of GDPR when it comes into force next year. The legal implications of the new legislation are serious and expansive. As with all new technology, systems or processes, we would advise a thorough risk-based approach to such an adoption and a thorough training programme.

If you need support or guidance on aspects of physical security measures in your school, college or university, or you need a greater understanding of Data Protection and Information Security, drop us a note or give us a call. We don’t sell equipment or software and are entirely independent.




Spring into a physical security review!

May or June is a great time to review your school’s physical security controls and processes. Timing-wise, it means you will have the Summer break to do any required remedial work. It sends a great message to parents, students and would-be students about how seriously you take security, and you can start the new academic year with peace of mind, knowing premises and security practices are appropriate whilst still providing a warm, friendly, open learning environment.

If you are interested in learning more about physical security for schools and other educational facilities, you can visit our dedicated webpage, where you will find a free Whitepaper to download.

If it is data protection/GDPR, information or cyber security you need more information on, we provide specialist school/education services for that too. Click here.

Think twice when you see that email…

A lesson in social engineering.

A school district in Oregon in the US has been engineered out of tax details for around a thousand employees by a hacker using an email scam which purported to be from a School District Superintendent.

The details that have been disclosed to the criminal will probably be used to file false tax returns and defraud the Revenue Service. Given the global nature of this kind of activity, there is no reason to believe that this is a local issue; in fact the marketplace for this kind of information is huge and extremely well used, and much of the money from this kind of activity may go to fund organised crime.

If you are interested in learning more about phishing scams and social engineering please go to our main blog.


Let’s talk about a leavers policy

Advent IM Senior Security Consultant, Del Brazil, takes a look at recent security failures that made the news and could have been managed or prevented with a robust leavers policy and its careful application.

An American college had cause to dismiss one of its IT administrators and requested that all college IT equipment be returned. The employee complied, but not before wiping the laptop hard drive and rendering the laptop unusable to the college. The additional issue associated with the laptop was that the college’s Gmail admin account password had been stored on the laptop. This, coupled with the fact that the dismissed employee’s personal email account had been set as the default email used for resetting passwords, caused major issues for the college. The resulting impact for the college was that their students were unable to access their Google-hosted email accounts. The issue was eventually resolved with the college liaising with Google and having to fully explain the sequence of events and the current situation. This is a clear example of one potential issue that can occur in the event personnel are dismissed with no formalised/structured leavers process being followed. If the college had a formalised leavers process in place, the dismissed member of staff would have been required to surrender not only all IT equipment, but also any passwords associated with their role. These passwords could then have been changed to prevent the dismissed employee from having any further access to systems, whilst also ensuring that the college retained the necessary administrator access to maintain their Google accounts.

Currently, the case is being handled by the authorities and courts, as the dismissed individual is claiming that a degree of discrimination had taken place whilst they were employed by the college; however the college is also seeking damages totalling approximately $500,000 which is the estimated cost attributed to the loss of services they incurred.

This recent event has highlighted the need for organisations to have robust starters and leavers processes and/or policies in place in order to maintain access to their systems.

The main focus of ensuring that an appropriate and effective leavers policy and process is in place is to ensure that all equipment loaned to staff is returned and accounted for, whilst ensuring that all network and email access privileges are restricted or removed. There is a distinct possibility that personnel who are dismissed for disciplinary reasons may wish to cause disruption or destroy information or assets related to the organisation. This is further compounded by the possibility that disgruntled staff may steal and/or release information to competitors, or publish it in the public domain to cause embarrassment and loss of reputation to the organisation, third parties or, potentially even worse, customers.

A good starters/leavers policy should involve the input of a number of departments within an organisation, to ensure that the necessary actions have been completed and that the individual concerned has the correct privileges assigned to them prior to taking up post with the organisation. The same can be said when we deal with personnel leaving the organisation. Departments that could be included within the starters/leavers process may include, but are not limited to, the following:


  • HR – To ensure that appropriate vetting and staff records are completed.
  • Line Manager – To ensure that the role to be filled is in line with the employee’s capability and specialisation.
  • IT – To ensure that a user account is created in line with the necessary permissions and file shares approved by the employee’s line manager.
  • IT/Line Manager – To ensure that any necessary equipment is made available to the employee in line with the needs of their assigned role.
  • Security – To ensure that the necessary access permissions are provided (door combinations and/or swipe cards).


Another good example of a poor starters and leavers process is the incident involving a Pennsylvania woman, who faced three charges of unlawful use of a computer and a further three charges of computer trespassing/altering data. The individual had previously worked within the district office as an administrative office secretary from 2008 through April 2011 and was responsible for managing employee user accounts. The individual concerned had initially hacked into her children’s school district’s computer system using the school superintendent’s credentials and altered the children’s grades. The individual was also found to be using various passwords to access HR systems, which facilitated access to personnel files and numerous emails. In this instance the school not only failed to implement a good starters/leavers policy but also failed to recognise the importance of segregation of duties or to carry out any protective monitoring and/or auditing. In the example stated above, not only was the individual permitted to create/manage user accounts without any supervisory checks being conducted, but they were also able to abuse their position by either impersonating another user or creating bogus accounts which permitted access to various pieces of sensitive employee data.

It is the author’s recommendation that all organisations, irrespective of size, should review their current starters/leavers processes along with their methodology for segregating duties, to ensure that they do not fall foul of a similar occurrence. A good audit programme and/or protective monitoring solution may potentially highlight any inappropriate use or, at the very least, highlight suspicious/questionable user activity.

Lock up your logins!

A student from Georgia was able to assemble a list of no less than 36 login credentials of staff from Kennesaw State University, in Georgia. Eventually he used the legitimate login of a professor to access the university system and change his grades.

How is it possible to assemble such a comprehensive list of login credentials? Many universities will use protective software to prevent incursion by outside actors, but the use of a legitimate login makes this nefarious activity harder to spot.

Good password hygiene is essential.

  • Force a change on newly issued credentials to make sure there are no default passwords in use on your network.
  • Maintain minimum quality levels on passwords – no dictionary words, no names etc.
  • Ensure logins are not shared or divulged.
  • Ensure logins are not written on post-it notes or whiteboards.
  • If in doubt, ask an expert.

You can read the full story here.


Make sure you delete those logins!

Summer is ended, the new school year is well underway and the squeaking of new school shoes accompanies many kids down corridors. A fresh start for everyone…but has anything changed that you need to be aware of and factor in to your data protection regime?

End of term is usually the time schools can lose staff through churn or retirement. Once they have left, do you have a process for sanitisation of their credentials? In other words, is your leavers policy being used, and used correctly?

We have heard of at least three occasions when ex-school staff logins have successfully been used to access school information and either delete, change or invalidate it. So not only has the information been accessed by an unauthorised person (regardless of the fact they were once staff, and assuming it is them who is logging in), but there is the potential for it to be not only stolen or disclosed, but also changed. This might be an exam or test grade, for instance.

Contractor or temporary staff logins should also be deactivated and deleted. Don’t allow temporary staff to use other staff logins, and make sure everyone, whether temporary or permanent, has their own login and has been trained in the school’s Data Protection Policy and your process for enforcing it.
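The leavers-process failures described in the two pieces above (a privileged account recoverable through a personal mailbox, an account manager with unchecked access to HR files, ex-staff and temporary logins left enabled) can be caught by reconciling the HR leavers list against a directory export. The script below is an added example, not Advent IM’s own tooling; the school domain, the field names and every record in it are constructed assumptions.

```python
"""Starters/leavers reconciliation audit (added example, constructed data).

Reconciles a constructed HR leavers list against a constructed directory
export and flags the failure modes the incidents above describe.
"""
from datetime import date

SCHOOL_DOMAIN = "example-school.sch.uk"               # assumed school mail domain
PRIVILEGED = {"gsuite_admin", "account_admin"}        # roles that can lock others out
CONFLICTING_ROLES = {"account_admin", "hr_records"}   # one person should not hold both

# Constructed directory export: one record per login.
DIRECTORY = [
    {"user": "it.admin1", "enabled": True, "roles": {"gsuite_admin"},
     "recovery_email": "itadmin.home@gmail.com", "kind": "staff", "expires": None},
    {"user": "a.jones", "enabled": True, "roles": {"teacher"},
     "recovery_email": "a.jones@example-school.sch.uk", "kind": "staff", "expires": None},
    {"user": "office.sec", "enabled": True, "roles": {"account_admin", "hr_records"},
     "recovery_email": "office.sec@example-school.sch.uk", "kind": "staff", "expires": None},
    {"user": "supply.temp3", "enabled": True, "roles": {"teacher"},
     "recovery_email": None, "kind": "contractor", "expires": "2017-07-21"},
    {"user": "b.patel", "enabled": False, "roles": {"teacher"},
     "recovery_email": "b.patel@example-school.sch.uk", "kind": "staff", "expires": None},
]

# Constructed HR leavers list: login and last working day.
LEAVERS = [
    {"user": "a.jones", "left": "2017-07-21"},
    {"user": "b.patel", "left": "2017-04-28"},
]


def recovery_is_external(acct):
    """True when the password-reset address points outside the school domain."""
    addr = acct.get("recovery_email")
    return bool(addr) and not addr.lower().endswith("@" + SCHOOL_DOMAIN)


def audit(directory, leavers, today):
    """Return sorted (user, finding) pairs; `today` is a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    left_on = {l["user"]: date.fromisoformat(l["left"]) for l in leavers}
    findings = []
    for acct in directory:
        user, roles = acct["user"], acct["roles"]
        # 1. Leaver whose login was never sanitised after their last day.
        if acct["enabled"] and user in left_on and today >= left_on[user]:
            findings.append((user, "LEAVER_STILL_ENABLED"))
        # 2. Privileged account recoverable via a personal mailbox (the Gmail admin case).
        if roles & PRIVILEGED and recovery_is_external(acct):
            findings.append((user, "ADMIN_RECOVERY_EXTERNAL"))
        # 3. Contractor/temporary login with no expiry, or expired but still enabled.
        if acct["kind"] in ("contractor", "temporary"):
            if acct["expires"] is None:
                findings.append((user, "TEMP_NO_EXPIRY"))
            elif acct["enabled"] and today > date.fromisoformat(acct["expires"]):
                findings.append((user, "TEMP_EXPIRED_STILL_ENABLED"))
        # 4. Segregation of duties: manages accounts AND reads HR files.
        if CONFLICTING_ROLES <= roles:
            findings.append((user, "SOD_CONFLICT"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(DIRECTORY, LEAVERS, "2017-09-04"):
        print(f"{finding:28} {user}")
```

Run it against a real export at the start of each term; every finding is a ticket for IT, HR or the line manager under the starters/leavers process above.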





School hit by ransomware

A school in Missouri, US has been hit by ransomware and all operations, including lunch distribution, have been impacted. This is because ransomware, as the name implies, holds files, systems and networks to ransom by encrypting them and preventing the owners/operators from accessing them until a ransom is paid. This is normally demanded in a crypto-currency like Bitcoin.

UK schools should not be fooled into complacency because this has happened in the US; it could happen to a school or educational facility anywhere. Cyber knows no borders, and cybercrime is no exception: all it usually needs is someone to open the door for it…

Ransomware tends to be distributed (though not exclusively) by phishing emails. Training staff in how to recognise and handle phishing emails is a vital part of combating this cynical and hugely disruptive kind of attack.

If you would like to know more about ransomware and how it works, please click here for our main security blog and a post from a security expert.

We have a selection of security Whitepapers on our website which are all free to download.

Top look-outs for School Cyber Security

Advent IM Security Consultant Del Brazil offers some observations and advice for schools, colleges and universities on improving their cyber security.

There is a wealth of information held within educational websites, schools, universities and data centres, and these institutions are generally accessible to anyone. Educational facilities are no more susceptible to attack than any other organisation; however, the likelihood of an educational facility losing data or suffering a breach is relatively high as a result of their current practices and/or security culture. Any breach of security or loss of information by an educational body and/or facility may result in some form of penalty or undertaking being imposed by the Information Commissioner’s Office (ICO).

Recently there have been a number of universities found to have been in breach of the Data Protection Act and, as such, they have had to undertake reviews of their current security practices and policies to ensure that they comply with principle 7 of the Act. This principle states that ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’ Although these universities escaped a monetary fine this time, this does not mean that each and every educational body and/or facility will be given an undertaking rather than a fine. The severity and type of breach and/or loss will influence the ICO on whether a specific undertaking is appropriate or whether to impose a monetary fine. Board members need only look at the ICO’s website to see what type of actions and monetary fines have been imposed by the ICO; hopefully this will encourage them to raise the importance of security at board meetings.

Below are a number of areas that educational facilities should consider…


  1. Personal Information – The vast majority, if not all, educational facilities retain a wealth of personal data related to students, employees, board members, trustees and former pupils, which is at risk from interception, alteration or theft. There is also the possibility that personal medical and financial information is at risk; although these types of information are afforded extra protection, this extra protection doesn’t guarantee that the information is safe.
  2. Home Studying – When pupils study from home, whether they are mature students or regular pupils, there are additional complications and/or threats to consider. Educational facilities have to grant a degree of external access to their internal network resources to pupils in order to facilitate studying. This external access needs to be correctly configured and managed to prevent pupils accessing inappropriate areas of the internal network.
  3. Physical Security – Educational facilities pride themselves on being open and all-welcoming; however, this comes at a price. The relaxing of certain physical security measures gives any would-be attacker free rein to wander around an educational facility to identify key areas which they may wish to target. The threat may not just be from a cyber-attack but also from an opportunist, such as thieves or organised criminal syndicates. Consideration should also be given to overseas students who may take an overenthusiastic interest in certain areas of the educational facility, as they believe these areas may be able to provide them with information about key services/activities.
  4. Information Sharing – One of the key principles of schooling is the sharing of information, with the exception of personal and business-related information, as this facilitates a healthy learning environment for all. The downside to this is: how do these educational bodies protect proprietary information and/or intellectual property when there are generally no Bring Your Own Device (BYOD) or social media policies in place?
  5. Multiple Technologies – Historically, educational facility networks comprise a whole raft of different networks and applications being used by different user groups, which makes any IT department’s role not only complicated but also very time consuming. It would be far better to have one network which is correctly configured and managed, thus increasing and centralising security across the network, whilst also reducing the amount of resources allocated to maintaining multiple networks or applications.
  6. Awareness & Understanding – As with a lot of organisations, there is a belief that cyber security is the responsibility of the IT department, resulting in a number of staff asking what cyber security is and why they have to worry about it. This is a clear lack of awareness and understanding and, in some instances, a further belief that their own self-importance is above that of the educational body or facility. This lack of awareness or understanding may result in poor practices being undertaken or, in certain circumstances, security measures being circumvented to ensure that a specific job is done, disregarding the potential impact of any breach that may occur as a result of their actions.

Do educational facilities take security seriously enough? It is the opinion of the author that there is a clear opportunity for improvements to be made whilst also introducing additional security training and awareness. This additional training should be directed towards all who are associated with the educational facility and should include, but is not limited to, board members, staff, teachers and pupils.

There is no one fix or ‘magic bullet’ that will solve or prevent a cyber-attack; however, with appropriate training and supporting policies, educational facilities or bodies should be in a better position to minimise the impact of any cyber-attack.