Why don't Cyber Security tools work?

The honest truth is they do... it’s how they're implemented that's proving to be the real problem. I have two simple examples for you; one is easy to fix, the other is much harder and (of course) much more widespread.

Password security

I thought the days of people writing their usernames and passwords on Post-Its next to their laptops were over, consigned to urban myth, but no. Two weeks ago I was in a Primary School and moved a teacher’s laptop to find the apocryphal Post-It note just there.

If teachers think that primary school children don’t have the wherewithal to use information like that, they are putting themselves at risk. That risk is increased in secondary schools where the students are even more tech savvy.

People

A senior school leader I was talking to last month said that they couldn’t get their staff to use the E-Safety and Safeguarding software they had implemented. When asked why, three reasons came up:

  • Many teachers didn’t understand how to use the software.
  • Staff didn’t want to take responsibility for capturing and having to deal with difficult issues.
  • Linked to the second issue, teachers didn't want to increase their workloads.

Tackling these issues can be difficult, but there are four key areas schools should look to improve in order to deal with them.

Policies

Practically all schools have policies on issues like mobile phone usage, safe internet usage, acceptable usage and password policies. The problem is they are often out of date or, even worse, paid lip service to and not connected to the reality in the school on a day-to-day basis. Policies should be reviewed annually, or after a major incident such as cyber-bullying or a hacking attack. Ask yourself the “so what?” question in relation to your policies. Will they really make a difference, or are they just words on a paper that no one reads, implements or cares about?

Training

Staff, pupils and parents all need training, both in the policies and in the tools available to them.  Anecdotally every school has a story about a piece of software that has been bought but isn’t used.  In the vast majority of cases the biggest single reason for failure is a lack of training, not just in the beginning, but on an ongoing basis to ensure it is embedded in the working practices of the staff and the school.  Don’t underestimate the amount of time and effort implementing new solutions will take. 

Some of the biggest successes I’ve heard about recently have been where parents have been involved in the implementation of new policies and tools.  One of the biggest parental fears is cyber-bullying.  If you can get them to understand what you’re doing and why, it has a big impact on them supporting the school.

Enforcement

Some things are easy to enforce, like the regular changing of passwords. Getting people to change behaviours (e.g. not write them on Post-Its) is harder. Get people to use pass-phrases (two or more words relevant to the user, with numbers and symbols), which are easy to remember and more effective against hacking, e.g. don’t use Pa$$w0rd, try Motor^BIKE43.

Many schools have staff sign a piece of paper to say they have read, understood and will abide by policies.  Some schools even get parents and students to sign similar documents.  A trend that is increasing in the Private Sector that I think will catch on in schools is giving each individual a quiz to test whether they have understood the material, not just ‘read’ it.  It’s easy to do, and will ensure that people engage if they can’t use the school network or systems until they ‘pass the test’.

Leadership

One thing leadership can do, but don’t often because it can be difficult to spot, is call out, praise and reward positive behaviours.  Praise, reward and peer pressure are as old as the hills when it comes to motivational techniques, but they still work, even in today’s technological world.