Protecting your school from exploitation

The Impero Education Pro programme has many functions, including classroom management software, usage monitoring, and e-safety features that provide support and security across the entire school network. But the company recently came under fire after a security researcher discovered a serious flaw in the system’s design that could expose schools’ sensitive data to anyone who would think to exploit it.
The nature of the data stored in the network about pupils or staff will vary from school to school, but there are key pieces of information that are at risk in any institution. For example, all schools will hold the addresses and contact numbers of their pupils’ families, and this information could be sold on to insurance companies or unwanted sales channels. Data about particular circumstances such as low income or any learning disabilities may also leave vulnerable families susceptible to being targeted by cold-callers and scam companies.

Payroll is also a significant concern, as any flaw in the security system could lead to the leaking of bank account details from all staff, and even the school’s accounts. For independent and fee‑paying schools, this poses an even greater risk, as the financial details of parents are then exposed.

Choose the right supplier
Selecting the best network and internet security provider is essential, but schools have very different and specific needs than those of a business. For example, one of the main differences is that schools are closed for long periods of time over the summer, and very little is done to maintain network security during those breaks. Most schools, especially primary schools, are unlikely to have an on-site IT technician to fix issues as they arise, with clusters of around 10 schools often having to share a professional between them.
When choosing a supplier, it’s important to seek out several sources of advice, not just from the company selling the software, but also from someone impartial. It used to be that there were specialist LA advisers who could support schools in their decision-making process, but many of these roles, simply don’t exist anymore.

Getting the perspective of other schools can also be invaluable. Ask them which security provider they use and why they decided upon their software. You could also ask about customer service and response times when incidents occur, as well as any other issues they may have with the system.

The thing to remember is that these security breaches are more often than not isolated incidents, and when a flaw is exposed, there still needs to be someone who stands to gain from its exploitation.

Who can help?
With an increasingly connected population in and outside of schools, we need to educate our learners, staff and parents on what effective e-safety is and what can be done to implement it properly. There is now a dedicated organisation working to promote the safe and responsible use of technology. The UK Safer Internet Centre is coordinated by a partnership of three leading organisations; Childnet International, South West Grid for Learning (SWGfL) and the Internet Watch Foundation, and acts as a hub for useful information and advice.
E-safety doesn’t mean restricting people or stopping them from accessing information; it’s about striking the right balance between giving our learners enough freedom to explore, while maintaining control.  
When we spoke to Ken Corish, online safety manager for SWGfL and senior manager of the UK Safer Internet Centre, he expressed his concerns around schools relying solely on internet filters to protect their data.
He said: “In my opinion, filtering is such a small move towards protecting children; the key is to proactively teach children digital resilience. Digital resilience is a young person’s ability to maximise the opportunities technology offers, whilst having the skills, knowledge and strategies to keep themselves safe when technical intervention or adult supervision is not always there to do so.”
In addition to promoting digital resilience, it is also important to manage online risks, in order to create safe learning environments for students. Ken explains how these risks can be managed in three simple steps, referred to as the three Cs:
Firstly, schools spend a huge amount of time looking at content, trying to prevent children from coming across harmful or upsetting content, and while this is important, even more emphasis should be placed on the other two C’s (contact and conduct).
In terms of contact, we should be teaching children about who they are communicating with online; who is influencing them and how they manage those online relationships. Meanwhile, conduct is concerned with exploring online behaviour; the impact of unethical and harmful behaviours on self and peers and the wider implications in terms of the judgements others make, based on what a person’s online presence says about them.

Top safety tips
Here are some top tips to help schools protect their pupils online. Firstly, filtering is currently mapped against age, whereas it is more effective if it is based on the usage or behavioural development of a child. Teachers should manage this in order to allow access to the content they and their class need.
Change the culture of your school – if you’re going to educate pupils about how to use the internet safely, you should get their buy-in and help them understand why and how they should use the school’s systems rather than their own.
Encourage conversation amongst staff, pupils and their parents so that all parties feel confident to openly communicate about any incidents that arise. Getting parents onside with this is critical to its success. There will always be incidents; how you deal with them effectively builds resilience and safer independent strategies, something which translates into the home environment too.
Make it very clear what the policy is when an incident occurs and how an issue can be escalated to the relevant management teams.  Pupils should also have multiple reporting routes on which they can rely, particularly in secondary school when reluctance to report issues is more common.

Ask for feedback from your pupils throughout the decision making process; that development ensures a wider ownership that drives a better understanding of everyone’s expectations around the use of technology.

So, where to start?
Using internet filters is a good place to start, but these should be developed to fit with the school’s culture and the behavioural development of its pupils. Dialogue between staff, parents and, most importantly, the children should be maintained so that everyone is confident in openly discussing any incidents that occur. The policy of online safety issues should be made clear when problems arise, and the escalating channels of communication and reporting should be laid out for everyone to rely upon when necessary.
We live in an increasingly digital society, and teachers have an obligation to safeguard children within these spaces. However, children today will already have a great deal of experience with technology, so an approach that capitalises upon this knowledge and promotes the development of a positive attitude and digital resilience will be the most effective method of tackling online safety.

Further information