Teacher tips: Keeping your classroom safe online

Show Notes

In this episode of the Hello World podcast we sit down with Claire Walden, a former primary school teacher, to discuss cybersecurity, safeguarding, and why digital safety is so important.

The conversation offers practical advice for educators and students, such as using "three random words" to create long, unique passwords and implementing two-step verification to prevent the "domino effect" of account breaches. Additionally, the episode explores the Cyber Choices programme, which helps divert technically skilled students toward legal and ethical careers in computing.

Chapters

• 0:00: Introduction
• 4:00: Claire’s Teacher Tips
• 7:19: Building strong passwords
• 8:40: Password management: Different passwords for everything
• 10:17: Two-step verification
• 11:35: Cybersecurity is a safeguarding issue
• 14:27: Advice to help prevent ransomware attacks
• 16:06: Why staff training on cybersecurity is a must
• 17:53: The impact of AI on cybersecurity
• 21:07: Safeguarding
• 22:00: UK Curriculum
• 25:20: Outro

Transcript

Hello world and welcome to the podcast for educators passionate about computing and digital making.

I'm James Robinson, Senior Learning Manager here at the Raspberry Pi Foundation, and this is the second of four episodes released to accompany the latest issue of Hello World Magazine.

This issue explores online safety and security, asking what we mean by those terms and how we can better teach the skills that young people need, to use computers effectively and safely and responsibly.

In today's episode, we're talking to Claire Walden, a Cyber Protect Officer with Thames Valley Police in the UK, who's also an ex teacher, to discuss cyber security in schools.

So over to my colleague Laura to introduce our guest.

Hi, I'm Laura James,

I'm a Learning Manager at the Raspberry Pi Foundation.

And today I'm joined by Claire Walden.

Claire, welcome to the Hello World Podcast.

Thank you very much. It’s a pleasure to be here. Thank you, Laura.

That's great.

Before we get into the details of our discussion, why don't you tell us a little bit about yourself?

I work at Thames Valley Police in the Cyber Protect team.

I've been working within the police now for ...

three and a half, four years, nearly.

But actually, before this, sort of life, I started.

I was previously a primary school teacher, in the south east of the UK.

Did that for, oh, my goodness, years and years and years, 14 years or so.

Before deciding that I fancied a change and, and moved into this world of cyber security and educating people about that side of things.

Wow, that sounds like a big career change.

How did it come about?

And are there many parallels with working in a primary school to working in a police force?

Weirdly enough, yes, there are plenty.

So, it came about because the, the team here in the south east, so it's SEROCU, the South East Regional Organised Crime Unit, were looking for someone with school experience who could help them with outreach work that they were doing, around cyber security advice for, for schools, but also, around the cyber choices side of things.

And I'm sure I'll talk more about that programme a bit later, but it's a safeguarding programme, essentially an intervention program to try and support young people with, well, schools and young people with being safeguarded from committing computer misuse offences like hacking illegally and stuff like that.

Yeah, as I say, several years in and I'm loving it.

And as you say you know the parallels.

Oh my goodness there are so many.

Still everything I do, in my role is, is education and and trying to communicate a positive message and build on the, the glow that I used to get from teaching kids and seeing them light up when they were learning something new is similar to the kind of, expressions and interaction you get with people when you're trying to help them improve their cyber security.

It sounds like you're making a really big impact as well, like seeing many, many more schools than maybe just your own school that you're at.

Yes, absolutely.

So we've reached I don't even know how many, but a lot so far already, particularly this term we've been absolutely snowed under with requests.

Not that I want to stop people, you know, we want more.

We want more.

Keep them coming. But, it's been brilliant.

Is that the way it works then?

Schools request you to come and visit, or do you go and proactively contact schools saying we're available?

We don't go directly to the schools themselves unless they've been a victim of a cyber crime already.

In which case, we will offer our services to them, all of which are fully funded, essentially free, therefore.

Which is always a bonus for schools who have limited budget.

I know.

But what we have done is a lot of outreach to try and get the message out to schools.

Brilliant. Okay.

Thank you for that, Claire.

Let's get into it.

This is a teacher tips podcast.

So what is your first tip for teachers?

I actually am going to cheat a bit here, I've got two.

Okay.

So firstly my main thing is that as a teacher you are teaching in what is now a digital age, right?

And it's never been more important for, for pupils and for teachers to understand these concepts of online safety and online security.

So we need to be, as teachers, encouraging and supporting young people to really fully understand that as they go into this life where there's this ever evolving digital world, they've got to have some responsibility for adopting security and engaging in really good cyber behaviours. as part of that.

Both as, potential victims of cyber crime, but also the potential of becoming offenders of cyber crime as well.

So we do actually have on our website a really great list of useful resources for schools, broken down into different phases of education, so key stages.

And those all encourage cyber secure behaviours and ethical use of computing.

The second tip is really...

I’m probably going to go on a bit here because this is something I’m particularly passionate about now but

Everyone that's a user on a school's network now has got a huge role to play in safeguarding that system.

You know, the wealth of information that schools hold as well as the users themselves.

But schools hold information like financial records, pupil safeguarding data, medical data and loads more besides.

So as part of protecting that, one of my major tips then is around passwords and making sure that your password that you are using is long, strong, well protected and unique to your school account.

So by long, strong and well protected, I mean, not written down on a post-it stuck on your laptop, not scribbled on a piece of paper that you keep in your unlocked desk drawer or tucked inside your notebook or your register.

I have seen all of these in my experience in schools.

Me too!

I've seen them with with not not just pupils, but I've seen it with staff as well.

Yes, definitely. All the time.

And even if that device or that login doesn't have access to sensitive data, a skilled enough individual, which could well be a pupil, can easily then leverage or sidestep into those more sensitive and confidential records as well.

And this is all backed up by research from the Information Commissioner's Office in the UK.

They found that over half of the insider data breaches that were occurring in schools, were being caused by pupils and over 29% of insider attacks were being committed by pupils using credentials they had either stolen or guessed because they were a weak password or had found written down somewhere.

So they weren't hacking in, they were logging in using credentials they had found essentially.

So to build strong passwords then, what the National Cyber Security Centre recommend, they recommend using three random words to build really strong passwords that are easy to remember and easy to type as well.

And these passwords need to be 13 characters or longer.

So one example might be London Beach Music.

Now, what we would suggest then is you put a capital letter at the beginning of each word.

But obviously we know that there are platforms out there that will require you to include those symbols, those numbers, when you're logging in.

So what we suggest is that those are done by adding in additional characters for further password strength, as opposed to those substitutions that we know everyone used to do, like an @ sign for an A.

Everyone knows them.

Cyber criminals know them too.

So we need to avoid those kinds of substitutions.

So instead and you know, we have London Beach Music now we could add in a number and a symbol so we could have London 7 Beach $ Music or London Beach 5 ampersand (&) music.

They get a lot stronger the more characters you add on. So it's a brilliant way of creating and using long secure passwords.

One of the things that my students, when I would do password lessons with them would be like, oh yeah, yeah, I've got a really good password, but I use it for everything.

How do you how do you get across the fact that they need to have different, different passwords for all of their different services, though.

There was research done that showed that adults certainly have over 200 online accounts each.

So if we are reusing that same password across multiple of those or all of those, the problem with this is if one of them gets breached, criminals have ways of running that username and password combination.

So then it will be a domino effect of accounts disappearing, into somebody else's control.

So what we suggest then, certainly for those pupils that are on their own devices already, is that they use something called password managers.

You can have apps that do it for you.

You can have it in-built into some devices.

Password managers are definitely a way of creating, so they can create these random strings if you wish to, and save them within a password manager or create your own and save them within the password manager.

So follow that you know three random word guidance, but it means that you can have separate passwords for each account that you are creating.

Each device that requires a longer password, and keep yourself that much more secure should a password of yours be breached or hacked anywhere?

Because we don't want to be letting criminals in the easy way.

So putting stronger passwords on using those password managers, but also turning on two step verification.

I was just going to say that I was just going to ask, like, would you suggest students use that?

Because then often they have to use their phones for two step verification.

And obviously we don't want phones in classrooms.

So in school, that can be harder to put in place.

Absolutely.

And I mean, there are ways around it, two step verification can be done by things like email.

You know, you can potentially set something like a Pin code as well for them to have as the password.

You can use biometrics, but again that requires the devices to be able to do that. That aspect of it.

So it is tricky to put that sort of stuff in place in school.

But we can definitely encourage pupils to adopt those kind of behaviours in their personal life to protect them at home.

And certainly I would say for staff accounts, it's really important to have two step verification on, particularly where they're able to log in remotely, to the site, two step verification.

So important in this case, because we have seen examples of schools and businesses going down where remote access is being, abused essentially and used where two step verification is not in place on that.

In your amazing article that you wrote for Hello World.

Thank you for that.

I liked your statement that said cyber security is a safeguarding issue.

Can you expand on that?

Schools hold a lot of data and I mentioned that before.

So protecting that kind of data, that personal data, that financial data, that safeguarding data is critical, to safeguarding.

Things like multi-factor authentication, that two step verification I was just talking about, things like patching and update backups to, like those technical backups, those data backups, having a decent cyber incident response plan that everyone understands and can follow.

All of those things underpin safeguarding by helping schools to protect the school's management information system and pupil safeguarding data.

Very recently we actually had a school in our area who fell victim to ransomware.

I was talking to the sergeant of the investigations team just last week.

Pupil personal information, including medical records, safeguarding records about pupils and their families and more, has been claimed by the perpetrators, to have been exfiltrated and leaked onto the dark web.

Oh that's terrible.

It absolutely is.

It's not just about safeguarding the pupil data.

We also need to be safeguarding pupil outcomes by ensuring that learning can continue if there's a cyber incident that occurs.

So yes, the data being leaked is awful and that does happen.

But there are other safeguarding risks as well, staff wellbeing being another one.

And I know that doesn't strictly fall under all of the safeguarding legislation, but if you're not safeguarding your staff's wellbeing, then you're not going to be safeguarding the pupils because they won't be at their best to do their job.

In your article, you actually said, I was shocked, you said that 44% of primary and 60% of secondary schools have had a data breach in the last year.

That's, that's terrible.

And if we drill down further into that data, it was very clear from that, I think it was 9 or 10% of secondary schools are experiencing ransomware attacks, which is a lot.

Another real world example.

There was a school in our area, just before the new academic year began, they suffered a ransomware attack and the staff had over half a term with no access to all of their short, medium and long term plans.

They then had issues, obviously, with administering their year seven pupils who were coming in, they had to inform all the parents of the attack and initially they were saying, we don't know yet if there's been any data breach or not, but hey parents, there's been this breach.

And the reputational damage there as well is huge.

What would be your current advice to a school that was experiencing a ransomware attack?

Report it to police, report it to DFE, and speak to your IT, so liaise with your IT provider, to make sure that you have got backups in place.

And actually that's one of the things that I would say sort of pre-ransomware attack is have the right resilience in place so that if it happens, you've got those backups that you can go to, to retrieve that data from, and test that those backups are working because, you know, you don't want your staff to be half a term without access to their plans.

And it is a whole school thing, isn't it?

I think a lot of people hear the words cyber security and assume, oh, it's just the IT teams problem.

But as you've hinted, you know, it's a whole school thing isn't it?

Pupils, staff, teachers.

I think with cyber security people very much often, and this comes from the conversations I've had with schools, they’re like, “oh, well, we are assuming are I.T providers already doing that”.

But if you're assuming you don't know and what the certainly in the UK, what the Department of Education are now expecting of schools is that senior leadership teams will be owning this because it's risk management essentially.

Risk management is what it falls to.

Yes, your IT team will work with you and put in place the technology, the technical bits that need doing behind it to make it all work.

But the risk is, well, as I've said with those stats, it's quite high.

So schools need to be taking this seriously and managing and owning that risk and understanding it.

We both as ex-teachers, we know how difficult it is to make time for training and development in schools.

You know, time is so precious, isn't it?

What's your what's your take on that?

How would you encourage schools to, make sure that staff training is a priority for this?

Ultimately, this is no longer something to just add as a nice to have.

It's a must.

With everything else in safeguarding, staff have to do their annual training and it's a requirement.

And certainly I would be treating this as much the same.

It's a safeguarding risk, so it's got to be a required piece of training.

So it is really, really key.

And at the end of the day again, would you rather have an hour of training or months, weeks, months, days?

However many it is of disruption from a cyber attack.

You know, we say in the UK that, you know, children are not allowed to have more than five days off school, that's unauthorised to go on a holiday or whatever.

But as I've just said from the examples of the cyber attacks, you know, days, weeks or months of disruption impacting pupil learning, perhaps with school closures alongside it, if if we're not letting children have time off for holidays and then we definitely shouldn't be letting them have time off because we couldn't secure the school properly.

There are ROCUs for other regions, aren't there?

So how do how do schools find out is that on the NCCE website?

If you go to www.rocu.police.uk
, so rocu.police.uk.

You can find out where your local ROCU team are.

Fantastic. Thank you for that Claire.

So let's talk about teaching in the age of AI and how quickly it's evolving.

What do you think the impact of AI is on the cyber security in schools?

So AI is a tricky one.

And I know there are some schools are out there that are using it in some really innovative ways to support learning.

But our interest in our team is very much more on the impact of AI on cyber security and attack methodology.

So we know from what we've seen that AI is not, and I'm going to say currently because who knows what's coming, currently it doesn't seem to be impacting the volume of attacks that we are seeing.

But what it does do is it increases the speed of an attack.

So cyber criminals will, if they're looking for somewhere to target, they generally are not targeting a specific place for a reason, unless it's a revenge piece or anything like that.

What they will be doing is scanning generally for any vulnerabilities.

AI makes this much easier, it can be automated.

But also once an attacker or the AI has found this vulnerability and the attacker has been able to breach the system, they can then use AI to analyse what they find inside the system.

So identify patterns of behaviour that they could copy or exploit.

They can find vulnerable pathways, or logins, or devices, or network locations that they can get into to navigate elsewhere, or to access sensitive data or whatever it is that they're trying to do once they're in.

So that's the bit that the AI is making faster, rather than the human having to do all of this exploration, the AI is able to compile and analyse that data much more quickly, meaning that the criminal can then carry on with their attack.

Okay.

So our advice then is very much still on the defensive side.

If you get the basics of the cybersecurity defences right, you're making it harder for AI to find vulnerabilities because they simply won't be there.

Criminals want, they want an easy target, right?

They want an easy life.

They don't want to put effort and time into it, into breaching the systems and accessing all of that, make it difficult for them.

Make it harder so they won't target you.

I mean, the only kind of comment I have on that is that, we've recently written some, lessons for OAK, and we've been talking about, students using AI and chat bots.

And one of the pieces of advice we've been giving them is to make sure they're not revealing, you know, personal or private information via a chat bot because you don't know where this information is being stored.

Yeah, like you said, it's all about the basics. Getting the, physical security and spotting signs for social engineering and, you know, passwords, great passwords.

Always good passwords.

Social engineering is is such an art and can now be done by these chat bots.

And they'll be asking for your handle, your intro, a bit of personal information, tell us about yourself.

I really would hope that any students of mine would spot this and you know, a big red flag would be, appearing.

You'd hope so.

Yes! This stuff happens.

When it comes to safeguarding.

We also need to be safeguarding pupils from committing computer misuse offences.

Certainly in the UK this falls under keeping children safe in education.

And we have the Cyber Choices program which is an intervention program within policing.

Which helps.

It's a, it's a brilliant program I used to work for it, as I said earlier, and it involves police officers having informal conversations with young people and trying to divert them towards using any skills and interest that they have in cyber, I suppose, attack methodology or anything like that and put it to good use.

So turn it towards legal use rather than illegal use.

And I think that's what sort of education around the Computer Misuse Act is so key, because this is technology that the kids are interacting with.

We need to be teaching them, I mean, the curriculum for computing in the UK as it stands currently says, you know, we will be bringing these children up to be responsible users of IT.

But if we're not teaching them about the legal rights and wrongs, then we're not doing that are we?

Absolutely, yeah, it's such a small part of our curriculum, I feel, personally.

I think in GCSE there is you know, a tiny little bit about network security, but apart from that, you don't really learn about it at all, apart from perhaps a little bit in PSHE lessons, so it's something that I'm hoping gets addressed in the, in the latest curriculum reform that's coming out. Yeah.

And actually on our, on our Cyber Choices pages on our website, there is a lesson plan that can be used with, sort of 10 to 14 year olds, around the Computer Misuse Act.

And it's really, really worthwhile looking at, if that's of interest to you.

And if it's something you want to throw into a PSHE lesson, to do it a bit differently.

But there's also resources, online from the National Cyber Security Centre.

So they have, something called Cyber First Navigators, which is well worth a look, as well.

Another added benefit, I guess, is if we can teach the young pupils about good password cleanliness and things like that, they can then teach their parents and their grandparents when they get home.

So then it hopefully filters out from what we're teaching in schools.

It's so important.

And I ask them to take it home and teach their parents and their carers and the other adults or their older siblings how to do this, because, as I say to them, I'm willing to bet that not all of your parents are using secure passwords and having a unique password on each account that they've got.

And we do actually have a tool that will support this.

And we send flyers out to schools as well.

And this is our police cyber check tool, which I cannot recommend highly enough.

There's three tiers within it, so foundation, improver and enhanced.

And each tier has a few actions within it that you can take to make it harder for criminals to get access to your accounts, and the harder it is for them, the less likely they are to target or turn you into a victim.

Brilliant.

Thank you so much for that, Claire.

It sounds like you're really enjoying your career in the police.

Does it sometimes feel like a, Does it sometimes feel like an uphill battle, though?

You know, like a game of whack a mole trying to, like, stop the threats before.

Before they appear? It does.

And it seems that as much as we try to get people to change their behaviours, and as much as we tell people this is what we need you to do, the problem we've always come across is that people will say then and there, oh yes, I need to make these changes.

They walk away from the session and it gets forgotten about, put to the back burner until they become a victim of an attack, and then it suddenly becomes very important.

And obviously we don't want people to reach that point.

We don't want attacks to happen.

We want to stop them before that.

Well, hopefully the podcast will be broadcast far and wide, and people will be joining your websites and having a look at your resources as soon as possible.

I really hope so.

Thank you so much for joining us today Claire.

Thank you so much, Laura, for having me.

It's been an absolute pleasure to share what I know.

Well, that's it for today.

I hope you found today's discussion useful.

And we've given you some practical tips to use in the classroom.

See you next time. Goodbye.

Thank you Laura.

You can check out the full version of Claire's article in the latest issue of our Hello World magazine, which is out now.

And whilst you're at it, if you haven't already, head to head to helloworld.cc to subscribe, explore our back issues and listen to more episodes.

What are you waiting for?

That's it for today.

But Laura will be back in a few weeks discussing practical tips on teaching online safety and security in the classroom with Chanel Belvin.

Thank you for listening. Goodbye.