Schools and cyber security guidance
In the last few weeks, there's been some discussion on the DfE's "Cyber Security Scorecard" in the education press. More accurately, the discussion has focussed on the absence of any such scorecard in the light of several cyber security incidents this September.
It's no secret that the education sector is plagued by cyber attacks: we consistently top the charts on Microsoft's Global Threat Activity dashboard with around 80% of all reported malware encounters. IT teams in education run on threadbare budgets, often operating under significant pressure and overseen by education or finance staff with little understanding of what a technical team needs to be successful. This isn't a slight against those professionals, merely an acknowledgement that a successful career as a teacher and then senior leader in a school doesn't provide the knowledge needed to create an environment where your IT team can succeed.
Some schools outsource their IT function altogether and, while that's a very sensible decision for small schools without the scale to run an in-house service, it doesn't really guarantee an improvement. In fact, most of the successful phishing attacks that I see from other schools come from schools with an outsourced IT function. I've taken over networks from outsourced IT companies where every single staff user had domain admin access to the network.
So it's clear that we have a problem. In my view though, it's not one of insufficient guidance. The DfE may not have launched the promised scorecard, but in October of 2022 they published the Cyber security standards for schools and colleges. These are part of a growing set of standards that give clear benchmarks to help us assess what we do. The NCSC also provides a library of resources to help schools understand and improve their cyber security position and has been publishing such advice for years. We have tools such as Mail Check, Microsoft's Secure Score, Google's security checklists, schemes like Cyber Essentials, and a raft of offerings from companies building and selling security products and services.
Another tool to assess our current position isn't going to achieve anything that previous tools (particularly the DfE standards) haven't already. If anything, I can see it being a distraction.
I wrote a piece for the ANME back in January of this year making the case that the DfE standards were an excellent tool to help raise the discussion around technology up to the level of leadership & executive teams. Your IT teams can't make much progress if the leaders in their organisations don't see what they're doing as important. Initiatives will be delayed, other projects will take precedence, over and over. If the implementation of Multi-Factor Authentication is on hold now because of other more pressing issues, it's likely to stay there.
Cyber Security is one of those classic "important, but not urgent" things, right up until something happens and it's too late. We need to create the space for these important tasks before the urgency comes calling. As a sector we have the guidance, we have the standards, it really is time for us to get to work.