Lessons from a Ransomware Attack

This isn’t my usual kind of blog. It’s about how our school responded to a ransomware attack and what we learned. As it turns out, not everyone talks about this so malware attacks on schools may be more of a problem than many of us realise. 

We first noticed attack on The morning of 17th July when we found that several documents on our fileserver were encypted. It seemed at first that only some files on one server were affected, then it became apparent that files on another were also encrypted. We decided to shut down all our servers to halt any spread of an infection. This of course meant that the school had no ICT facility: teachers had no acesss to lesson resources, and there was no access to our information management system.

Our excellent ICT team identified the ramsomware as ‘.Aleta’ and discovered that the infection had occurred at around 6.30am on the previous Saturday, 15th July on a server used by all the schools in our academy group, despite our use of security software. The finance serWe later learned from the police that this type of malware is most frequently spread by remote desktop access protocols.  Our ICT team worked all that day and the next to wipe the system clean and restore files from a full backup made on Friday 14th July. As a result we were only without ICT for a day, although some facilities were only restored on the second day. 

We warned the schools in our Multi-Academy Company and other local schools. We weren’t using email, so we did it the old fashioned way, by phone. It was quite hard to talk to a human being at some schools!  We reported the incident to Thames Valley Police who also urged us to report it to Action Fraud, who coordinate with the National Fraud Intelligence Bureau. In reporting this attack, I learned from the police that not everyone does so, or chooses to report the details to Action Fraud. I can only speculate as to why this is – perhaps they don’t want adverse publicity, or to indicate that there may have been a vulnerability in their systems. Presumably a proportion of victims pay, or why would such attacks continue?  It seemed to us that adding our small piece of the jigsaw to the database of such attacks was the only way we could help tackle them. Action Fraud told me that the perpetrators would undoubtedly be based overseas and there was little chance of bringing them to justice in the short term, but thanked us because every piece of additional information helps build a picture of this type of criminal activity, providing insights into how to counter it. Reporting the details of the crime also enabled the police to give us specific advice on how to deal with it. We didn’t need this help because we had a recent backup we could use to restore our system, but the police do have a database which can be used to decrypt many files affected by such attacks.

We did not contact the authors of the malware and we certainly didn’t pay a ransom, nor would we. Quite apart from the obvious moral argument about paying criminals and so helping fund and encourage their further activities, to do so seemed foolish in the extreme, We didn’t open any of the ‘ransom’ files placed on our network, but found screenshots of the instructions they contained on the internet. We weren’t asked for a specific amount but told that the fee, in bitcoin, would depend on how soon we responded. In exchange for payment, we would be sent a file to unlock the encrypted files. Deliberately launching an executable file sent by criminals didn’t sound like a good idea!

  

Lessons we learned

  1. This is what a critical incident plan is for! It’s essential to have a plan in place to cover the network going down – for example hard copy contact details for pupils, so you can contact home, and of the timetable so you know where everyone should be. Think about how often you access school information on a computer – how would you get that same information without a network?
  2. It pays to back up your network. For our school, a regular backup protocol meant that we could restore our systems and suffered only minimal loss of data. For teachers, the message is to also back up your own files, and keep the copy away from the network and the school premises. We all know this, but do we all do it?
  3. Remote access is used by many schools and can be a real help to staff. Remote Desktop Protocols are a known chink in the armour of network security, however, so how confident are you that you are protected? It’s worth checking.
  4. If it happens, it’s really worth reporting it. It helps tackle this kind of fraud, assists others, and also allows you to access help and support.
  5. We were fortunate in having a team with the expertise to deal with this situation. Are your IT team prepared? Is there any training you need to provide?

I hope that this doesn’t happen to your school and there’s no reason to think schools are particularly being targeted (who would think schools have money?!). It’s best to be prepared though, so I also hope this account of our experience will help others. I’d be interested to hear from other schools who have had similar experiences.

    Action Fraud can be contacted on 0300 123 2040 or via their website www.actionfraud.police.uk which also has a wealth of up to date information on Fraud and cybercrime.

    Advertisements

    Down to Brass Tacks – What Really Makes a Difference?

    Earlier this Month, Steven Tierney (@LeadingLearner) wrote a ‘Saturday Thunk’ post about focussing on priorities in the New Year:  Stop Wasting Time. In it he used the phrase “It’s down to brass tacks on this one.” that got me thinking about the things I think really make a difference. Those aspects of the sharp end of teaching that make a real difference to students and staff, and so turn a vision into a reality.

    Here’s my list. It isn’t about vision, or the ‘big picture’ but rather the things we do that stem from our vision as a school and that I believe are driving improvement day-by-day.

    Attendance:

    • Daily late gate with same-day follow up
    • Call home within 1h of unexplained absence
    • Tutors enquiring after absent students

      Progress:

      • Frequent quality verbal feedback to students
      • High Quality written feedback to students
      • Dedicated improvement & reflection time so students can act on feedback
      • Differentiation including both support and challenge
      • Planning and teaching that responds to student need
      • Targeted support to students with specific needs

        Quality of Teaching:

        • Concern for health and wellbeing of colleagues
        • Collaborative working within and between teams, focussed on a desire to improve outcomes for students
        • Numerous regular opportunities to engage in CPD


        Wellbeing & behaviour:

        • Daily contact with tutor
        • Relationship with teachers – starts with welcome at start of lesson
        • Ready access to nurse / counsellor / chaplain
        • Consistent recognition of achievements
        • Modelling of expectations by staff
        • Consistent use of consequences system
        • Immediate follow-up of incidents by Relevant staff

        Doubtless there are other things that could be added to the list – I’d welcome suggestions of other elements readers think make an impact.

        At the moment our focus at school is to persist with these and to develop other areas including more effective use of collaborative learning in lessons; a future addition to the ‘progress’ list, I hope!

            Let it Go – Achieving a better work-life balance.

            I wrote my original post about using Brandon Smit’s self-regulatory technique to improve work-life balance on 7 January 2016. I updated it at the end of February with my reflections after 6 weeks. In short, I’d really recommend giving it a go.

            Last year I wrote a post, Getting the Better of Email, about my attempt to deal with email more efficiently (it’s going quite well, thanks for asking). In that post I also mentioned planning my day in 15 minute chunks so that when the unexpected occurs, it only derails what I had planned for a few of these chunks.
            The problem is, what to do with the work that gets derailed? I have to reschedule it and sometimes that will have to be for another day. I often find however that it’s thoughts about this planned-but-unfinished work that intrude into my downtime or prevent me from getting to sleep.

            I recently came across this research paper by Brandon W. Smit,  reported in the British Psychology Society Research Digest here that looks at the effectiveness of a simple technique for dealing with this type of difficulty in ‘detaching’ from work.

            Smit asked workers to create plans of where, when and how to resolve goals they had not yet completed at work. Adapting this for teachers this could be:

            “I’ll go into work tomorrow and after morning staff briefing I’ll collate the data I need so that I can complete the CPD evaluation requested for the Governors’ meeting.”

            He found that for a subset of his participants, those high in job involvement (sounds like teachers to me), this simple planning technique increased their ability to detach from work when at home to a statistically significant extent.

            Putting this together with my previous post, I’m going to start the New Year by using the following elements to try and make a clearer work-life boundary:

            • Segment work tasks into 15-minute blocks, or multiples of them.
            • Define clear goals for each of these work blocks.
            • At the end of the day take stock of the goals I have successfully met and any that remain incomplete.
            • Use Smit’s suggested planning technique to decide when, where and how I’ll deal with unresolved goals.

            February 2016 Update

            I’ve been using this idea for about six weeks now and it really does seem to make a difference. Ending my working day by reviewing what I have achieved and writing a single-sentence plan on how I’ll deal with incomplete tasks or unresolved issues does seem to allow me to detach more from work so family time can be family time. I’m also sleeping better – I no longer lie awake thinking about work issues and the number of times I wake up in the night with work thoughts has reduced to only two occasions in the six week period. It’s also helped me be better organised and more able to prioritise.

            The technique doesn’t, of course, reduce the workload, so it hasn’t stopped the fatigue that comes at the end of a hard day! Nevertheless, I’ve found that using this simple exercise each day has made a real improvement in my work-life balance.

            As ever, I welcome your thoughts and comments. If you decide to give this a go, it would be good to hear how it works out for you.

            Don’t Call It Appraisal – Building Better Performance Development

            No, we don’t call it appraisal, and we try not to use ‘performance management’ either. One  of my responsibilities at school is to organise the annual performance reviews for teaching staff. We take he view that the primary purpose of this exercise should be developmental – we aren’t just measuring how well teachers do their job but learning what works best and using objectives to develop our practice as teachers in order to secure better outcomes for children. We also use reviews as a great opportunity to say thank you to colleagues for their hard work and commitment over the past year.

            This year I have given a lot of thought to how we can better align school priorities and the requirement to base performance reviews on the Teaching Standards with the objectives for each colleague. We have linked objectives to the standards since 2012 (using a facility within the School Aspect online management package we use), but for 2015-16 we have chosen to link a couple of objectives, which align with school priorities directly to teaching standards. 

            We have three objectives for all teachers and a fourth for those with a TLR post or on the Leadership Team.

            A. Promote good Progress and Outcomes by Pupils. An objective focussed on elements of this teaching standard and linked to the levels of progress of pupils in a group, the size and nature of which depends on the role of the teacher.

            B. Teaching to Meet the Needs of Pupils. An objective focussed on elements of this objective and designed to improve the progress and attainment of disadvantaged pupils is a school priority. This objective is to close the gap between disadvantaged pupils (i.e. Those who receive the pupil premium) and their non- disadvantaged peers. Again, the size of the group depends on the responsibilities of the teacher.

            C. A personalised CPD objective derived from the teachers self review against the teaching standards and reflection on the past school year. This may derive from the review of objectives from the previous year or from an NQT final assessment. In some cases the development area may be proposed by the reviewer.

            D. A leadership objective centred on an area of responsibility dependent on the teacher’s role. St Gregory’s is a faith school and this objective aligns to one of four areas:

            • Spiritual Capital
            • Mission Integrity
            • Partnership
            • Servant Leadership

            For each of these objectives we record the key actions, intended outcomes and timescale. We also agree the success criteria and evidence that will form the basis of the review. CPD requirements for fulfilling objectives are also recorded. There is an interim meeting part way through the year to check progress.

            That is what we are planning for this year. I’m interested in how this compares with what other schools do and welcome any constructive comments.

            Lesson Observation Feedback

            This was my first post, originally written in November 2014. Following a request, I added an update in April 2016. 

            Lesson observation is a contentious topic. Is it unduly stressful? Should it be graded? Is it even valid? Recently,  I have been trying to give more effective observation feedback. This is in part prompted by Ofsted’s move not to give grades. I have also reflected on training I and colleagues received from Ofsted inspector Mary Myatt.

            Observations are important and one part of the range of evidence informing us about the quality of teaching. I believe it’s most important role is developmental, as a tool to improve teaching rather than just measure it. I therefore tend to the view that giving a grade in feedback can distract from an effective pedagogic discussion. However, I think openness is important: is it right to form a judgement but not communicate it to the teacher? I believe the answer is that single observations are valid but do not in isolation have sufficient reliability to justify a grade. That reliability comes from cross-referencing a range of evidence. A grade can justifiably be attached to this evidence in its entirety.

            However reliable an assessment of the quality of teaching is, it can’t of itself improve teaching. Feedback with the teacher has the power to achieve this. I have found training by Mary Myatt has helped improve feedback I give in the following ways.

            1. Starting with an overview of evidence used to determine quality of teaching, that observation is only one element, although the one where we feel most under the spotlight.

            2. Not using “I” other than in “I noticed…” So as not to give the impression that feedback is based merely on personal opinion.

            3. Greater use of questions and take up time to encourage the teacher to reflect (e.g. What was the intended impact? What could have been done there?).

            4. Providing more opportunities for comment / challenge from the teacher (e.g. Does that seem a reasonable commentary?)

            The extent to which these changes will lead to sustained improvements in teaching remains to be seen,  but there are some positive indications:

            – Feedback conversations so far do seem more focussed around pedagogy.

            – There is a greater openness about observer effects. It is also easier to view these in context when considering a broad range of evidence.

            – Conversations have reinforced the importance of responding to pupil needs within the lesson, including giving sufficient time, in the face of pressures teachers may feel to cover curriculum content at all costs.

            I hope to return to this topic when it has been possible to assess the long-term impact of the changes in the way I and my colleagues give feedback.
            April 2016 Update

            My opening paragraph reads like a piece of history now! No-grade observations are now the norm at my school and, I think, most others. The benefits I listed originally still hold true and I think conversations around teaching really have shifted to being developmental and much more productive. There is now an appreciation among SLT and subject leaders that reliable judgments about the quality of teaching and learning should be drawn from a wide range of evidence. Observations are an important element, along with work scrutiny, learning walks, analysis of progress data and student voice.  We have worked harder to tie our focus for evidence gathering more tightly into our school improvement priorities with a specific focus each term. Recently these have been the quality of feedback to students & opportunities for them to act on it to improve, and meeting the needs of disadvantaged students.  We are now working to improve the quality of feedback that we give colleagues following learning walks.

            I welcome comments and it would also be good to hear about how lesson observation feedback is used in other schools.