Transcript: Cyber security begins at school

The words ‘Transcript: Cyber security begins at school’ with ‘Cyber security’ highlighted in yellow and the other words in white, against a lightly blurred shot of the back of children’s heads in a classroom. A teacher is visible at the front, standing in front of a whiteboard.
(Image credit: Future)

This automatically-generated transcript is taken from the IT Pro Podcast episode Cyber security begins at school'. We apologize for any errors.

Rory Bathgate

Hi, I'm Rory Bathgate.

Jane McCallion

And I'm Jane McCallion.

Rory

And you're listening to the IT Pro Podcast, where today we're exploring how the education sector approaches cyber security.

Jane

Cyber attacks can be one of the most damaging things that can happen to an organization. Whether it’s a data breach or ransomware, falling victim to an attack can be extremely costly and disruptive, and knowing how to react in the moment is as important as knowing how to prevent one.

Rory

Despite this, businesses continue to struggle with keeping employees engaged with cyber security training. In its 2022 cyber security skills gap report, Freshworks noted that 80% of organizations across the world suffered one or more breaches that could have been prevented with adequate cyber security skills. With adults apparently not grasping the importance of cyber security skills, there is a growing argument for introducing them to people while they’re still at school, to ensure no one goes into the workforce unprepared for the threats they may face.

Jane

Today, we’re speaking to Matt Lorentzen, principal consultant at information security consultancy Cyberis, to explore how we can effectively instil cyber security best practices through the education sector and why simulated attacks could be an effective method through which common attack vectors can be taught. Matt, thank you for joining us.

Matt Lorentzen

Thank you for having me.

Jane  

So what can be done to prepare people for cyber threats from a younger age? And how young are we talking?

Matt

Well, it's a difficult challenge, because obviously schools embed technology now all the way through to early years. So it's not uncommon for children 4, 5, 6 years old to be interfacing with computing and having digital identities, managing workloads, interfacing with learning platforms, etc. So we really are talking about people introduced to computing at a very early age.

Jane  

So there's no such thing as too young, then? Like, when we're introducing children to technology, whether that's your kind of early years or foundation stage, should we be thinking about, at least at some level, introducing cyber security skills and training in the lightest sense of the word at the same time?

Matt

Well, there are some initiatives, actually, that people are pushing forward with trying to introduce safe operations online through the use of like early years books, and trying to sort of cover some of the topics about how you interact with people online. But I think fundamental security principles like password management, and what it means to control identities, that's very, very difficult for education establishments to try and embed. You generally see maybe some of the impact of the responsibilities of those credentials being brought in, in secondary school education. It's not uncommon for primary school students to have access, but at the end of the day these are children. And the primary goal of embedding technology in school is really to facilitate learning. And so a teacher that has a classroom full of students, and they're trying to get them to put in some randomized character password to log into the solution is actually restrictive to the goals of the lesson, which is to get people on to a learning platform and start interfacing to support the curriculum. So it's a real challenge. I mean, technology is embedded in every subject now, it's not uncommon for schools to use a number of third-party services to support, assessment, math development, even introduction to things like programming, and all of these platforms require a credential, login, and using solutions online. So password management and understanding that is a real challenge. That's kind of where you see a lot of the threats, because it's not uncommon for an account to have a password which is shared amongst a number of students. It's much easier for a teacher to have something which is the school name, or ‘welcome 123’. Because at the end of the day, the goal is to be able to get people to use the platform, and best practice cybersecurity probably falls by the wayside when you're trying to meet that objective.

Rory

It strikes me that increasing numbers of schools are adopting things like internal email. I mean, at my school we weren't put onto the email system until we were in Sixth Form, but I know that's getting younger and younger. So do you think that there needs to be maybe a broad range of cybersecurity best practices brought in with those systems as well for students?

Matt

Absolutely. I mean, we've seen schools now largely, if you look at them, both primary and secondary, and I think you primary is a particular challenge because of accessing the user base, but even in secondary schools they're using technology which mirrors business, essentially, they're all using cloud platforms now. Office platforms, Google platforms, and that's just the direction of travel. I don't see that changing at all. What's different now is that those are really digital identities these days, and the control of those platforms is really around the internal teams understanding what they want children to have in whatever area. So your Microsoft Office 365 account will give you access to an email solution, and it will allow you to chat with peers internally and share documents in and out. So you know, these things are very much mirrored towards business. The challenge is that it's not as easy to implement some of the controls that businesses put in place. For example, multifactor authentication - one of the conversations I have frequently with people is, “Okay, we know that best practice to protect cloud identities is to implement a secondary factor authentication mechanism like a phone. How do you implement that in a classroom?”. I mean, it goes against school policies, in some cases, for students to even use their own phones, the logistical challenges of being able to implement some of those best practices are very, very difficult to solve. And because of that, they find themselves in this position where it has to be on a kind of a ‘best endeavors’ perspective. It's also worth noting that these are children, and you would expect them to choose weak credentials. And so an attacker only needs one of those instances to then almost become part of a school community, and start interacting with other children or you know that the impact of those types of breaches are significant, really. So it's a really difficult challenge to solve. And then yes the argument is, well, you educate students to be able to choose better passwords, but then that also has a logistical challenge. And, again, the purpose of these platforms to support learning. So if a student gets locked out of their account, how do you facilitate them being able to interact with the lesson and then secondary challenges appear when you try and raise the security bar.

Jane

Yeah, I think all of us would be going out of our minds fairly quickly if we were a teacher and had “Mr. Lorentzen, I forgot my password again”, every third lesson.

Matt

Absolutely. I mean, I've worked in schools. So an IT suite full of people trying to even get on, particularly at the primary level, making sure everybody can log on, everybody's at the same starting point. That's no mean feat in itself. And you know, you can be darting around everywhere just to get people to the point where you’re trying to adopt your lesson plan. So it's a real challenge. But bringing it back, I think the cloud aspects are really interesting because obviously I live in that cyber security world. So I understand the impact of what it means to have an Office 365 account and what you can do with it. But sometimes that kind of gets missed, in that these are now global identities available everywhere all the time essentially. You know, that unified access is a real responsibility for any user, regardless of age, really.

Rory

We've talked around it a little bit, but I'm wondering if you're talking about getting students more engaged, and particularly if you're talking about instilling the kind of best practice that you'd hoped to see reflected in the workplace, what kind of activities, simulations are we talking about here that can get students engaged?

Matt

Well, from a student's perspective, I think people are interested in cyber security as a career. And as I said, I've worked in schools so I know that students are very interested in trying to break things. They are interested in the nuts and bolts, and it kind of appeals to that rebellious nature. So you know, having a good engagement with the student workforce, and trying to identify where people have that interest is good because it's a viable career for them. I think it's important to understand that we can't put all of the responsibility for the security of a solution down to the end users, regardless of whether they're students or teachers, we have to devise the systems so that there is always a secondary control in place that can underpin the failure of a first. That's bringing me back to my example of multi-factor authentication. That's where there are significant challenges, because that would be a great implementation for the control of accounts if a username and password was discovered. Or shared inadvertently, or somebody saw somebody else typing it in because the implementation of the multifactor requirement would mean that the impact of that would be less. We don't have those controls here. So the only thing solution in some parts is monitoring, and I think you have to look at what's the risk, and where do we have controls. I think it's fair to say you have more control over staff accounts, and implementing more stringent controls around how they interact with stuff. But the student population side of it is always going to be a challenge. And I don't actually see that there's a simple solution to that.

Jane  

Because even if you roll out, say, RSA tokens or something - having been a child and teenager in the past - that would have been immediately lost, like, almost the second it went in my bag.

Matt  

Exactly. It's the new spin, isn't it, “I'm sorry, I couldn't submit my homework, because I lost my RSA token”. And those things are gonna get lost, broken. Again, all of these best practices can in some senses be a barrier to that productivity, which is underlining all of this in the first place. I mean, now the modern environment is students do submit email to teachers, coursework is submitted and teachers share, particularly in secondary school, through learning platforms, and work and resources are shared. So you know, becoming part of that community as an attacker provides you with a wealth of opportunities to, you know, interact with people that you definitely wouldn't want attackers being able to interact with, or potentially providing routes further into the organization, maybe even pivoting from cloud environments onto the internal environment. So the significance of students with an Office 365 account, or a Google account, or insert your favorite cloud provider is a challenge, essentially.

Jane

Let's pursue this a little bit this sort of a little bit more. When it comes to schools facing cyber attacks, are they under particular risk? And are they being targeted because they are schools or just because we're targeting everybody?

Matt

I think it's a bit of both, I think it's fair to say that the COVID pandemic, definitely pushed people more towards cloud adoption quickly because it was the same with business you know, we have to provide that. And attackers know that the benefits of cloud are it's more ubiquitous access to people, so there's potentially more routes into an environment that way. We've certainly seen in the last couple of years an uptake in attacks directly at schools, and I think that's largely seen because they're seen as soft targets. The benefit of being able to compromise a school environment for essentially deploying a ransomware attack is that that data is really important. And the disruption to that is quite an allure for attackers. And so we have seen, certainly in the last three years, this rise in schools becoming compromised and attackers using the data that they have access to as a blackmail tactic, essentially, to try and get schools to pay out. And because of that, we've seen more of a national conversation around it. The NCSC have started putting out warnings over the last couple of years about “these are things that you need to prepare for”, we're seeing this more and more and more and more. And as I said, because the technology mirrors business in terms of an attack path, they're very similar. So you know, the impact against the school being subjected to a ransomware attack is more significant because of the data that they hold.

Rory

When I was in sixth form my school was actually hit by ransomware attack, and the whole school network was encrypted. Luckily, we had an on-prem backup, but there was no follow-up from that is something that always strikes me when I think back on that there was no real school-wide discussion around what that was, and why it might have happened. If the only information that was really shared was if you know, asked teachers directly or you already happened to have an interest in what exactly had gone on. Do you think this is as much a maybe a transparency and a communication issue as it is a technology issue?

Matt

Well, it's changing now. I mean, according to the ICO a breach is a breach, it doesn't matter what type of organization you are. I know there's that responsibility to disclose that. And so we're seeing more and more reports about how these environments are getting compromised and what that means. I think you did a piece on your website last year about the Harris Foundation, which was a particularly significant breach, in the sense that they tried to develop some dialogue with the attackers. And there's various news stories around that. What's interesting out of that is the impact, the emotional impact on the affected students because the attackers were threatening to release personal details of the student population onto the dark web. And so you have all of these kinds of secondary outcomes now from these attacks, which are difficult to manage and I guess it's an emerging problem for schools to deal with that they're just not really prepared for historically, this adoption. And I also think maybe there's a bit of complacency, like most people used to think “Well, why would anybody attack a school?” I mean, I've had these conversations with people historically, “Why would anybody attack us, we haven't got anything”? Well, that's actually in my perspective, that's the wrong attitude to have because there's always some level of data. And in schools’ cases, it's very important personal data. You may not have a widget, which is your business USP or any of that but attackers don't care about that. This idea of restricting access to what it is that allows your organization to continue to function, removing that and then forcing you to try and pay money applies to schools as much as it does to normal businesses. So I think it's an emerging conversation but to answer your question directly, I don't believe that they are prepared for the types of attacks that we see, certainly through my daily work with Cyberis if they're not prepared for that type of attack target. And so I think, unfortunately, we will continue to see this trend towards trying to compromise environments and deploy these types of attacks for monetary gain.

Jane

What is the, or do we have any insight on, the profile of somebody who would be targeting a school? You know, is it sort of ‘former student with a grudge’ or, I don't know, this is the only person I can think of or somebody who doesn't understand ROA when it comes to choosing your targets for extortion?

Matt

Any of the above really, it depends. We kind of classify attacks, when we're delivering simulated attacks, it generally falls into insider threats or external access. The insider threat can cover somebody that's been compromised directly, and they're not aware of that and they have access, or somebody that's deliberately gained access through a job or whatever. And you'd be surprised how often that actually happens, where you know, attackers go and get jobs at places that they want to compromise, because why spend all of his time trying to go against stringent external controls when actually I could just become part of the organization? So you know, we see these types of evolutions, but then we have the sort of external attacker groups really. And essentially, I think, it's not difficult to determine through enumeration the types of technologies that any organization is actually using. And from that, you can make a judgment call as to whether you think that that would be a viable attack target. It depends on routes, I wouldn't like to say that all of these attacks come from disgruntled pupils. But certainly, you know, the focus is being able to gain a foothold, elevate through the privileges that they can identify, and then essentially gain some level of administrative privileges to be able to disrupt the functioning of the system for monetary gain.

Rory

We've talked a lot about primary schools and secondary schools. But I'm wondering how this also fits into higher education. I mean, with a secondary school as an example, there is a mandate for a certain level of IT training. And I know that that does vary by institution, but most students go through at least, I think a few years of ICT, computing is definitely on the rise in secondary schools. But obviously, if say at university, there's no requirement to take cyber training and cyber courses in addition to your chosen subject, do you think something like that could be good or a different approach?

Matt

I think we have to be careful that training is the only solution to the problem really. Cyber training is good, and I'm sure you've had to go through your various roles. I know I have, and I'm a security professional. And it's generally best practice, to choose good passwords, make sure you have good backups, and don't click links. I'll come back to that in a moment. You know, if you receive an email from somebody that you don't know, make sure - those are the pillars of how we try and make people aware of the types of attacks. The reality of it is that all of those things can be circumvented. At some point, I could develop an attack chain that would require you to appraise whether something is legitimate or not, and then once you believe that is legitimate and you interact with it, then that is the beginning of my process. So I think that goes all the way through, I think there is an awareness piece that we need to make sure that people understand. And it is that responsibility that they have for this identity, it's not just a username and password you are a piece of the organization, you become a digital component of an organization. And therefore, understanding what you have access to and your responsibilities for that are really important. Maybe a good way would be to showcase more attack chains and how this stuff is possible, I guess that's probably lacking. I presented at a conference not too long ago, a MAT conference, and I took that approach. I said, “Okay, I'm going to show you what happens when the finance department receives an invoice that they weren't expecting, but the pretext of the phishing campaign is relevant” and what that means. And when you start showing people that an attacker can gain interactive session in the context of you and its impact, stuff like screenshots of your desktop, or it's capturing your keystrokes. That's I think, when it resonates with people, this idea that compromised from a phishing attack as an example, and clicking on that thing that you weren't quite sure of, can lead to a pathway that then becomes significant disruption for you or even worse the whole organization. So I don't know whether we demonstrate the attack chains enough. But certainly, I definitely believe that training is useful for keeping the conversation going and making people understand what their responsibilities are. But I don't think that it's the full picture in terms of how we can improve this attack surface.

Jane

You mentioned, a moment ago, simulations. Should we be having within schools a drill, a cyber attack drill in the same way that you would have a fire drill or a lockdown drill or whatever that is for the teachers and for the students as if it's happening?

Matt

Yeah, well that's exactly the purpose of red teaming and simulated attack. And so we work a lot in government and there are various schemes and frameworks that mandate this sort of stuff, and control how it's delivered for the government or the Bank of England finance sectors. There isn't anything for education at the moment that really does that, but that is exactly it. So red teaming is the simulation of an attacker targeting your organization and looking at pathways through that. Sometimes that can be through phishing, and we start from a point of phshing so organizations will say, we just wanted to have a full end-to-end scenario. And we want to see where those steps are possible, but the real purpose of red teaming is actually to understand where your detection points are, where you have opportunities to respond, and what that gap looks like. So we really are trying to exercise that response. So to take your example, a simulated attack would be either a staff account gets compromised, then how does the IT team see this playing out internally? What opportunities do they have to stop it? At what point do senior leadership need to be involved in these instances to make decisions? Maybe they're like, look, we need to pull the plug on the internet here. Because you know, that's a that's a problem. So there are all kinds of internal management structure and these incident response plans and playbooks are well versed in other industries, but that sort of set fire to it, see what burns and how quickly you can put it out doesn't really exist in education to my knowledge or, in fact, any testing, really. We have some appraisal schemes about good practice around edge controls and stuff. But penetration testing or any sort of simulated attack against the education sector isn't really a thing at the moment.

Jane

Do you think that it's down to resources? So I'm thinking not just money resources, but obviously, time resources. I think most of us are aware of the fact that teachers are, their job is not just from when you drop your kids off to when you pick them up, it carries on and they work during the holidays and so on that really kind of throwing the idea of doing a cyber drill red teaming thing at them, it's gonna be like, “we're fine. We'll deal with it”.

Matt

Well, absolutely, I mean, that is it's more a school leadership requirement really. I think in these conversations now we found that they have sort of bubbled up to senior management responsibilities. I mean, actually, if you read through some of the academy handbook stuff which determines how schools are funded through the DfE, and into the trust, there's clauses in there for musts and shoulds. That's how it's determined as to what, you know, constitutes your funding agreement. And, you know, last year, there were some changes to say you must be aware of your cyber security posture and understanding now, so this is elevated to the point of, it's actually a responsibility of the school to understand this sort of stuff. I wouldn't say it would be the teachers, it would actually be the IT teams and the people governing the operations of technology in the schools that would do that. Now, sometimes when we interface with clients, there's only a small number of people involved in that way on a need-to-know basis. And then the idea is that you have a true representation of what the response looks like. So there's all the logistics to be able to deliver this sort of stuff within schools. But ultimately, I don't really see how else you can exercise those security controls without some form of testing. And we've proven this, we partnered with an academy. And we ran a pilot project where we said, look, we work in all of these different sectors. This is our thesis that schools, we feel that schools would benefit from these types of attacks, we feel it's needed. You know, it's the start of trying to understand funding agreements, and how requirements for this sort of assessment would take place. And so we just went full force, and we attacked as we would any. And we demonstrated that we could go from a position of unauthorized access all the way through to the position to deploy ransomware and access various elements of the school infrastructure. And the feedback from the people that were involved in it was that that gave them actual tangible results that they could then go and remediate problems directly with certain things they didn't even know existed, certain things were through third-party provisions, and they weren't even aware of the fact. For example, I could get into all of the CCTV systems. Now, that doesn't necessarily sound as if it's a particular problem. But then when you think of the user base being children, and how you know, the controls we have around performances, and taking photos and getting access to imagery of children, that's actually a significant thing. They were completely unaware that those solutions could be compromised in that way, fairly simple attack chains. But because it's a third party that came in, set it all up, “There you go, thanks very much, it's all done” None of that was ever sort of tested or assessed, it just worked. So and you find a lot of that I think it works, don't touch it, don't break it, don't mess around with stuff, don't touch the computer off, that gives you the internet, because that breaks everything. And so there's still a lot of sort of catching up to do there. And testing is really effective at trying to find those pathways and those gaps that give people as I said, tangible results that they can then go and remediate immediately.

Rory

It sounds like the teams that you work with were very appreciative of the work that you did. But I'm wondering if there's sector-wide, much demand for this from schools at present? Or would there need to be a parallel, maybe, an awareness drive to kind of bring this case to these kinds of educational leaders and IT teams?

Matt

I think it's starting to become an awareness piece now, if I'm honest. I've been focusing on this for the last couple of years. And, you know, we performed this pilot project back in 2021. And I think now it's becoming more of a conversation that actually, how do we actually understand what the security posture is for that? So we are seeing an uptake in people requesting these types of services and understanding. I don't think that this is a nationally-led thing at the moment. Obviously, budget is a challenge, right? When you talk to school leaders they say, “Well, that's great but it's not that we don't necessarily have the budget to spend on this sort of stuff. It's just that we have to prioritize things. So if we spend money here, then we're we don't have money to spend there”. So we have to determine what that is and so obviously, budgets being squeezed is a really difficult challenge for people. But I do think that we will continue to see this need for people wanting to actively test their boundaries. That's not to say that there aren't things that people can do already, there are the cyber central schemes through the NCSC, run by IASME, and really those sorts of solutions aim to give you a good baseline of what your controls are. But I would say that the active point of attacking and trying to determine through penetration testing techniques and simulated attack techniques is still kind of an emerging request.

Jane

So we've spoken a little bit about sort of funding, and I guess what the role of the government or the state level should be, when it comes to cybersecurity training that, for example, knowing what your cyber posture is now is a must rather than a should for having funding and so on. Is there any involvement that private companies should have as well, whether that is from the point of view of training students, training teachers, or running sims? I guess the answer is yes.

Matt

The answer definitely is, yeah, so I would say that working for a… I mean, there’s obviously the commercial. I think the bigger issue is that, let’s the government scheme called the check scheme, as an example. In order to be able to perform testing against government entities, you need to be part of that check scheme, and in order to fulfill the requirements as a company to become part of that check scheme, there are a lot of stringent controls and things that you have to demonstrate that you can meet the criteria to perform that. So what I'm saying is for this high-value national critical infrastructure, really important systems, you can't just roll up with the latest copy of Metasploit and start, like, throwing stuff around. So we need those controls in place, the current state of the education sector is that there isn't any market governance there. So what we see is that there's a danger that there's a need at the moment for this testing. And most people that I speak to actually acknowledge that in some cases want that. And then you speak to some network managers, and they actually know their systems quite well. A lot of the time, actually, pen testing can facilitate that change. So you know, they want somebody to come in and test their deployments and configurations, either to validate what they're doing is correct, or to support a requirement to say, “Well, I would love to be able to do this, but we don't currently have the funding for that, and this is the reason why” and there is an outcome of why I'm saying this is possible. So you know, those types of attacks can really facilitate change at various different levels. But at the moment, there isn't anything to stop pretty much anybody who wants to start providing services to the education sector, from performing these sorts of attacks. And I think that's a dangerous place to be because, you know, there's the whole state of data management and performing these things safely. Understanding your responsibilities around data as a provider, and all the GDPR hoops you would have to consider when doing this sort of stuff. It's not an easy situation. And that's why we have these established schemes, where companies need to demonstrate their understanding. I would like to see that as this requirement evolves we see some level of control there, as more providers are introduced into the market to be able to provide these services to schools.

Rory

I guess I'm kind of returning to a question I asked earlier, but is the ideal outcome for drones of this kind for red teaming like this, that the management isn't the only one that benefits from it, but that at some level, this information is spread throughout the student body, as well? That there is some kind of follow-up, whether that be through an assembly or through individual tutor groups or something that people are made aware of what went wrong, what went well, and why?

Matt

Yeah, I guess so. Because, you know, students are obviously aware of these types of cyber attacks if the systems are unavailable. And as you said, there are conversations there, they are aware of the disruption and maybe understand in a little bit more detail how those types of things happened. You're kind of educating the future workforce by proxy as to the challenges and threats that they face. And as I said, those threats will not change as they emerge out of education and come into the workforce. Because, as I said before, the technologies and the platforms that you see in the workplace are pretty much identical to schools. So, you know, there's some value there in people being able to unpick how things happened. There's some value in testing to be able to sort of reduce the attack surface, pretty difficult conversations around that ease of use against the best practice security controls. For example staff commonly, or quite commonly and let's not give it a complete broad brush, but quite commonly have administrative rights over their local machine. So that means an attacker that gains access in the context of a staff user would have the mechanisms to start making changes and persist on that machine, etc. Now, that's for ease, staff need to be able to get on with stuff and they don't always have the time to interface with IT to get things. Anybody that worked in a school realizes it's a very fluid, mercurial environment. So you know, it's fast-paced but those conversations at least need to happen, the risk needs to be acknowledged as to what that is. Now, if you choose to accept the risk, that's absolutely fine. And, you know, on a daily basis, what I find things on delivery, where actually it's not possible to fix it easily, like dependency on legacy operating systems, all these sorts of things. They're part of bigger projects, which require money. So you have to be pragmatic about how you can fix all this sort of stuff. Deploying and managing networks, particularly at scale, particularly with the user base that schools have is not an easy thing. But understanding where those risks are at least allows you to have some visibility as to where you potentially are exposed, and then make judgment calls as to how urgent you think it is to do that or what else can you do in the meantime, to at least improve your visibility as to what that is. Often, there's a lot of functionality in these platforms that people have, that is probably underused. So, you know, maximizing what you already have invested in is also a good outcome to try and sort of raise the overall security bar. And you have to be careful not to scare people. But the reality of it is no compromise of a student account can actually lead to really bad things. My son hooks into his Office 365 solution, and I know the impact of what that would be gaining access to his account. And that's kind of where people are. And the advice that schools currently are getting at the moment, is really around availability. So if you look at the advice from NCSC and other places, it's really about making sure you have good backups, don't click on links, and enforce MFA. And the problem with that is that we've already discussed it's very difficult for people to enforce MFA and good backups are a priority. So what we see is that the advice is purely around, “Make sure you can get back to your data after things have been compromised” rather than “These are the ways that we actually think that you can proactively prevent, or at least measure how easy it would be for somebody to get access to your data”. And that's pretty much the thing that I'm trying to drive home is the case for testing that all of those other things are warranted and valid as part of IT management programs. But actually, how do we know that fire doors are resistant to fire? We set fire to them, and we work out how long it takes before they disappear. And I think that's the bit that is missing in education at the moment. And the problem which we have is anybody can run around with a flame thrower really. I've had to go through stringent controls and many qualifications and three yearly assessments for particularly difficult exams to do what we do, because we can demonstrate that we can do that safely. And so there's a danger that unless that's kind of understood that people have this need, and they should interface with people that know how to do it, we may actually make problems worse.

Jane

Well, unfortunately, that's all we have time for this episode. But thank you very much to Matt Lorentzen from Cyberis for joining us.

Matt

Thank you.

Rory

As always, you can find links to all of the topics we've spoken about today in the show notes, and even more on our website at itpro.com

Jane

You can also follow us on social media as well as subscribe to our daily newsletter. Don't forget to subscribe to the ITPro podcast wherever you find podcasts. And if you're enjoying the show, why not tell a friend or colleague about us?

Rory

We'll be back next week with more from the world of IT. But until then, goodbye goodbye.

Jane

Goodbye.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.