Preventing access to extreme sexual and terrorist material on the internet is a no brainer, isn't it? After all, most of that stuff's illegal. Well yes. And no.
Schools and colleges, which have greater duty of care obligations than universities to their under-18 learners, will certainly be making use of web filtering solutions as means of protecting learners and to comply with the Prevent agenda.
Mention web filtering to higher education institutions (HEIs), on the other hand, and academic freedom concerns are immediately raised. So the uptake of web filtering in universities is patchy: some do it, some don't, and some don't like to admit they do it in case it's deemed too "Big Brother".
When I've talked to HEIs about this issue, at the outset most think web filtering is a bad idea, but that hard line softens when I explain firstly how sensitive research can be conducted unhindered even with web filtering in place and, secondly, how it can play a role in the welfare of staff and students. With the current media focus on wellbeing in universities, who'd want to compromise on the latter point?
Sensitive research may include subjects such as terrorist recruitment tactics, or sexual psychology. With the right permissions from the university and the authorities, it's possible to unblock content that would normally be filtered out for one person, a group of people or for particular machines.
For everyone else, web filtering will ensure that no illegal material is accidentally seen, which protects the curious and the vulnerable.
Without the right controls in place for sensitive research, a slip-up is all too possible. Let's say a researcher is in their office legitimately looking at some illegal content. She closes the laptop and takes it with her for lunch. In the canteen she decides to check her email account, opens the lid and up pops a graphic image in full view of other diners.
It is an offense to expose other people, accidentally or not, to this kind of content, so my advice is to create a safe space for research. People with the right permission could book to work at certain desktop computers (not laptops) in a certain access-controlled room. To get buy-in from researchers, universities can demonstrate the value for wellbeing: the university recognises such research is valuable and is putting in a process to allow freedom of study, while also taking care of the campus community.
It's not healthy for anyone to be viewing illegal material, so building in care plans for researchers to make sure they are not detrimentally affected is sensible, preferably in partnership with the university's occupational health department. Web filtering solutions have built-in reporting systems that can be set up to help with this. For example, it can monitor and control the time an individual spends looking at illegal content.
As a means of taking care of staff, processes like these are in place at the two organisations in charge of monitoring illegal content in the UK, the Internet Watch Foundation (IWF) and the Counter Terrorism Referral Unit (CTRU)1. Universities could easily adopt similar systems.
Watching your back
Web filtering can also protect an organisation's reputation. Imagine this scenario: an administrator gets an email that looks genuine but is actually a phishing attempt. One click and up pops an illegal image with a message threatening to report the administrator to the police unless they pay up.
Bearing in mind web filtering could have blocked both the dodgy email and the image, the administrator might argue he or she wasn't properly protected by their employer. Similarly, anyone who saw that graphic image on the researcher's laptop in the canteen could also complain.
Moreover, accessing illegal material is an offence likely to be noticed by the authorities, which will spark an investigation. And that would make a great story for the media.
Researchers and their employers can be further protected from suspicion by keeping a record when illegal content is accessed. Earlier in my career, I legitimately used illegal hacking tools because it was part of my job to unlock servers, so I had an unfiltered account. But I would record the tools I was using, when I used them and why, so I could prove I wasn't up to no good if I were ever questioned.
A flexible friend
We've touched on using web filtering as a means of controlling access to illegal web content but the flexibility in most systems will allow organisations to control what is accessed from certain machines and who has access – which is useful in a college where the student cohort is a mixture of under 18s and adults.
Controlling what can be opened on a mobile phone is a bit more tricky, since the owners don't have to connect to the university or college network to use their phone. On the plus side, mobile phone providers block illegal content at source.
Web filtering is not a preventative measure, it's a protection measure. It can help protect a network through its malware detection, it can protect students and staff from viewing distressing and potentially harmful material and protect reputation by keeping institutions on the right side of the law.
Our view is that web filtering solutions can be so flexible and tailored that there is no reasonable argument against using one.
- 1 The IWF and the CTRU monitor content that is illegal in this country and each produces a filtering list, which Jisc's web filtering framework supports.
A survey of nearly 2,000 higher and further education teachers shows that 61% of university lecturers feel technology should be used more in the classroom. Despite this, 14% are never supported to develop their digital teaching skills.
Our latest digital experience insights report shows both further (FE) and higher education (HE) staff want more time and training to improve digital skills, so they can use technology more effectively to benefit students.
The poll also finds that 38% of HE teaching staff rate their university's support for developing digital aspects of their role as better than average, and 26% below average.
Demanding workloads are also impacting opportunities teachers have to improve their digital skills. One lecturer said: "Workload is so cluttered during term time that developing new digital teaching practice in response to student feedback during the semester itself is difficult/impossible."
What staff and students want
However, there is enthusiasm for using technology, with the poll finding that 61% of teaching staff describe themselves as among the first or early adopters of digital technologies for teaching, and that 51% rate their organisation's digital provision as better than average.
The staff survey is a pilot that builds on our student version of the report, which this year collated answers from more than 37,000 students about their experience of technology in FE and HE.
Despite the concerns of some teachers, the student report finds that 74% of HE students are happy with the quality of teaching they receive, although some become frustrated when teachers don't use digital systems competently, especially when this wastes time or reduces access to course materials.
Paul Feldman, chief executive, Jisc, says in a foreword to the report:
"This is the first foray into uncovering the true digital experience of teaching staff in colleges and universities, and gives staff the chance to voice how they are experiencing their digital environment.
"With the skills demands of the workforce being driven by "Industry 4.0" – an industrial revolution fuelled by data and machine learning – it's also important that education leaders fully understand whether their digital environment can keep up with rapid advances in technology and industry, as well as meet student and staff expectations.
"At Jisc we believe that Industry 4.0 can't truly succeed without an "Education 4.0", and that our role is to help colleges and universities make the most of potential of new and emerging technologies. We want to work with colleges and universities to see their digital environment through the eyes of their students and staff and act on that knowledge.
"Our teaching staff insights survey provides additional data to organisations, triangulating with the data from their student insights surveys."
Find out more
John Chapman, head of Jisc's security operations centre, looks back to Jisc's first cyber security strategy and sets out how we will protect our members and the Janet network from cyber attacks over the next three years.
More than three years ago, in March 2015, Jisc published its first cyber security strategy, covering the security products and services that we offered or were planning to deliver over the subsequent three years. While much changed over this period, we broadly met the objectives of this original strategy as we constantly revised our plans to meet the needs of our members.
For example, three years ago we hadn't embarked on our DDoS mitigation programme, yet the security landscape and the need to protect our members better meant we had to quickly develop and implement a national solution to mitigate denial of service attacks. It needed to ensure secure and reliable network access for users and to also enhance the visibility of threats on the Janet Network – helping to increase security for the entire education and research sector.
One cyber security division
At that time cyber security within Jisc was scattered across different departments with operations and development as separate activities. Now, as we publish the next three year strategy, we do so under the auspices of a single cyber security division – formed to consolidate all of Jisc's member-facing security products and service activities into one organisational structure to provide a coherent set of solutions.
This new strategy looks at how Jisc will work to protect our members and the Janet network from cyber attacks over the next three years (2018- 2021). This strategy has been informed by our members through multiple meetings with individual organisations, feedback from our annual cyber security conference and detailed analysis of responses to our annual cyber security posture survey.
More managed security services
In May last year we conducted our first ever cyber security posture survey among our members. This gave us valuable insight into our members' security posture and requirements, providing us with a greater understanding of our members' top security concerns and where you need most help.
The survey has now become an annual fixture to ensure we continuously deliver the cyber security products and services that meet your needs, which this year has seen an increased interest in us providing more managed security services: managed log aggregation and managed intrusion detection services are both of interest to HE and FE respondents.
To help meet this need we will undertake research with a view to implementing a managed security operations centre service for members by 2020, working with institutions to develop a unique sector offering to help protect them in an increasingly difficult environment, both from the number of attacks and the scarcity of skilled security personnel.
Another key finding we are responding to is the significant growth in interest for digital forensics. This has jumped in priority for both FE and HE institutions, so we will continue to develop the Jisc security operations centre by recruiting and training skilled individuals. By the end of 2019 we will look to have developed our digital forensics capability to enable us to undertake more investigative work as part of ongoing incidents.
We expect the next three years to be as turbulent for cyber security as the last three, so we will continue to engage with you to ensure we are protecting you. Cyber threats are not going away and, as funding changes within the education and research sector, we will need to be more agile and innovative about how we all work together to address them.
FE colleges consider DDoS (distributed denial of service) attacks to be among the top five threats to their cyber security, according to our survey of our members earlier this year. They are right to be concerned.
Our data shows that in the first six months of this year, colleges were targeted by 225 DDoS attacks designed to bring down the network.
This represents an increase of 35% compared to January to June 2017. Jisc's security operations centre also handled almost three times as many other security incidents or queries from FE colleges over the same period.
It's notoriously difficult to identify individual cyber criminals but it is accepted that the threat from inside organisations is very real and should not be overlooked. Whether it be intentional or accidental, protecting the organisation from all threats needs to be a priority.
The foundation DDoS mitigation service is provided to all Janet connected institutions as part of your connectivity services. The foundation service is designed to protect you from large scale attacks that could potentially bring down your network connection.
The enhanced DDoS mitigation services are designed to provide more focused alerts and protection for external-facing critical services that could be targeted within your network.
Our security operations centre is there to help mitigate attacks on our members but colleges are responsible for their own cyber space and should not underestimate the potentially huge financial and reputational impact of a network outage.
How can Jisc help you protect your organisation?
As part of your Jisc subscription, you receive our foundation DDoS mitigation service and can apply for access to our cyber security portal. This gives you peace of mind that we will mitigate attacks against your network connection. We detect and filter DDoS attack traffic across the Janet Network before it reaches you – mitigating the effects of attacks on your Janet connection, and reducing disruption and cost.
If you need a faster or more customised DDoS mitigation, or 24/7 response, we now offer our enhanced DDoS mitigation service.
With the enhanced service, you select one of two reaction levels: fast or instant. The fast service triggers mitigation within four minutes while, with the instant service, traffic is routed permanently via the mitigation service, so there is no delay in defence. These automated services react 24/7, helping you prevent disruption from out-of-hours attacks. You can also select pre-configured or bespoke options, as appropriate to your risk and budget levels. With a pre-configured option, you choose from a selection of profiles designed to protect a selection of common services, such as web servers or DNS – using traffic thresholds and mitigation responses designed by Jisc security analysts to be suitable for most needs.
With a bespoke option, you can further tailor your protection, adjusting parameters with the help of a security analyst. For example, you can add protection for external-facing services not normally included in pre-configured profiles – such as an internet-facing file transfer service – and you can customise protection to include or exclude specific domains or URLs.
Together, pre-configured and bespoke options allow more accurate detection of attacks and more effective mitigation.
Jisc's enhanced DDoS service: a no brainer
George Wraith is head of ICT at New College Durham, an outstanding mixed-economy FE college covering the full range of education from HE degree-level courses through to A-levels, GCSEs, apprenticeships and a range of vocational and academic subject areas.
In May this year New College Durham signed up for Jisc's enhanced DDoS mitigation service. It was, says George, a no brainer:
"Cyber security is very much in the forefront of everybody's radar at the minute and last year there were significant cyber attacks on both the Janet Network itself and on individual colleges and universities. If we were to lose our connection because of an attack, the effect on the college would be massive.
We have a small secondary connection we could fail over to but it's nowhere near the same bandwidth so, although we would still have an internet connection to carry on business, our students would lose a major element of their study while we were down and the reputation of the college would suffer.
Given that risk, as soon I heard about this new service from our account manager, Lisa, in March, I was keen to have the initial conversations with Jisc's cyber security team about whether it was appropriate for us. Once it was clear that it was, it became simply a matter of working out what we actually needed and what we could afford.
The Jisc cyber security team and my in-house team went through the options together and decided, based on a balance of technical needs, risk and budget, what was going to be most effective and cost-effective for us.
We went for "fast pre-configured" service options to mitigate our email, SIP trunks and our web services. We discussed the configurable "bespoke" service options and the pros and cons of the other protocols, but those are the ones we centred on as our main needs. We were on board by May – I couldn't get the purchase order out quickly enough. The process was very smooth and very easy. It was all done through video conference so it was just a matter of getting the right people in the room at the various times that we needed to.
Now, I have peace of mind. The monitoring is a key element for me – I'm able to access the cyber security portal on a live basis at any time as well as get weekly reports and see if there has been any mitigation and can find out if there are any alerts on the services in general. So, if something does go awry internally, we can check and narrow the field down very quickly. It's been such an easy service to engage with. It's just there and working, there's never been any issues or problems with it.
Thanks to the enhanced DDoS mitigation service we now have expert coverage of protocols on a more enhanced basis as well as the service Jisc provides across the board. It's meant that I can say to auditors and senior managers that we're doing as much as we can externally with our network providers to mitigate any risks on the cyber security front from an external loss of internet connection or internet services more generally.
I can't emphasise enough that it's a no brainer, especially for any educational institution that's using Jisc services already. To my mind, Jisc has proved itself with the reliability and trust established by the Janet service over the years."
Find out more
With the academic year now in full swing, we're looking for new student partners to help us to transform education technology in colleges and universities.
The student partners initiative launched this summer and the first five volunteers, drawn from both universities and further education colleges, are helping us to further understand the challenges faced by students and the ways in which technology and digital skills impact their experiences of education.
We are hoping to recruit a further ten student partners to offer insights into how digital fits into their learning, life and future career plans, and to help us communicate this effectively to universities, colleges and government. Student's views and experiences will also feed into our future work to make sure that our vision for technology enhanced learning reflects the needs of learners.
The programme kicked off with a training session at our new London office where the student partners set out their motivations and hopes for the initiative:
Brad Forsyth from London is studying BA (Hons) digital film production at Ravensbourne University:
"I have seen first-hand how Jisc's work inspires and makes a difference to young people's studies by keeping the educational system ahead in a changing world, which is increasingly reliant on technology. Opportunities like this to be a voice for students is vital as not all learners feel they are listened to when asking for adjustments which are beneficial to them.
"In addition to discovering the inner workings of the education sector, I want to help spread the word of what this organisation does and put forward productive ideas; being part of what I consider a movement to guarantee learning is accessible for everyone, by providing the correct tools for the skills and needs of all students. I aspire to make changes happen that I feel are overdue and not considered to be a high priority by government and other decision makers.
"Aside from filmmaking, and starting up a photography business, I'm developing an app which will benefit students by narrowing down an occupation that is suited to their talents and abilities. I would like this to take off so that people end up in careers that satisfy them."
Sam Jenkins from Somerset is studying history and the modern world at the University of Winchester:
"Becoming a student partner will enable students at my university through me to have a voice within the development of educational technology. The role will allow me to find out more about present and future digital opportunities for students, to see the behind-the-scenes work of developing these opportunities in action, and to feed this knowledge back to students and university leaders in Winchester.
"Faculty research at my university indicates that employers see digital capabilities as crucial to the day-to-day operations of their organisation, even alongside non-digital competencies like teamwork and empathy. As a student partner, I look forward to seeing Jisc develop new tools and services which gives opportunities for all students to develop relevant digital capabilities, improving the transferable skills which they take into the world of work."
Jake Forecast from Essex is studying BA (Hons) primary education with qualified teaching status at Canterbury Christ Church University:
"I wanted to join this scheme, as I have worked alongside Jisc at various events while I was a Digital Voice Xpert at Epping Forest College and this has inspired me to progress my digital skills further. Not only will being a student partner help me gain knowledge and skills in technology, it will link back to the necessities of my study programme and my career path as a primary school teacher.
"I want to ensure we find ways that allow all students in further and higher education to have access to technology throughout their studies, to promote inclusion. Whist working in the early years and primary education sectors, I have found that we sometimes struggle to help support children with additional needs.
"Taking on this role, I will help to inspire more students to be digitally enabled in society and to improve their education through technology."
Sarah Davies, our head of higher education and student experience, said:
"Jisc has been working to support universities and colleges with student engagement in the digital experience for many years, but it's critical we initiate our own student partners scheme to ensure we can innovate with their views in mind. I'm looking forward to collaborating with them to help shape the development of our future services so we can transform the student experience and help deliver student success."
Students will be involved in a range of activities under the programme, including joining a panel discussion at our events and contributing to research and development.
This programme builds on the work we have led on the change agents' network, which enables staff and students to work together to improve the curriculum.
Anyone interested in becoming a student partner should visit our get involved page for more information.