A college has warned it will have to hand back over £4 million under the Education and Skills Funding Agency’s “spiteful” adult education budget claw back plans.
Leicester College told FE Week it has forecast to spend 53 per cent of its £11 million allocation for 2020/21 – meaning it could have to hand back 37 per cent up to the allowance threshold of 90 per cent announced on Monday.
“The college is unlikely to be able to make up the remaining allocation in the final term of the year,” a spokesperson said, as they believe many adult learners are “unwilling” to sign-up until the vaccine programme has completed.
The Association of Colleges has predicted that most of their members will deliver between 75 to 85 per cent of their allocations, which would mean a total clawback of between £22 million and £62 million.
‘Not clear’ what the implications will be
While the cause of under-delivery can largely be attributed to the various national lockdowns owing to Covid-19, Leicester College has been in continuous lockdown with the rest of the city since March 2020.
“The current year has been impacted by the pandemic far more severely than 2019/20,” the college spokesperson said.
While it is “not clear” what the full implications of this will be, the college said it is “clear” there will be consequences for cashflow, for its capital programmes and future plans for 2021/22.
The college is refurbishing its Abbey Park campus ahead of starting the government’s flagship T Level courses in a number of different areas this September.
Adult education threshold ‘feels a bit spiteful’
The ESFA has come in for widespread criticism for setting the 90 per cent threshold, which will affect grant-funded colleges and councils with AEB, 19 to 24 traineeships, and advanced learner loans bursary allocations.
Julian Gravatt
AoC deputy chief executive Julian Gravatt warned in a blog on his association’s website yesterday that other colleges will lose “six figure sums”.
Plus, he said, it could cancel out funding for the government’s new level 3 entitlement, due to start next month under the new National Skills Fund.
“It is good that DfE has accepted the need for a lower threshold, but a 10 per cent tolerance is not much given the disruptions of the year and will leave some colleges scrambling for enrolments or savings,” Gravatt added.
Sue Pember, formerly a senior Department for Education official before becoming director of policy for adult education network Holex, said during an FE Week webcast earlier this week the threshold “just makes it really hard, and feels a bit spiteful”.
Bob Harrison, chair of adult education provider Northern College and a governor of Oldham College, tweeted following the announcement: “So let me get this straight: The government forces our colleges to close and therefore we are unable to recruit and run our short courses.
“But we have already employed teachers and have fixed costs. Then the ESFA are going to clawback if we don’t hit 90 per cent of target? Its Catch 22.”
Luke Rake, principal of land-based Kingston Maurward College expressed his indignation, tweeting: “And lo! Adult education is killed off completely.
“Couldn’t deliver due to enforced lockdowns, didn’t furlough staff based on ESFA advice, ESFA now tells us we’ve still got to give the money back, having paid wages for a year. Helpful. Thanks.”
But in the announcement on Monday, the agency said the 90 per cent threshold was a “fair representation” of grant-funded providers’ average delivery.
They acknowledged the situation “is still difficult for providers,” but they “have been able to continue remote delivery very successfully during lockdown, having built on the experience of 2019 to 2020 to establish effective contingency arrangements to manage Covid-19 restrictions”.
Colleges that deliver less than 90 per cent of their national adult education budget allocation this year face having their unspent funds clawed back, the Education and Skills Funding Agency announced today.
The agency said this new threshold, much higher than the 68 per cent set for last year, is a “fair representation of grant-funded providers’ average delivery” in 2020/21.
The policy means that only colleges with funding for AEB, 19 to 24 traineeships, and advanced learner loans bursary which hit 90 per cent of their allocations will be able to keep 100 per cent of the money.
Initial reaction from Association of College’s deputy chief executive Julian Gravatt was that “tens of millions of pounds are at risk,” as the ESFA AEB is worth around £450 million to colleges.
Gravatt told FE Week the tolerance is “not much” and would leave colleges “scrambling for enrolments or savings”.
He added: “We’re asking DFE for more information on the estimates that informed the decision and for a reconsideration of the level to avoid pressure on colleges to cut back just when the country needs them to do more.”
ESFA plans to reclaim funds from colleges who miss their adult education budget target by more than 10% in 2020-1 academic year – a period of considerable disruption. Tens of million pounds at risk (ESFA AEB worth c£450 mil to colleges) https://t.co/FVqTrBatGR
Head of policy for adult education network HOLEX Sue Pember called it “very disappointing and doesn’t cover any of the added costs of Covid-safe delivery or the extra support that students needed.
“Decision needs to be reviewed or a support fund created to cover the added costs of delivery. There may be fewer students but they needed more support,” she continued.
In a typical year, colleges are allowed to keep 100 per cent of the national adult education budget funding if they achieve a threshold of at least 97 per cent of their allocation.
Last year this was lowered to 68 per cent owing to the impact of Covid-19, and with national lockdowns continuing, many in the sector thought a similar threshold would be implemented this year.
Situation still ‘difficult’ for colleges
Announcing the new threshold today, the ESFA said: “We acknowledge the situation is still difficult for providers, but our latest data shows that a threshold of 90 per cent is a fair representation of grant funded providers’ average delivery.
“We also know that many grant funded providers have been able to continue remote delivery very successfully during lockdown, having built on the experience of 2019 to 2020 to establish effective contingency arrangements to manage Covid-19 restrictions.”
“Our primary aim is to support providers to continue to deliver as much quality provision as possible, whether that is face-to-face, online, or otherwise remotely,” the update continued.
The agency said it would publish further details for colleges with any questions by the end of March.
And AEB funding rules for the 2020 to 2021 academic year will be updated in April to include this change.
The announcement today only applies to the national AEB administered by the ESFA, not devolved mayoral combined authorities which decide their own funding rules.
One in five colleges were allowed to keep close to one-third of their allocated adult education budget despite failing to deliver any courses for the funding last year, as previously revealed by FE Week.
The threshold only applies to colleges, not independent training providers which will continue to be paid only for what they deliver.
It looks like the Department for Education and the Department for Business, Energy and Industrial Strategy aren’t talking to each other, writes Graham Hasting-Evans
Do you remember the “industrial strategy”? Back in 2017 the government developed an overarching economic plan spanning up to 2027. From this has flowed a number of sector industry strategies.
These industrial strategies, developed by the Department for Business, Energy and Industrial Strategy, set out the impact that digitisation, artificial intelligence, changes in materials, new ways of working and green technologies would have on sectors.
From these, significant changes were identified to develop the required skills in the UK’s workforce: both 16- to 19-year-olds doing traineeships, apprenticeships and T Levels, and also the 34 million in the workforce who need some form of re-skilling.
But what currently is not at all clear is how these industrial strategies fit with the Skills for Jobs white paper proposals put forward by the Department for Education. It is very hard to find joined-up coherence between the two.
‘Heavily academic Board’
Take the white paper’s proposed Skills and Productivity Board. The idea behind this board is to provide expert advice on skills mismatches and how to make sure the courses and qualifications on offer across the country provide the needs of the employers and help grow the economy. It is chaired by Stephen van Rooyen, chief executive at Sky in the UK and Ireland.
Yet it is quite a heavily academic board. I am a fellow of the World Confederation of Productivity Science and in my experience, productivity improvements are achieved through a series of very practical day-to-day changes. It is hard to see how the very academic Skills and Productivity Board will relate to the practically focused industrial strategies developed by BEIS.
Of course, more detail may be yet to come – but the fact the industrial strategy is only mentioned once (in passing) in the white paper is already a cause for concern. Instead, the DfE has created a board without any practitioners on it, other than the chair, and that worries me.
‘Skills improvement plans must be local’
We also need to ask how the industrial strategy is meant to connect at the local level to the Chambers of Commerce, which were set up as the respected voice of the business communities they represent more than 150 years ago, in some cases.
The chambers have been tasked with making sure the white paper’s “local skills improvement plans” are implemented, which means they should help ensure colleges and providers match their courses to local employers’ needs.
How can the chambers do this without knowing what industrial strategies the government has for different kinds of employers and sectors?
Some chambers are very proactive on the local skills agendas, linking to other organisations such as the combined authorities, Local Enterprise Boards, Confederation of British Industry and Federation of Small Businesses. Others less so.
The DfE seems to have failed to realise that there is already a productivity plan out there
Even if the local skills improvement plans are properly linked up to the industrial strategies, I’m concerned the plans won’t have the flexibility to really respond to the local situation.
We need to remember each area will start from a different place. In some areas, maths and English skills will be sufficient, but in other areas there might be major gaps in these basic employability skills.
All areas will have different mixtures of large employers or small employers. Somewhere like Derby is focused on manufacturing, but if you go down to Devon it will be more concerned with tourism and hospitality.
My worry is the local skills plans will be cast from a central template, and local people won’t have enough flexibility to really make them work and match up with local needs and sector-specific industrial strategies. The plans mustn’t be managed from the centre.
Overall, the DfE seems to have failed to realise that there is already a productivity plan out there – it’s the industrial strategy. It’s been completely formulated, yet it appears they’ve not threaded it into the skills white paper.
It looks like BEIS and the DfE aren’t working together. The DfE must think again, and bring the industrial strategies into the heart of the FE white paper.
The public sector apprenticeship target is to continue for an extra year as the majority of bodies in scope struggle to hit the 2.3 per cent starts aim.
The Department for Education revealed on Friday it will be amending legislation to set a new one-year target from 1 April 2021 to 31 March 2022.
The original target, set under powers from the Apprenticeships, Skills, Children and Learning Act 2009, runs from 1 April 2017 to 31 March 2021 and mandates public sector bodies with 250 employees or more to start 2.3 per cent of new employees as apprentices over that four-year period.
The target encompasses schools, local authorities, central government and their arms-length bodies, NHS organisations, the armed forces, and emergency services.
The department told FE Week this new one-year target, which will stay at 2.3 per cent but will not count previous years’ performance, “demonstrates the government’s continued focus on delivering more apprenticeships in the public sector”.
Public bodies fail to hit target
Official DfE statistics published earlier this year shows most public sector bodies have so far failed to meet that bar over the first three years of the target, with an overall average of just 1.7 per cent between April 2017 and April 2020.
The police performed the poorest, with just 0.7 per cent over that period; followed by schools, with one per cent.
Best performing, by miles, was the only sector the meet the target – the armed forces, with 7.9 per cent.
The target only became a requirement for schools in March 2019. FE Week’s sister paper FE Week reported that year how schools were facing difficulties recruiting apprentice teachers.
This has been blamed on the high costs of training and employment, and ministers’ insistence apprentice teachers be supervised in the classroom, and that the profession remain exclusively for graduates.
Education and training apprenticeships, which include teacher and teaching assistant programmes, saw 5,610 starts in 2017/18, rising to 7,890 by 2019/20.
Target progress must be ‘easily accessible’
The guidance from the DfE which revealed the target extension also confirmed relevant public bodies would be still expected to publish their progress towards the target to the department.
The bodies will also have to publish their progress publicly, to “enable the government, the public, and wider stakeholders to understand each body’s headcount and the number of apprentices they employ”.
This information must be “easily accessible to the public, for example on the internal and external facing website of a public sector body in scope,” the guidance reads, as previous guidance on the target has said.
FE Week uncovered last October how scores of multi-academy trusts, councils and hospital trusts had failed to publicise what percentage of their staff had started an apprenticeship in 2019-20 on their websites by the September deadline.
At the time, the DfE appeared to be easing off mandating bodies to publish their guidance, saying it was simply “good practice” to do so.
Under this new guidance, public bodies have six months after the end of the target period to send their data to the DfE and make it public.
Apprentices are often isolated from their peers, and a mentoring and networking service can help reduce drop-out, writes David Marsh
At the start of this month the Association of Apprentices was launched ̶ a membership organisation aimed at providing apprentices with a stronger support and guidance network.
Despite organisations existing for university students, such as the National Union of Students, a community for apprentices has not properly existed until now ̶ an observation that highlights the need to improve parity between higher and further education.
As a group, apprentices are particularly in need of support from their peers – a community where they can share similar experiences and encourage greater buy-in and engagement.
It is also support that not all apprentices have access to. When apprentices go to large organisations they will often have a community of apprentices around them, but those in SMEs and other smaller businesses may be on their own.
‘Input from the Apprentice Council’
The Association is the brainchild of Sir Peter Estlin, the former Lord Mayor of London, and Jason Holt, the chair of the Apprenticeship Ambassador Network, an employer-led body sponsored by the Education and Skills Funding Agency. Both sit on its board.
The other founding partners include the BBC, Blenheim Chalcot, Salesforce, Royal Mail, NHS, exam board NCFE and the organisation I lead, independent training provider Babington.
Two apprentices from the organisation’s Apprentice Council will also become directors on the board, further amplifying the apprenticeship voice.
The Apprentice Council has 30 apprentices, who will help design what the Association looks like going forward. The chair is Joel Roach, an apprentice with Microsoft, and the vice chair is Jasmine King, an apprentice with Flagship Group, a housing association.
Over time, this network will grow and the more experienced apprentice members can start to support newcomers.
‘Add value to apprenticeship offers’
The idea is to build geographical membership networks, so there would be an Association of Apprentices community in Leicester or in Bristol, for example, so that events can be hosted, just as events are held at universities. Our next event will be hosted by the BBC on April 12.
Meanwhile, resources for careers advice and guidance will be created by the founding partners, and mentors will also be on hand to address any risks to engagement and drop-out.
We want to encourage providers to understand more about the Association of Apprentices. Membership of the Association should add value to their programmes by offering a special forum for new apprentices, enhanced access to careers guidance and mentoring programmes.
Meanwhile, the Council will help inform its evolving remit. The intention is not to be a lobbying organisation, but instead provide a robust support system for apprentices. That said, we will definitely be asking members for views and feedback and will share this as insight to support apprenticeships more broadly.
‘Involve training providers properly’
Finally, it’s timely to reflect on what’s needed to create a strong skills system apprentices can flourish in.
Employers play a vital role in FE, and are a central plank of the FE white paper. But while employers should absolutely be part of the future skills puzzle, it may be more apt to frame them as the brains, rather than the heart, of the FE system.
LEPs and Chambers of Commerce also play an important role but they won’t necessarily want to be the delivery vehicle in the same way training providers can be. And employers won’t always have the expertise regarding the complex and wide range of funding streams.
Further, three out of every four apprentices are trained by independent providers. But their role is significantly underplayed in the FE skills white paper, even though these providers have valuable frontline experience and the insight to support employers with their skills, training and recruitment decisions.
Therefore, we must support employers by giving them the choice to work with the providers that best suit their strategic needs.
Only then can we successfully deliver for young people – and apprentices especially.
Staff don’t need to provide cartloads of evidence for teacher-assessed grades, just enough to form a professional judgment, says Jill Duffy
It is widely agreed that teachers and college leaders are facing an unprecedented workload.
Not only are you welcoming students back, identifying learning gaps and doing Covid testing, but results for your students taking key vocational qualifications (like our Cambridge Technicals) this summer will be based on teacher-assessed grades.
Time and again when we listen to teachers and their teacher associations workload comes up as the headline issue.
The issue isn’t new, but with the impact of the pandemic there is a real question as to whether there are enough hours in a day to get everything done.
‘Consistent guidance needed’
It will come as no surprise that there are no simple “light touch” approaches to assessment – what we all do must meet the high bar needed to secure expectations of rigour and fairness for all students, regardless of the qualifications they are taking.
And much will, inevitably, fall to teachers and their colleges to exercise their professional judgment in generating teacher-assessed grades and to put in place the necessary quality assurance.
Nevertheless, it’s important you are supported with guidance that is clear, as consistent as possible across exam boards, and that meets regulatory demands.
We’re doing everything in our power to ensure that the guidance we produce will be simple and timely. So we are working to get guidance out to you about generating teacher-assessed grades for our Cambridge Technicals as well as our Cambridge Nationals next week.
But at the same time, we can only go as fast as decisions are confirmed by policymakers and regulators. There is an Ofqual technical consultation about the vocational framework which closed just last week.
We can only go as fast as decisions are confirmed by policymakers and regulators
We know Ofqual is working hard to publish the outcomes next week, which is when we plan to publish fuller guidance on how grades for our key vocational qualifications will be arrived at.
‘Some tips for now’
But there are some things we think we can and should say now about Cambridge Technicals, our popular post-16 qualifications.
For students completing this year we will be asking for grades at qualification, not unit, level. This is a change from the approach we took in 2020 and should help to reduce your workload.
Our approach will be to allow you as much flexibility as possible, just as with A-levels, in identifying sufficient evidence by which to judge a student’s performance.
There is no requirement for the evidence to cover all of the content of a qualification. We don’t expect cartloads of evidence, virtual or otherwise ̶ just enough, and no more, to inform a professional judgment.
The evidence you use can come from multiple sources and in different formats. For example, a recorded discussion would be viewed as a useful piece of evidence.
Your professional judgment will be supported by our performance descriptors, which indicate the level of performance required across the qualification.
There will also be no requirement to submit work for moderation. We are continuing to accept your requests for moderation of Cambridge Technicals units until March 29 and we will conduct virtual external moderation visits, where a college wishes, until the end of April.
We will allow teacher-assessed grades for your students who intended to complete a smaller qualification this year and have arrangements in place, so they can “top up” to a larger qualification next year.
‘Updates coming soon’
We will be asking you to submit your teacher-assessed grades to us by June 18 this year using the same grade submission system that we used in summer 2020. We’ll provide training, step-by-step guidance and FAQs as a refresher.
I hope this gives you some idea of the approach we will be taking and reassurance that we are committed to supporting you in the process of generating and submitting your teacher-assessed grades this summer.
Look out for our updates in the coming week. And we are, of course, always happy to hear your comments and concerns.
The Office for Statistics Regulation has reprimanded the Department for Education over the data published for its new Skills Toolkit.
The body, an arm of the UK Statistics Authority, wrote to the DfE’s chief statistician Neil McIvor earlier this month to raise issues with the figures.
OSR deputy director for regulation Mary Gregory expresses concern in the letter that the DfE is not clear that users of the toolkit could be coming from across the globe.
She also pulls the department up on its use of unpublished data about the Skills Toolkit in multiple parliamentary questions.
The DfE has now agreed to implement a series of improvements in the data’s publication and committed to following the statistics authority’s “Code of Practice” through its publication of “experimental statistics”. Compliance with the code is only a requirement for official statistics.
The letter follows multiple FE Week investigations which have led to the DfE admitting previous data claims were inaccurate.
Significant overcounting has led to revised estimates of “registration” claims in the published statistics which continue to include web hits and could be coming from anywhere in the world as the course providers do not filter for geographical locations.
Earlier this month, FE Week also revealed how some course “completions” were being counted when users spent three minutes looking at one of the online resources.
The course content has not been developed by the government, but more than £1 million has been spent to develop and promote the skills toolkit “platform”. It launched in April 2020 and consists of a web page on the National Careers Service with short course descriptions and links to the external websites.
The government says the free educational content being promoted aims to help people who are out of work to boost their digital and numeracy skills during the pandemic.
Education secretary Gavin Williamson described the free online courses as having a “transformational impact on so many people taking furlough” during a speech in October.
The DfE now publishes “experimental” Skills Toolkit data alongside its monthly apprenticeships and traineeships statistics release. The publication does point out the limitations of the data and makes clear that reporting of registrations and completions varies by each provider.
But it does not explain how the data for each course is counted, nor does it inform users of the geographical coverage.
‘We have been clear about the caveats and limitations of this data’
Responding to the OSR’s letter, a DfE spokesperson said: “The Skills Toolkit was set up in response to the pandemic to ensure people have the opportunity to learn new skills. Right from the beginning, we have been aware the providers that supply the courses apply different methods to collect and measure usage.
“For these reasons we have published ‘experimental’ statistics which reflects the need to publish data while we seek to develop them further as we establish what data our users need. We have been clear about the caveats and limitations of this data. The UK Statistics Authority provides this designation of ‘experimental’ for exactly those purposes.”
The OSR says in its letter that the Skills Toolkit data is published under the “additional analysis section” of the publication which “may not be clear to users looking for these data in the release”.
It also acknowledges that the section provides users with “some of the limitations of the Skills Toolkit data”.
However, “not all limitations of the data are included. For example, they do not currently inform users of what the geographical coverage is,” the letter reads. “It is important to clearly explain the relevant limitations of the data and statistics to aid user understanding, and these should be regularly reviewed as the statistics are developed.”
The DfE spokesperson said they will implement “further improvements” to address these concerns in its next release.
Director of corporate operations, Learning Curve Group
Start date: March 2021
Previous job: Chief operating officer, Corndel
Interesting fact: At age 21, she planned and organised her sister’s wedding in Pakistan for 500 guests.
Iain Hatt
Principal, Wiltshire College and University Centre
Start date: August 2021
Previous job: Deputy principal for curriculum and quality, Wiltshire College and University Centre
Interesting fact: During the last 12 months, he has become a keen runner and is looking forward to completing his first marathon – once it is allowed.
Margaret Greenwood
Chair, All-Party Parliamentary Group for Adult Education
Start date: February 2021
Concurrent job: MP for Wirral West
Interesting fact: She previously worked as a teacher of English in secondary schools, FE colleges, and adult education settings, and as a basic skills tutor.
Andrew Slade
Principal, Oaklands College
Start date: August 2021
Previous job: College principal, South Thames College
Interesting fact: As a part-time sports psychologist, he has worked with a number of elite athletes, who have achieved national and international titles.
FE Week tells the inside story of the cyber attack that shut down one of Birmingham’s major colleges, and finds out what others can do to protect themselves from similar threats.
At around 3am last Saturday, an alert rang out around South and City College Birmingham’s key staff and managers that the server had crashed.
The news reached principal Mike Hopkins later that morning, while he was training to cycle this year’s Tour de France for the charity Cure Leukaemia.
“We went in to find out what’s going on, to see all hell was breaking loose,” he told FE Week. He called it a “very high-level, automated” attack, committed through an unknown “backdoor” into their system. The college believes it had something to do with administrator’s rights.
The hack was what is known as a ransomware attack – where criminals restrict access to computer services until the victim pays up – as it “effectively encrypted all our systems and files, everything”.
Mike Hopkins
This meant staff could not access services such as human resources and finance, so: “We’ve had to adopt alternative arrangements of systems to raise orders, pay bills, etc.”
However, it has not affected the college’s banking, and payroll has been adapted. No ransom has been demanded yet, but Hopkins has been told the perpetrators usually demand £2 million in the cryptocurrency Bitcoin.
One of the first things they had to do was secure their computers from being infected, as “turning one on would have caused real difficulty”.
SCCB is one of the biggest colleges in England, with eight campuses and centres across Birmingham, so it was a “weekend’s job,” Mike said, of staff racing around unplugging every machine.
Apart from that, there was “nothing at all we could do but shut down the college”.
Without access to emails, social media was relied on to get the word out for its 13,000 students to not come to lessons on Monday morning and to stay at home for a week.
1/3 TEMPORARY CAMPUS CLOSURES❗️The college has suffered a major ransomware attack on our IT system, which has disabled many of our core systems. Our campus buildings will therefore be CLOSED TO STUDENTS for a week from Monday 15 March to allow our IT specialists to fix the issue.
Online provision has been able to continue as the college can access Microsoft programmes such as Office and Teams, and now their emails.
This week, the college has called in IT security specialists IP Performance and education technology experts Jisc to establish what has happened.
Action Fraud, the National Cyber Security Centre, the Information Commissioner’s Office and funding bodies have also been contacted.
The college is still not entirely sure how the hackers got in, and whether any information has been stolen. “The key to begin with,” Mike said, “is making sure we get to the bottom of exactly what they’ve done where they have got into, and that you don’t leave a backdoor in”.
‘It’s an absolute pain in the backside with Covid’
From Thursday, a number of students came back on to campus, including those on practical programmes, those who cannot access IT due to a language barrier and some vulnerable learners.
A full return to face-to-face provision may not happen for many weeks, Hopkins warned. The college is continuing to give students laptops and internet dongles to rent but will be increasing the numbers of students back each week.
Hopkins praised neighbouring Birmingham Metropolitan College (BMet) for allowing SCCB to use its facilities for accountancy exams scheduled for this week.
“If anybody thinks that colleges can’t and don’t work collaboratively, here is one of the best examples you can possibly get that we do.”
Hopkins is not sure when his college will return to “normal,” as having asked this question on Tuesday, he was told “how long is a piece of string?”
Firstly, the college has to establish what has happened, and each of their “tens of thousands” of machines has to be checked for infection – this first stage is expected to take until Easter.
“It’s an absolute pain in the backside with Covid,” Hopkins said, and their onsite coronavirus testing centre had to be put on hold and students were instead sent testing kits to use at home.
However, as an experienced college leader, Hopkins refuses to be intimidated by the attack: “I have this fundamental view there’s no such thing as insurmountable problems.”
One downside is “I’m not sure there is anything to be learned from it,” Mike said, as after having analysed attacks at other institutions “we thought we’d done everything that we could”.
“But you can’t stop everything because the very nature of the college is that we’ve got, like most colleges, an array where our staff and students can access their user areas remotely.” He did, though, believe this attack was “different”, owing to the possible use of administrator’s rights.
“Covid, in some sense, has helped us because there has already been that massive shock to the system, so people are used to dealing with difference and are certainly used to working at home.”
Colleges ‘sometimes don’t have a clue about their IT systems’
While Hopkins and his team were able to act quickly on their breach, other colleges have in the past been caught quite unprepared for a possible cyber attack.
Stefan Drew, a marketing consultant to colleges, with experience working on related IT systems, cites one college he worked with where the staff did not know where their server was: not IT, not marketing and not the web developer.
“I actually found it, in the end, in a basement of the college on a table. It was above the line where it had flooded a month or two before.
“That shows you how, really, people don’t have a clue what’s happening in their IT systems sometimes.”
He puts this under-preparedness down to a lack of knowledge and accountability for colleges’ computer systems.
For instance, there is a “naivety” among colleges that think they would be better off designing a website in-house, rather than commissioning a dedicated company.
Stefan Drew
So, “when somebody in the college designs this bit of software, with no experience whatsoever, it’s designed with all the individual’s idiosyncrasies. If they leave, someone looks at it and says: “I haven’t got a clue what they did with this, let’s start again”.’
Meanwhile, a website designed by professional developers will be regularly tested, including by so-called ethnical hackers – who attempt to break into cyber systems to help inform the owner and others.
The plug-ins on a website, of which enquiry forms are examples, are also tested; but Drew warns that if these are not regularly updated after being installed, they can be used as a backdoor into a website.
“If you’ve got a backdoor into the website, the next question I ask is, what does that website connect to, and can that be a backdoor into other systems?”
Gathering data from the management information systems (MIS) is one risk he poses.
A good example he found was where a college’s website could read the MIS system, but as “read-only”, so information cannot be sent out of the system.
Outdated software can also be a problem once a system has been hacked: another college Drew worked with was using a little-used content management system for its website, for which he could only find seven developers that could help if things went wrong. This means that the college “is over a barrel” paying for help if the website breaks.
Plus, the system could be easier to hack into as it would be tested less frequently. Furthermore, if servers are not backed up “regularly”, he says, the data could become corrupted, or recent data could be lost if a back-up from before it was inputted needs to be used.
Drew recommends colleges have a process for checking their IT systems and for ensuring that process works as well.
Penetration testing, where companies are hired to try and hack into systems on a regular basis, is also recommended as although it is “not that cheap, it’s cheaper than having some hacker get in and hold the college to ransom”.
Ten tips to avoid cyber attacks
To help colleges avoid falling victim to hackers, FE Week asked Midlands-based IT experts Infuse Technology for their top tips on preventing cyber attacks…
1. Define a starter process
Ensure that the appropriate and necessary permissions are granted for new employees and foster a culture of information security awareness.
2. Define a leaver process
This should include removal of all access rights in a timely manner for departing employees, including cloud access.
3. Patch your servers and PCs
‘Patching’ repairs a vulnerability or a flaw that is identified after the release of an application or software – they are intended to fix bugs or flaws that create security vulnerabilities.
4. Two-factor authorisation (2FA)
Two-factor or multi-factor authentication requires users to provide a secondary form of verification in addition to a primary form, such as a fingerprint or one-time passcode, before accessing accounts.
5. Implement an effective disaster recovery strategy
Failure to prepare for the worst can lead to irreversible damage.
6. Utilise device management to safeguard sensitive data
Limiting access to devices that hold sensitive data can reduce the risk of a cyber attack. As part of this, appropriate staff training and preventative measures should be put in place.
7. Review data storage
Whether your data is stored manually on premises, or stored digitally in the cloud, ensure employees are storing and sharing data in a secure, confidential way.
8. Remove generic accounts
Eradicate generic accounts whereby the password does not change, or multiple users have access.
9. Minimise access privileges to data
Review who holds login privileges, ensuring access is only granted to those who require it as a necessity.
10. Defend your email
Ninety-five per cent of threats infiltrate systems via email – one of the best defences in minimising such threats is by educating staff, ensuring they select strong passwords and know how to spot the signs of a phishing attack
