The most common entry points for cyber-attacks are either due to weakness in technology or weakness in people. In this article, Daniel Smart outlines why focussing on both are essential to mitigate potentially catastrophic circumstances.
N.B. This blog is based on an e-book we published recently entitled: “Cyber Security – Briefing Notes for Education Executives.”
Download the full document here >>
Education: increasingly a target for cyber crime
You’d be forgiven for thinking that education is a relatively low priority target for cyber attackers. After all, if your core operation is not handling money, why would schools be of interest to these modern-day crooks?
Whilst some opportunistic thieves may try to fool unwitting staff members into paying fraudulent invoices or parting with credit card details, the threat to educational organisations can actually be far more significant.
This time last year, the UK’s National Cyber Security Centre published enhanced guidance for the education sector in response to an increased number of cyber-attacks on education establishments.
So why should education organisations take robust action to avoid joining a rapidly growing list of cyber-crime casualties?
There’s an obvious financial cost of cyber-attacks
The financial implication is often the first thing people consider. Paying a fake invoice may be considered to be an expensive mistake, but the repercussions of such theft can quickly escalate.
A full-scale cyber-attack, where criminals encrypt your systems and then demand money for access to be re-instated, can be financially debilitating. Ransomware demands regularly hit seven or eight figures, with attackers collecting an average of $100,000 USD per attack over the past four years. It’s a daunting number which continues to rise.
The unique threat faced in education
One of the unique impacts we have to protect against in education is obviously the negative effect on student learning.
Think how your organisation would cope in the following scenarios:
- If your email services are unavailable;
- Connection to your MIS server is lost and you are unable to take registers or access key student information;
- The cashless catering system goes down;
- Your students can’t log in to access their learning resources (or remote lessons);
- Laptops, interactive whiteboards, printers and office PCs become inaccessible;
- Your phone system can’t be used;
- The door entry system is not operational.
Now, in the context of a serious cyberattack, consider that all of these happen at the same time. It would be absolutely devastating.
In fact, there is a relatively recent example in the UK where a Multi Academy Trust’s systems were hacked and encrypted and the Trust had no option, while they took steps to recover the situation, to shut their schools for a period of two weeks, simply because it wasn’t safe.
Even if every pupil was on 100% attendance prior to the attack, two weeks of lost learning time is going to take everyone below 95% attendance and they are going to start falling behind.
And this is something that cyber-attackers, who are becoming increasingly sophisticated in their approach, are acutely aware of.
The frightening reality of data loss
But to my mind, the most alarming of all threats posed by cyber-criminals relates to the huge amount of personal data that schools, and particularly multi academy trusts, process.
You curate a vast dataset set of information about the children in your care: their age; gender; religion; grades; where they live; who their parents are; who has custody; their email addresses; phone numbers; peer groups. That’s before we consider detailed safeguarding records, social care indicators and other incredibly sensitive fields. All of these details can be put together to form a detailed picture of each individual.
The sad truth is that cyber-criminals are not only interested in extorting a ransom, they are also acutely aware of the power of your data, in part or in its entirety, and the value of that data to certain despicable groups on the ‘dark web’.
This would be a loss of control of your data that certainly has the potential to cause “physical and material damage” to any student or employee, and be a significant data protection and safeguarding failure.
Ransom – to pay or not to pay?
Another alarming thought, is that you are dealing with criminals, so how realistic is it to expect that you would get your data back, even if you paid the ransom? It’s not a guarantee. In fact, there are many examples of organisations which have paid an initial ransom only to be met with demands for yet more money. There are yet more cases where organisations have paid an additional ransom and still not had their data returned.
This is clearly the worst case, and a nightmare scenario. But I think it’s safe to say that in the moment your data is stolen, it’s already too late. The disruption to the school is significant. And let’s not forget the impact on parents. While it’s certainly a hassle, it’s still possible to change bank details and mobile phone numbers. Some other information is unfortunately impossible to change. And this realisation can have a catastrophic impact on the level of trust parents have in your organisation, not to mention its wider reputation.
Our approach would be exactly as is advised by the authorities – not to pay any ransom, simply don’t engage with criminals in a way that’s going to encourage them further. And it goes without saying that prevention is better than cure…
Minimise the threat – create a culture of security
There is an inherent limit to what you can realistically achieve with the resources and budgets you have available. Cyber security is such a large area that it’s hard for most educational organisations to keep up, and that’s before you get into things like availability and disaster recovery plans if your datacentre is compromised by ransomware.
Where the stakes are so high, we believe that all education organisations need to take a two-pronged approach: firstly, ensure your IT provision is as robust as possible; and secondly, focus on increasing staff and student security awareness.
Technically addressing the cyber-security threat
- Using well established cloud platforms for your core systems
Office 365 has a dedicated security team working to proactively find and close security weaknesses, assuring end users the safest and most protected experience. They also handle such significant volumes of email that they can proactively detect and block new email threats emerging.
- Reducing DIY IT
Our Learning Cloud uses Microsoft Azure data centres to ensure that services are always available from multiple locations within the UK, with automated security patching by Microsoft ensuring that zero-day attacks are prevented almost immediately, and the overall probability of cyber threats is reduced.
- Ensuring your IT supplier has been ‘cyber-security audited’
Your chosen IT partner should be using a Crest Approved cyber-security specialist to provide independent auditing and testing of their cyber-security measures and technical processes.
- Providing governance and monitoring of your IT estate
Detecting suspicious activity across your digital estate is a key part of protecting against attack, not only by spotting attempts to break into your network but also by detecting activity that indicates a successful break-in is trying to spread. Centralising this monitoring is the only way to spot what are otherwise small and innocuous activities that only betray themselves when seen together in context.
Building a culture of security
- Ensure cyber-security is a board level consideration
First of all, cyber security should permeate every area of your operation. It should be a central tenet of your IT and digital transformation strategy. It should feature in your employee handbook. You will have to approve key policy and rule-based decisions. For example, do you automatically deny access to files from everywhere outside the UK?
- Staff awareness training
As the cyber-security landscape continually changes, make sure your staff are upskilled in how to identify potential cyberattacks, avoid falling victim to them and how to educate their students to protect themselves too. At Our Learning Cloud, we embed training into everything we do and our cyber security training is hard-hitting, because everyone needs to know the facts and understand the implications. Then we get into the detail: how to set up multi-factor authentication; how to spot, block and report phishing e-mails; best practise for keeping social media secure.
- Plan for an incident
Like any other material risk to your organisation, prepare and practice how you would deal with a cyberattack. Plan for the worst-case scenario. Send ‘test’ phishing e-mails. How quickly will you be able to recover your data? Is everyone clear on the process for managing the response to any attack?
I would argue that the stakes involved in cyber security in education are higher than in most industries and unfortunately, the threat of cyber-attacks is growing year-on-year.
Our Learning Cloud is built on the experience of seasoned education and IT professionals, with the support of leading cloud infrastructure and security suppliers. Contact us to understand how we can help your organisation achieve greater security peace of mind.
This blog article is based on an e-book we published recently entitled: “Cyber Security – Briefing Notes for Education Executives.”
Download the full document here >>