Cybersecurity is more of a threat now than ever before. Hardly a day goes by without yet another high profile organisation being in the news due to a cyber-attack: TalkTalk, Yahoo, Tesco…the list goes on.
Schools may think that fraud and data theft are a headache only for larger organisations but they also face risks due to the sensitive nature of pupil data held on their IT systems. Examples of specific cybersecurity risks schools face include:
- Securing access to pupil data held on school management information systems
- Exposing internal systems to the Internet, with the use of parent and pupil portals linked to a school’s website
- The insider threat from pupils trying to gain access to data or bypassing security controls, such as web content filtering systems
Cyberattacks slowing down the collection of fees could be costly and there is also the risk of reputational damage – will parents be willing to hand over large sums of money to a school which has been attacked due to weak security controls or processes?
Key risk areas
Risks are varied but can broadly be categorised into three areas:
- Increasingly prevalent and sophisticated viruses and malware
- Theft or loss of sensitive data, especially relating to pupils
- Humans! From the failure of procedural controls, through to insider sabotage
The latter is compounded by the growth of social engineering, a term used for manipulating people into giving out information. This is an increasingly sophisticated and frequent method of cyberattack, generally executed by:
- Phishing: increasingly sophisticated standard email fraud
- Spear phishing: an individual or team is actively targeted (likely to be the Bursar)
- Whaling (aka CEO fraud): those with the most control are targeted, e.g. the Bursar or Head
Potential outcomes of an attack
Financial gain is often the motivation for cyberattacks. We have heard of several organisations in recent times where technical or procedural controls have failed and payments have been made to fraudsters’ bank accounts (in one case, involving well over a six-digit sum!)
Financial costs include professional fees after an attack - usually specialist solicitors and/or cyber incident response team/s. Breaches of the Data Protection Act can become costly with fines payable of up to £500,000, increasing to 4% of global business turnover under the new General Data Protection Regulations from May 2018.
Defending against attack
It’s not all doom and gloom, though - there are some practical steps that can be taken to reduce the risk of cyberattack.
Emails and devices
- Train your staff to spot fake email addresses and treat attachments and URLs with caution
- Ensure laptop hard drives and USB sticks are encrypted – particularly if they hold personal or financially sensitive data
- Manage how school and pupil data is shared. Emails are easy to hack, so is it safe to allow staff access via mobile devices? Mobile Device Management tools can enforce the use of device PINs and provide remote wipe features in the event of theft or loss
- Eliminate risk by demanding that passwords for all systems are different and provide staff with a reliable password manager to store them securely
- Consider protecting logins with two factor authentication. Like online banking, two pieces of authentication are required to log in, greatly reducing the risk of identity fraud
- Antivirus software needs to be installed on all endpoint devices and regularly updated. Also consider the risks from using mobile devices and use similar software to protect them
- Email and web gateways are a key entry point for malware. Increasingly ransomware attacks are being used, often through macro enabled Word or Excel files. Controls should be deployed at the email gateway to either ‘inspect’ such documents, or at least quarantine them
- Ensure staff understand the sensitive nature of the data they have access to (particularly with enhancements to the Data Protection Act introduced as part of the forthcoming General Data Protection Regulation).
- Policies, procedures and technical control processes need to be reviewed regularly and an independent IT security audit can help establish any gaps
- If budget is stretched, consider the Cyber Essentials scheme. This is government backed, designed to aid against common cyberattacks and shows parents that your security systems are of a high standard
Schools need to seriously consider their cybersecurity position and whether it may be worth strengthening their defences. Given the sensitive nature of the data held on IT systems, it is particularly prudent to ensure staff are alert to the consequences of an attack, but this is only half the battle. Implementing the correct technical controls at an early stage and reviewing policies regularly could prevent this.
haysmacintyre will be including a slot on cyber security at the Independent Schools Conference on 1 February 2017.