When a data breach occurs, organisations must demonstrate to their supervisory authority the mechanisms they have in place to manage the GDPR. In the UK, the authority is the ICO.
This process of ensuring the correct systems and structures are in place to manage cyber security is also a requirement for organisations to become GDPR compliant. And the ongoing maintenance of those systems reassures the board that they are effective.
In addition, the GDPR mandates third party assessment of those governance structures.
A critical part of compliance is having the confidence that your ICT systems, operating policies and processes are robust, given the types of data processing activities and cyber security vulnerabilities your organisation will come up against.
Considerations for GDPR
Article 32 of the GDPR requires schools to evaluate the technical and operational risks of systems, taking proportionate mitigating actions.
Within a cyber security context, school leaders need to understand the primary areas of concern to determine the most appropriate way to manage risks.
Below, we’ve highlighted three common school cyber security vulnerabilities, and how to manage them effectively.
School websites are easy platforms for cyber security breaches.
Most recently, one of the schools we work with was using a well-known website content management system (CMS), and we identified two critical issues.
- We gained admin credentials to access the management console of the website.
- We compromised other systems that were visible via the website.
Through our other experiences, we’ve found that website CMS platforms have other common vulnerabilities. For example, we’ve been able to compromise systems by using our own code and log-on scripts through substitute log-on pages. This has then given us access to all the credentials of users – sharing all data.
Web application security
There are other systems that will be regularly accessed via a website or web portal. In many cases the application provider hosts them. A few examples include LMS, VLE, alumni, safeguarding and MIS platforms.
These systems are open to the same risks posed to websites.
A key difference between these systems and a public website is that, in some cases, students can compromise them.
For example, a student is capable of compromising a VLE system and gaining access to all other user data.
Web facing systems
Every school is likely to have servers that act as the gateway to the internet, and these systems are published to the internet via an IP address.
Examples of these systems include locally hosted emails, VLEs and CMS systems and filtering platforms.
System vulnerabilities relate to the firmware, operating systems or public information the systems publish (depending on configuration).
To manage the vulnerabilities correctly, schools can assess the public facing IPs and systems, conduct a vulnerability assessment, and perform a more in-depth external penetration test.
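The first step described above, assessing the public-facing IPs and systems, is easiest to keep honest when the school keeps a written record of what it intends to publish and compares each assessment against it. The following is an added example, not 9ine's tooling or code from the original article. It assumes an approved-exposure inventory (which TCP ports each public address is meant to expose) and an observed-services listing of the kind an external vulnerability assessment produces; both are constructed here with RFC 5737 example addresses, and the version-banner check is a simple heuristic, not a vulnerability database lookup.

```python
"""Compare a school's observed public-facing services against its approved exposure.

Added example (not 9ine's code). Inventory and observed data are constructed.
"""
import re
from dataclasses import dataclass

# Matches a version-like token such as "1.24.0" or "4.96" in a service banner.
VERSION_RE = re.compile(r"\d+\.\d+")

# Constructed observed listing: (ip, port, banner), as an external assessment
# of the school's internet gateway might report it.
OBSERVED = [
    ("192.0.2.10", 443, "nginx/1.24.0"),
    ("192.0.2.10", 80, "nginx/1.24.0"),
    ("192.0.2.10", 8080, "Tomcat manager"),   # CMS admin console reachable from the internet
    ("192.0.2.20", 25, "Exim 4.96"),
    ("192.0.2.20", 993, "Dovecot"),
    ("192.0.2.20", 3389, "RDP"),              # remote desktop on the mail gateway
    ("192.0.2.30", 22, "OpenSSH 9.6"),        # address not in the inventory at all
]

# Constructed approved-exposure inventory: what the school intends to publish.
APPROVED = {
    "192.0.2.10": {80, 443},   # school website
    "192.0.2.20": {25, 993},   # locally hosted email
}


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    banner: str
    reason: str


def assess(observed, approved):
    """Return one Finding per deviation from the approved exposure.

    Three kinds of deviation are reported:
      * an address that is reachable but absent from the inventory (unknown system);
      * a reachable port that the inventory does not approve for that address;
      * a banner that publishes version information, which the school must
        then track for patching (the 'public information' the text mentions).
    """
    findings = []
    for ip, port, banner in observed:
        allowed = approved.get(ip)
        if allowed is None:
            findings.append(Finding(ip, port, banner, "unknown system: address not in inventory"))
            continue
        if port not in allowed:
            findings.append(Finding(ip, port, banner, "service not in approved exposure"))
        if VERSION_RE.search(banner):
            findings.append(Finding(ip, port, banner, "banner publishes version information"))
    return findings


def unexpected_ports(observed, approved):
    """Map each inventoried address to the set of ports exposed without approval."""
    result = {}
    for ip, port, _banner in observed:
        allowed = approved.get(ip)
        if allowed is not None and port not in allowed:
            result.setdefault(ip, set()).add(port)
    return result


if __name__ == "__main__":
    for f in assess(OBSERVED, APPROVED):
        print(f"{f.ip}:{f.port} [{f.banner}] -> {f.reason}")
```

Run against a real assessment, the observed list would be filled from the assessor's report rather than typed in; the value of the script is that the approved inventory forces the school to state, per address, what it meant to expose, so an admin console or remote desktop that appears on the public side is flagged as a policy deviation rather than judged case by case.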
Ensure your data is protected
To conduct internal tests you need access to your school's network, via a wired network port or the wireless system.
Our team recently worked with a large independent school with a complex and robust architecture, and was able to gain domain administrative access within two hours, with little existing knowledge of the school network and basic hacking techniques.
By conducting regular, full-system vulnerability assessments and annual internal penetration tests, risks can be minimised.
Overall, it’s important to remember that all websites and systems are vulnerable and require regular, annual assessments.
To manage the security of these systems effectively, you should also consider all the types of data shared and stored.
Article 32(1)(a) and Article 32(3) of the GDPR state that it is a mandatory requirement for organisations to understand the effectiveness of IT systems and to adhere to an approved code of conduct.
By successfully completing the Cyber Essentials certification schools can demonstrate that they are managing their IT systems correctly. Also, by partnering with an appropriate, professional IT support provider, they can ensure the right processes are in place.
At 9ine, we remove all IT and data protection risks and help schools comply with the GDPR.