In this blog we reveal some of the most common cyber threats to the education sector and explore questions such as who is committing cyber crimes, what is at stake, where the risks lie and why schools are vulnerable. We provide some simple steps that schools can follow to minimise their vulnerability to cyber crime. This blog is based on a recent 9ine webinar, presented by Ian Hickling, Cyber Protect Officer at the East Midlands Special Operations Unit.
What are the three biggest current cyber threats for schools and are there different types of cyber crime?
The three biggest current cyber threats for schools to be aware of are phishing, distributed denial of service (DDoS) attacks and ransomware. But did you know that there are two types of cyber crime: cyber enabled crime and cyber dependent crime? Cyber enabled crime is traditional crime that is enhanced in scale or reach via the use of technology. This can include online fraud, grooming, malicious communications and cyber bullying. Cyber dependent crime involves a criminal using a digitally enabled device such as a computer or smartphone to target another device. In this category, technology is both the target of the crime and the tool used to commit it. Examples of cyber dependent crime include ransomware, malware, remote access tools and distributed denial of service (DDoS) attacks.
What does cyber crime really look like?
Whereas the perpetrators of cyber crime are often portrayed as hooded and masked youths hunched over a laptop, the reality of cyber crime is quite different. Most successful hacks are highly organised and committed over a long period of time; some hackers can exist unnoticed within systems for up to nine months. Cyber crime provides significant incentives for criminals e.g. if a hacker has access to 500,000 emails, even if they are only 1% successful at targeting victims and gaining £200, they have already made over £1 million!
The time it then takes to detect a data breach varies hugely depending upon the industry, and largely depends on the level of resource given to protecting IT infrastructure. In the entertainment sector for example, it takes an average of 287 days to detect a breach, whereas in healthcare the time taken is only 103 days. The level of investment in IT systems and cybersecurity really makes a difference. Read more about the common characteristics of a data breach in 9ine’s recent blog How to Plan for a Data Breach in Your School Network.
Why are schools vulnerable?
There are many reasons why schools are vulnerable to cyber crime. These can include:
- Holding valuable and interesting data on school systems, such as parental financial information, employment details and home address.
- Having limited budgets to protect critical infrastructure, increasing the perception that schools are easier targets than other organisations such as financial institutions.
- A lack of training and awareness among the senior leadership team and staff.
- The legacy of old IT systems, many of which have weaker protections.
Where does the risk come from?
In a recent TeacherTap poll of 5,000 respondents, over 28% of teachers admitted they shared a password! The threats are not always external. Below are some of the sources that internal risks can come from, some of which pose a greater threat to the education sector than others.
- Poor systems administration with regard to departing colleagues or role changes.
- Disgruntled or overlooked staff members.
- Former employees who may still have access and who seek vengeance on the school.
- A lack of training and awareness of cyber issues.
- Tech savvy pupils who obtain staff passwords.
What is social engineering and how is it used to target victims of cyber crime?
Social engineering also plays a significant role in cyber crime. Hackers use a variety of social engineering tactics and personas in order to achieve their goals. These social engineering tactics include impersonation, urgency, obligation, authority, flattery and fear.
Hackers impersonate a respected authority such as a bank or school and use tactics like spoofed emails or telephone calls to attempt to obtain personal information such as bank details. Urgency involves demonstrating a requirement for quick action from the victim, usually triggering fear, which reduces the time the victim has to thoroughly examine what is being asked of them. The hacker may also attempt to convince a victim that they are under an obligation to do something, either by law or through a contractual obligation. As with urgency, the hacker’s aim is for the victim to act in haste to comply, without thinking too much about what is being asked.
A hacker may use false authority to masquerade as a legitimate actor, making the requests they make of the victim seem routine, legitimate and ordinary, e.g. ‘hello my name is xx and I’m calling from xx.’ People are likely to be sceptical about communications of unknown origin; however, flattery and a polite, friendly tone put the victim more at ease and make them more likely to comply. Lastly, fear is often used to spark panic amongst victims. By using threatening language such as ‘you will lose all your account access unless you click this link immediately,’ the objective is to create such urgency in the victim that they do not think carefully.
How does a cyber criminal gain access to employee information?
Exposed data can be harnessed for crime, and for a cyber attack to be successful, hackers need as much information about the organisation’s employees as possible. Social media provides a plethora of information about individuals' job roles, hobbies and interests. Location services can provide a mass of detail to potential hostile actors. Thousands of apps ask for location services, with many then sending this data on to third parties for the purpose of personalisation in advertising. Smart devices within the home, such as Amazon Alexa, actively record speech to improve service provision. All around us technology is recording and monitoring our location; it’s important to recognise this and protect our digital footprint. All of this information represents an invaluable cache for hackers.
What are the cyber risks associated with bring your own device (BYOD)?
Unsecured devices are a huge challenge for all networks. Staff will bring in personal devices which may not have the highest level of cyber security and are therefore especially susceptible. It's essential to educate your staff on the importance of maintaining high levels of cyber protection. A known technique is for criminals to throw USB sticks into the school grounds, in the hope that students and staff will find them and, out of curiosity, access the content, granting hackers a pathway into school systems. Before disposing of devices such as old USB sticks or laptops, ensure the network administrator has erased any data that may still be stored; otherwise you heighten the risk of exposing yourself to cyber crime. Read more about this in 9ine’s blog, Cyber Security In Schools Removable Media Data Loss and Malware.
What can you do to minimise your vulnerability to cyber attacks?
1. Take ownership at a senior level (hire a consultancy such as 9ine or show senior leaders the NCSC website)
2. Understand your own culture and bigger risks in the school (is it pupils, staff or an external threat?)
3. Establish access control policies
4. Check that third party providers have a strong cyber security culture
5. Ensure you use secure configurations and patch management
6. Encourage reporting and discussion of near misses - this is best practice and highly recommended amongst all staff
7. Engage and educate staff
8. Follow trusted sites and people to keep up to date
If your organisation lost access to key infrastructure and systems, could you and your school cope? Do you have a tested plan in place? Having a regularly tested cyber incident response plan is essential for all organisations, and it should be well known by senior leadership and everyone who has a role in it, including the school Data Protection Officer. Only by planning for what is a "when, not if" scenario can we all be best prepared for when that attack does happen.