Cyber security is a growing issue in schools. Not only are cases of cyber crime increasing, but the regulatory framework around data protection means that schools now need to be sure that they are tackling risks associated with cyber security.
Supporting schools on a day-to-day basis, our team regularly sees gaps in the configuration and management of IT systems that leave staff and students exposed. Recent examples include phishing, ransomware, trojans and spyware.
As the leading independent authority on Education Technology, we are fully aware of the issues that need to be considered by schools in order to address cyber security risks. The good news is that the steps required are not particularly complicated - it is largely a case of introducing a robust process and an effective methodology.
This article explains the considerations facing schools, the action that can be taken to combat cyber crime and how this will also help prepare for changes in the compliance landscape.
Consideration #1 - Identifying the immediate threats to your school
A common starting point is to understand clearly the immediate threats to your school. To do this you need to know how your IT systems fit together, how they work, what access users have and what devices are in use. This information then allows you to determine the types of threat your school is likely to face.
At a minimum, the assessment must cover:
- Device access to your network from internal and external gateways
- Age, configuration, management and support of your firewall and filtering platform
- Segregation of network traffic and devices
- User and administrator authentication management
- Operational management of patching through policies, procedures and quality audits
- End-point security management
- Virus protection and management
- Security of web or device applications such as those used on a tablet
Why poor visibility of threats is a problem
Should you suffer a cyber security breach or attack without having completed the above, you are likely to incur significantly higher costs and longer downtime. Accurate documentation of your systems is the foundation for any comprehensive assessment of risk and for preventative measures that actually work.
When a breach occurs, this information enables you to manage it in an efficient and systematic way. In all likelihood you will also need external support, and if this documentation is in place those providing it can contain the breach and minimise its impact far more quickly.
We recommend taking a structured approach to documenting all aspects related to the above to enable an effective assessment of the risks to your cyber security. This assessment then sets the foundation to develop and embed your cyber security management plan. The exercise will also support general operational good practice, disaster recovery planning and CPD for your internal IT team.
Consideration #2 - Managing the hacker “within”
Cyber security is one of the fastest growing industries in the UK. The need to stay ahead of the game is recognised by the government and the Department for Culture, Media and Sport recently announced funding of £20 million for UK schools to train students in cyber security.
It is therefore likely that students with an interest in IT will take up hacking as a hobby. There is a legitimate route for this: bug bounty programmes, in which organisations invite researchers to test their systems and pay for reports of the weaknesses found. The distinction that matters is authorisation; testing a system without the owner's permission is a crime, whatever the motive.
A recent BBC report details the rise of teenage users becoming involved in cyber crime, commonly starting out in game-cheat websites or hacking forums and progressing into illegal cyber crime.
It reveals that the tools are free to download and so easy to use that many youngsters drift into cyber crime without any feeling of guilt, hiding behind a digital persona and stealing from the comfort of their bedroom.
Students who are interested in hacking may, therefore, ditch the traditional Saturday job and choose ethical hacking as an easier way of making pocket money, or decide that their own school's systems are a more interesting target.
All school leaders therefore need to have confidence that their internal systems are sufficiently robust and secure to fend off an internal attack. Such an attack could come from a school PC or tablet, over the WiFi, or from someone plugging their own device into a network port; unused switch ports should be disabled and port-level authentication (802.1X) considered for the rest.
Attackers can also set up a device that mimics the school's WiFi access point (an "evil twin"), advertising the same network name so that laptops and phones connect to it instead of the genuine access point. Anything those devices then send that is not protected by TLS can be read, and a fake login page served from the rogue network can harvest usernames and passwords. Enterprise WiFi (WPA2/WPA3-Enterprise) with client devices configured to validate the authentication server's certificate largely defeats this, and wireless controllers can be configured to alert on unknown access points advertising the school's network name.
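The rogue access point described above leaves a footprint in any WiFi scan: a radio the school does not own advertising the school's network name, a near-identical name, or the right name with weaker security than the real network. The following is an added example, not code from the original article or from 9ine, showing how such a scan can be checked against an inventory of the school's own access points. The SSID, BSSIDs and scan records are constructed for illustration, and the record fields are assumptions about what a wireless controller's rogue-AP report or a survey tool would provide.

```python
"""Flag evil-twin / lookalike access points in WiFi scan results.

Added example (not from the original article). All SSIDs, BSSIDs and
scan records below are constructed; field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    ssid: str       # network name as broadcast
    bssid: str      # radio MAC address of the access point
    security: str   # "open", "wep", "wpa2-psk", "wpa2-enterprise", ...
    channel: int


# Hypothetical inventory for one school network: the SSID, the BSSIDs of the
# school's own access points, and the security the network is supposed to use.
SCHOOL_SSID = "School-Staff"
KNOWN_BSSIDS = {"a4:56:30:aa:00:01", "a4:56:30:aa:00:02"}
EXPECTED_SECURITY = "wpa2-enterprise"

# Rough ordering of WiFi security modes; anything not listed ranks as open.
SECURITY_RANK = {
    "open": 0, "wep": 1, "wpa-psk": 2, "wpa2-psk": 3, "wpa3-psk": 3,
    "wpa2-enterprise": 4, "wpa3-enterprise": 5,
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike SSIDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(rec: ScanRecord,
             ssid: str = SCHOOL_SSID,
             known: set[str] = KNOWN_BSSIDS,
             expected: str = EXPECTED_SECURITY) -> list[str]:
    """Return the reasons a scan record looks rogue (empty list if benign)."""
    reasons: list[str] = []
    if rec.ssid == ssid:
        # Exact name: must come from one of our radios, with our security mode.
        if rec.bssid.lower() not in known:
            reasons.append("unknown_bssid")
        if SECURITY_RANK.get(rec.security, 0) < SECURITY_RANK[expected]:
            reasons.append("weaker_security")
    elif rec.ssid.casefold() == ssid.casefold() or edit_distance(rec.ssid, ssid) <= 1:
        # SSIDs are case-sensitive, so a case or one-character variant is a
        # different network chosen to look like ours.
        reasons.append("lookalike_ssid")
    return reasons


def find_rogues(records: list[ScanRecord]) -> dict[str, list[str]]:
    """Map each suspicious BSSID to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            findings[rec.bssid] = reasons
    return findings


# Constructed scan: two genuine APs, an evil twin, a lookalike, and a neighbour.
SAMPLE_SCAN = [
    ScanRecord("School-Staff", "a4:56:30:aa:00:01", "wpa2-enterprise", 36),
    ScanRecord("School-Staff", "a4:56:30:aa:00:02", "wpa2-enterprise", 44),
    ScanRecord("School-Staff", "de:ad:be:ef:00:01", "open", 6),       # evil twin
    ScanRecord("School_Staff", "de:ad:be:ef:00:02", "wpa2-psk", 11),  # lookalike
    ScanRecord("CafeNextDoor", "00:11:22:33:44:55", "wpa2-psk", 1),   # benign
]

if __name__ == "__main__":
    for bssid, reasons in find_rogues(SAMPLE_SCAN).items():
        print(f"{bssid}: {', '.join(reasons)}")
```

The check is deliberately conservative: a genuine access point that has been misconfigured to a weaker mode is flagged too, because to a client it is indistinguishable from an attacker's radio. In practice the inventory would be exported from the wireless controller rather than typed in, and the script run against periodic scans or the controller's own rogue-AP report.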
We recommend that schools understand the vulnerabilities within their network. This means understanding all internal entry points and the access levels of each user group and device type. The configuration of each network device should be documented and tabulated to enable a data-driven approach to assessing areas of risk.
Through a comprehensive assessment, schools can identify the risk posed by each device and user group and put in place preventative policies, processes, procedures and technologies.
Without this there is a high degree of risk that, in the instance of a breach of systems or data, the school would not be able to demonstrate compliance with obligations under the updated Data Protection legislation.
Consideration #3 - Tell me I’m beautiful
Flattery will get you everywhere! Social engineering is one of the more involved, but ever growing, methods of gaining access to valuable digital data or assets. Most commonly these tactics are associated with phishing or ransomware attacks, where there is no need to be physically at the school or to remotely exploit a weak point in your network architecture.
Targeting individual users to gain remote entry to systems is often quicker and more reliable than attacking the network directly, and it opens up the opportunity to extract assets or extort money by denying access to systems or corrupting data. Staff whose contact details are readily available on the school website are most at risk.
More often than not, these attacks start with a phone call to the target, aimed at confirming their email address and establishing a plausible pretext, so that when an email with an infected attachment or link arrives they have a reason to open it.
The tactics used range from pretending to be a supplier to the school (for example, builder, cleaner, or IT provider) to that of flattery, in order to engineer a situation where that user will unknowingly breach the security of the school.
All of which means that you could have the most technically advanced security systems, policies, processes and procedures, but still have a data or security breach through a simple, manipulated situation.
End user training is imperative to raising awareness of the risk and impact associated with cyber security. There should be a nominated individual who is responsible for coordinating and managing cyber security risks. Through following the recommendations in this article, schools can prepare policies, processes, procedures and relevant training or awareness programmes.
Technical staff who are responsible for the management and protection of systems must have specialists to call upon in order to support the assessment and evaluation of the school’s cyber security risks and issues.
Working with 9ine
9ine is a trusted and independent technology advisor to the education sector in the UK and abroad, and schools benefit from our support to manage and use technology efficiently and effectively.
We understand the challenges, pressures and needs of teachers, students and support staff.
We can provide you with a comprehensive Cyber Security and Technical Audit that allows you to understand areas of risk and put in place actions to combat potential issues. This would be completed using a robust approach and methodology that can then be used to report to your governing body on the health of your cyber security planning and protection.
Want to find out more?
This article is intended to provide school leaders with an overview of some of the more common cyber security issues. Each of our clients is unique and we therefore recommend an initial consultation with one of our specialists.