The National Cyber Security Centre in the UK updated their guidance on the 23rd March 2021 regarding imminent cyber attacks on education organisations. The trend for attacking education organisations is increasing and unforgiving. School’s need to remember that cyber attackers are just after an easy payday. The pandemic has exacerbated the cyber vulnerability of schools through an increase in the available attack service, devices and systems not set up for remote management and the focus of IT on enabling distance / blended learning rather than ensuring effective security. Weaknesses in device and system security and management make it easier for attackers to compromise accounts, spread malware and potentially gain access to sensitive information
Cyber security is about protecting networks, devices, programs and data from being damaged, compromised or attacked. As an organization, your school needs to determine the types of personal information that need to be protected, evaluate the risks associated with security of that data, then put in place safeguards/controls that are proportionate to the risks and correlate to the available resources of your school.
Over the weekend of 27th / 28th March 2021 a number of UK Multi-Academy Trusts have had their systems compromised by malware. This has led to their systems becoming unavailable and consequently, security incidents that are reportable data breaches. 9ine’s research in this area has uncovered that amongst our clientele of schools, more than 50% of identified vulnerabilities we found related to update management or End of Life (EoL) systems or software. Another 25% of the vulnerabilities fell within the security misconfiguration category, highlighting weaknesses within the configuration of systems and services. Thus, a school can potentially resolve 75% of the engineering issues through identifying any these sorts of issues and correcting any identified risk. And do so, at little or no cost. A further reduction of 10% can be achieved through effective credential management.
Cybersecurity is often overcomplicated. The basics of a solid cyber posture are easy to understand and fairly inexpensive to implement. For example, a thorough cyber vulnerability assessment will sweep your network, systems, services and devices for known vulnerabilities. A cyber engineer will then seek to compromise those vulnerabilities to weed out false positives. After such an assessment, your school would receive a list of vulnerabilities, across systems, services and devices and a suggested action plan to remediate them. The upskilling in knowledge relating to the cyber vulnerabilities found will inform improvements to operational management of your IT systems and services. For over five years, 9ine has been regularly conducting cyber vulnerabilities for independent schools across the world. That experience has provided us with a unique perspective on the range of threats that schools face. An example report can be requested from firstname.lastname@example.org.
A cyber penetration test is one step further than a cyber vulnerability assessment. The scope of a penetration test is much narrower than a general vulnerability assessment. A penetration test will typically target a specific system or service to identify vulnerabilities that haven’t been identified as such. These are often known as zero day exploits. The benefit of a cyber penetration test is limited to the time your school will pay for a cyber consultant to ethically ‘hack’ your systems. If you have a budget of one day of time, the cyber consultant will only replicate an attacker attempting to hack your systems for 7.5 hours. Two days, 15 hours, etc. Rather than focus on penetration testing, your school should focus on cyber vulnerability and an ‘operational’ focus through creating roles and responsibilities based on a ‘Chief Information Security Officer’ model. 9ine has this expertise specifically gained by working with independent schools and provides education-specific cyber services to schools globally.
Much like the 9ine Data Privacy Framework we have developed a cyber framework for schools to support them in operationalizing cyber security and includes the following components:
- Information systems and security governance
- Security and systems assessment
- Incident & breach management
- Proactive management
- Security & systems controls
- IT projects and packages of work
- Training & awareness
- Risk management & reporting
Working with a trusted partner such as 9ine will aid you to protect your school, enhance your security protections and improve the capability and capacity of your IT team and senior managers, in understanding and managing cyber risk.