In this blog, the third in the series, we explore how schools can implement technical and organisational measures in order to further protect the confidentiality, integrity and availability of your information and information systems. With each blog, we are building upon every stage of the UK’s National Cyber Security Centre (NCSC) 10 Steps to Cyber Security, and in turn, providing our independent recommendations, examples and guidance.
In our previous post, “Network Security - How to Reduce Unauthorised Access and Protect Your Data!” we discussed how securing your internal and external boundaries through utilising industry best practices can help your school prevent or minimise malicious attacks. In our second blog “How To Assess Your School's Vulnerability To Cyber Attacks," we discussed how the continuing effectiveness of these security settings can be qualified through regular penetration testing.
Providing Cyber Security Training
In this third blog, we look at User Education and Awareness, following guidance from the NCSC. This topic focuses on the main interface with your data: your end users. When it comes to cyber security, your staff are your first line of defence. With the right training and the right setup, many of the socially engineered attacks would stop at your staff. The "Users are the Strongest Link" article from the NCSC outlines just this.
By following these recommended steps, you will be able to evidence that your staff are receiving the appropriate cyber security training in order to help protect the school and themselves against cyber attacks. Keeping abreast of the latest cyber threats, and understanding how to best combat them, will demonstrate that the school is proactively working to eliminate or reduce the impact of a cyber attack on your school and its staff.
How can we assess our users knowledge & susceptibility?
To understand if your staff have understood and retained the knowledge provided to them through your training programme, or whether they are susceptible to common attacks such as social engineering, you will need to approach this in a number of ways. Here are a few examples:
1. Phishing Campaigns & Termly Training
Schools and businesses are increasingly receiving more and more general phishing and targeted spear-phishing emails. In conjunction with follow-up training, schools should run their own phishing and spear phishing campaigns, bi-annually, to keep users aware of the latest techniques and the increasing level of sophistication of these attacks. The follow-up training is key and should reiterate that if a user thinks they have clicked on a malicious link, downloaded a suspect document, or provided credentials into a well-crafted website, they must act immediately following the school’s incident response policy and not be worried about any reprimand.
Swift actions should be commended and can save the school thousands of pounds by stopping, containing or limiting the impact of the successful attack.
Cyber attacks within education are becoming a common occurrence. You should plan for when it happens rather than if it happens.
2. Unattended Device Checks
When we walk the corridors between meetings, during data protection audits or when performing a technical and vulnerability assessment, a common scene is an unattended, unlocked laptop or desktop. These may have only been left momentarily but that is all it takes for a malicious user/attacker to either view and take personally identifiable information, install a backdoor to be used later, or compromise the network in other ways.
Some schools have chosen to deploy a series of post-it notes, changing in severity, against the number of strikes when an unlocked device is found. Others change the user's password forcing a call or visit IT (not advisable, but effective). By far the simplest way is just to find the user and remind them, as it is most likely unintentional.
As a minimum, the importance of leaving unattended devices locked should form part of a schools Acceptable Use or Security Policy and should be included in recurring data privacy training.
3. Dumpster Diving (look after your bins!)
Your school may have introduced secure shredders in key departments where sensitive and or personal information is regularly printed. An old but basic way of attackers gaining access to information is through "dumpster diving" - basically trawling through waste to find out bits of information that, once pieced together, could contribute towards a successful attack (never mind a data breach!). If departments have access to a secure shredder and a general waste bin, a random spot check of the paper within the general waste bin will highlight if a member of staff is forgetting what constitutes sensitive information and should have been shredded. Not the most glamorous of tests, but again when walking around schools it’s amazing what information we have found lying around or peeking out of a general waste bin.
4. Incident & Breach Role Play / Q&A
Your school should have policies, processes and procedures around cyber incident management. An easy way to test how effective these policies are is by asking your staff:
- What would you do if you received a ransomware notification on your school device?
- What would you do if you suspected that you had entered your school credentials into a false website?
- Who would you inform if you received a suspected phishing email?
- Is there anything you should take note of in the event of a Cyber Incident?
- ...and so on, taking steps and actions from your policies, processes and procedures.
Your staff do not need to be IT or cyber experts, they just need to have clear guidance on how to prevent or limit a cyber attack and what to do in the event of a cyber attack.
The above are just a few examples of how to regularly test your user's knowledge and the effectiveness of your school's cyber training and implementation of mitigating actions.
What areas should we be looking at?
Your staff are the first line of defence when it comes to cyber security, as a minimum all staff should receive regular training on your:
- Security Policy (to include cyber)
- School Incident Management Policy, Process and Procedure
- School Breach Management Policy, Process and Procedure
- Acceptance Use Policy (AUP)
- Password Policy
- Remote and Home Working Policy
- Removable Media Policy
There are a whole host of organisational and technological changes that can be made to help your users, raise awareness and ultimately protect your network and data from malicious attackers.
So, Where Should We Start?
Given that the majority of your users have enough to do in their day jobs and are unlikely to want to become cyber security gurus, you should approach cyber awareness in a way that is accessible to all users without being overbearing. Raising cyber awareness also needs to provide your staff with the confidence that the school will support any individual who may fall foul of a cyber attack, rather than reprimand them. Providing staff with structured training, systems that are secure, and policies, processes and procedures that underpin the school’s desire to be secure is a benchmark you can test against, year on year.
9ine's Cyber Defence Essentials service starts with a high level technical and organisational cyber security posture evaluation. This allows you to benchmark your school’s current security posture and create a defined action plan to help improve the overall security. Our evaluation is based on the NCSC 10 Steps to Cyber Security, the NCSC Cyber Essentials + accreditation and the EU's NIS Directive, which also uses a cyber framework developed by the UK's NCSC. The organisational and technical assessment will highlight areas that are directly influenced by your users and will lead to supporting policy, process and procedure changes as well as security improvements of technical implementations.
Ensuring that your users feel more confident when protecting themselves and your school’s network is crucial. Adequate training, correctly configured and updated systems, and clear policies and processes around incident and risk management will go a long way to stopping some attacks in their tracks, and will greatly minimise the impact of others.
Your users are one of the many facets within a multi-layered approach to data security, often referred to as defence-in-depth. By following these recommended steps, you will be able to evidence that you are empowering your users, whilst also ensuring that you are taking all available measures to raise user awareness.Due to the success of 9ine’s data protection research at the start of the year and the cyber findings uncovered during the analysis, we are currently conducting further global research specifically into the state of cyber security within schools. The objective being to collate results from a diverse range of schools around the globe and be able to provide an accurate profile of the data and security challenges schools face. The output will help schools and governing bodies benchmark what cyber security means for them and hopefully encourage collaboration and support for the common priority issues and risks identified.
Take & Share 9ine's Cyber Security Survey
School taking part in our research can:
Use the questions within our survey to assess your school's current cyber security controls
Determine a cyber security score for your school
Benchmark your progress towards achieving the NCSC Cyber Essentials accreditation
Compare your level of cyber security against a global network of schools
In completing the survey, you will be supporting further research into the state of the market for schools’ compliance with data protection and cyber security law. In order to broaden our data population and improve the results, please share participation in our research with your colleagues from other schools.
This survey should be completed by a senior member of your IT team or an individual who has a good technical understanding of your organisation's IT practices and strategy. Click below to take part in our research, or share the following link around your school:
The results from our research will be made available in the coming weeks via a downloadable report on our website. For any attending the ECIS Annual Leadership Conference 2019 in Lisbon, 24-27 April, we will be presenting the results and providing insight into what cyber security means for ECIS affiliated schools. If you're coming along, make sure to take part in our survey beforehand!
For more information about cyber training, Internal and External Penetration Tests, our Technical and Vulnerability Service, or other security initiatives such as Data Loss Prevention, Advanced Threat Protection, End-User Email Digest Solutions, and our recommendations on configuring Office 365, please contact firstname.lastname@example.org