In this third blog in the series, we look at user awareness. We explore how schools can implement technical and organisational measures to protect further the confidentiality, integrity and availability of information and information systems. With each blog, we are building upon each stage of the UK’s National Cyber Security Centre (NCSC) 10 Steps to Cyber Security, and in turn, providing our independent recommendations, examples and guidance.
In our previous post, “Network Security - How to Reduce Unauthorised Access and Protect Your Data!” we discussed how securing your internal and external boundaries through utilising industry best practices can help your school prevent or minimise malicious attacks.
In this third blog, we look at user education and awareness, following guidance from the NCSC. This topic focuses on the main interface with your data: your end-users. When it comes to cyber security, your staff are your first line of defence. With the right training and the proper setup, many of the socially engineered attacks would stop at your staff. The NCSC article, Users are the Strongest Link, outlines just this.
By following these recommended steps, you will be able to evidence that your staff are receiving the appropriate cyber security training to help protect the school and themselves against cyber attacks. Keeping abreast of the latest cyber threats, and understanding how to combat them best, will demonstrate that the school is proactively working to eliminate or reduce the impact of a cyber attack on your school and its staff.
How can we assess our users' knowledge & susceptibility?
To understand if your staff have understood and retained the knowledge provided to them through your training programme, or whether they are susceptible to common attacks such as social engineering, you can approach this in several ways. Here are a few examples:
1. Phishing campaigns & termly training
Schools and businesses are increasingly receiving more and more general phishing and targeted spear-phishing emails. In conjunction with awareness training, schools should run phishing and spear-phishing campaigns, bi-annually, to keep users aware of the latest techniques and the increasing level of sophistication of these attacks. Then provide follow-up training after the campaigns to reiterate what they should do if they think they have clicked on a malicious link, downloaded a suspect document, or provided credentials into a well-crafted website. Your users must know to act immediately, following the school’s incident response policies and not be worried about any reprimand or embarrassment (we will all click on a link, or download something malicious at some point). Swift actions should be commended. A swift response will save the school from significant financial loss by stopping, containing or limiting the impact of the successful cyber attack. Cyber attacks within education are becoming a common occurrence. You should plan for when it happens rather than if it happens.
2. Unattended device checks
When we walk the corridors between meetings, during data protection audits or when performing systems and security assessments, a common scene is an unattended, unlocked laptop or desktop. These devices may have been left momentarily, but that is all it takes for a malicious user/attacker to either view or take personally identifiable information, install a backdoor to be used later, or compromise the network in other ways.
Some schools have chosen to deploy a series of coloured post-it notes, changing in severity, against the number of strikes when an unlocked device is found. Others change the user's password forcing a call or visit to IT (not advisable, but effective). By far the most straightforward way is just to find the user and remind them, as it is most likely unintentional.
As a minimum, the importance of leaving unattended devices locked should form part of a school’s Acceptable Use or Security Policy and should be included in recurring data privacy training.
3. Dumpster diving (look after your bins!)
Your school may have introduced secure cross-shredders in key departments where sensitive and or personal information is regularly printed. An old but basic way of attackers gaining access to information is through "dumpster diving" - basically trawling through waste to find bits of information that, once pieced together, could contribute towards a successful attack (never mind a data breach!). Suppose departments have access to a secure cross-shredder and a general waste bin. A random spot check of the paper within the general waste bin will highlight if a member of staff is forgetting what constitutes sensitive information and should have been through the cross-shredder. Not the most glamorous of tests, but again when walking around schools, it’s incredible what data we have found lying around or peeking out of a general waste bin.
4. Incident & Breach Role Play / Q&A
Your school should have policies, processes and procedures around cyber incident management. An easy way to test how effective these policies are is by asking your staff:
- What would you do if you received a ransomware notification on your school device?
- What would you do if you suspected that you had entered your school credentials into a false website?
- Who would you inform if you received a suspected phishing email?
- Is there anything you should take note of in the event of a cyber incident?
- What constitutes a strong password?
- ...and so on, taking steps and actions from your policies, processes and procedures.
Your staff do not need to be IT or cyber security experts. They just need to have clear guidance on how to prevent or limit the impact of a cyber attack and what to do should they suspect that they have fallen foul of an attack.
What areas should we be looking at?
Your staff are the first line of defence when it comes to cyber security, as a minimum all staff should receive regular training on and understand where to access your:
- Security Policy
- School Incident Management Policy, Process and Procedure
- School Breach Management Policy, Process and Procedure
- Acceptance Use Policy (AUP)
- Password Policy
- Remote and Home Working Policy
- Removable Media Policy
There are a whole host of organisational and technological changes that can be made to help your users, raise awareness and ultimately protect your network and data from malicious attackers.
Where should my school start?
Given that the majority of your users have enough to do in their day jobs and are unlikely to want to become cyber security gurus, you should approach cyber awareness in a way that is accessible to all users without being overbearing. When raising the awareness of cyber crime, it should be reinforced that the school will support any individual who may fall foul of a cyber attack, commending their quick action rather than reprimanding them. Providing staff with structured training, secure systems, and policies, processes and procedures that underpin the school’s desire to be secure is a benchmark you can test against, year on year.
9ine's Security and Systems Essentials Service starts with a high level technical and organisational cyber security posture evaluation. This evaluation allows you to benchmark your school’s current security posture and create a defined action plan to help improve your overall security. Our evaluation is based on the NCSC 10 Steps to Cyber Security and the NCSC Cyber Essentials + accreditation. It also utilises the security standards from other recognised security frameworks and methodologies such as NIST and ISO27001, taking the most appropriate/best of breed recommendations from each. The organisational and technical assessment will highlight areas that are directly influenced by your users and will lead to supporting policy, process and procedure changes as well as security improvements of technical implementations.
Ensuring that your users feel more confident when protecting themselves and your school’s network is crucial. Adequate training, correctly configured and updated systems, and clear policies and processes around incident and risk management will go a long way to stopping some attacks in their tracks, and will greatly minimise the impact of others.
Your users are one of the many facets within a multi-layered approach to data security, often referred to as defence-in-depth. By following these recommended steps, you will be able to evidence that you are empowering your users, whilst also ensuring that you are taking all available measures to raise user awareness.
For more information about cyber training, internal and external penetration tests, 9ine's Security & Systems Essentials Service, or other security initiatives that we provide:
ABOUT THE AUTHOR:
Dan Cleworth has worked in education for over 20 years. He is a Senior Technical Consultant and certified GDPR practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.