Cyber Crime in Schools [Webinar Recap]

In this blog, we reveal some of the most common cyber threats to the education sector and explore questions such as who is committing cyber crimes, what is at stake, where the risks lie, and why schools are vulnerable. We provide some simple steps that schools can follow to minimise their vulnerability to cyber crime. This blog is based on a recent 9ine webinar, presented by Ian Hickling, Cyber Protection Officer at the East Midlands Special Operations Unit.

What are the three biggest current cyberthreats for schools and are there different types of cybercrime?

The three biggest current cyberthreats that schools should be aware of are phishing, distributed denial of service (DDoS) attacks, and ransomware. But did you know that there are two types of cybercrime: cyber-enabled crime and cyber-dependent crime? Cyber-enabled crime is traditional crime that is enhanced in scale or reach via the use of technology. This can include online fraud, grooming, malicious communications, and cyberbullying. Cyber-dependent crime involves a criminal using a digitally enabled device, such as a computer or smartphone, to target another device. In this latter category, technology is both the target of the crime and the tool used to commit it. Examples of cyber-dependent crime include ransomware, malware, remote access tools, and distributed denial of service (DDoS) attacks.

What does cybercrime really look like?

Whereas the perpetrators of cyber crime are often portrayed as hooded and masked youths hunched over a laptop, the reality of cybercrime is quite different. Most successful hacks are highly organised and committed over a long period of time; some hackers can exist unnoticed within systems for up to nine months. Cybercrime provides significant incentives for criminals. For example, if a hacker has access to 500,000 emails, even if they are only 1% successful at targeting victims and gain £200 from each, they have already made over £1 million!

The time it takes to detect a data breach varies greatly by industry and is heavily influenced by the level of resources allocated to protecting IT infrastructure. In the entertainment sector, for example, it takes an average of 287 days to detect a breach, whereas in healthcare the time taken is only 103 days. The level of investment in IT systems and cybersecurity really makes a difference. Read more about the common characteristics of a data breach in 9ine’s recent blog, How to Plan for a Data Breach in Your School Network.


Why are schools vulnerable?

There are many reasons why schools are vulnerable to cyber crime. These can include:

  • Holding valuable and interesting data on school systems, such as parental financial information, employment details and home addresses.
  • Having limited budgets to protect critical infrastructure, increasing the perception that schools are easier targets than other organisations such as financial institutions.
  • A lack of training and awareness among the senior leadership team and staff.
  • The legacy of old IT systems, many of which have weaker protections.

Where does the risk come from?

In a recent TeacherTap poll of 5,000 respondents, over 28% of teachers admitted they shared a password! The threats are not always external. Below are some of the sources that internal risks can come from, with some being a greater threat to the education sector than others.

  • Poor systems administration with regard to departing colleagues or role changes.
  • Disgruntled or overlooked staff members.
  • Former employees who may still have access and enact vengeance on the school.
  • A lack of training and awareness of cyber issues.
  • Tech-savvy pupils who obtain staff passwords.

What is social engineering and how is it used to target victims of cyber crime?

Social engineering also plays a significant role in cybercrime. Hackers use a variety of social engineering tactics and personas in order to achieve their goals. These social engineering tactics include impersonation, urgency, obligation, authority, flattery, and fear.

Hackers impersonate a trusted authority, such as a bank or school, and use tactics like spoofed emails or phone calls to obtain personal information such as bank account details. Urgency involves presenting the victim with a need for quick action, usually triggering fear, which reduces the time they have to thoroughly examine what is being asked of them. The hacker may also try to persuade a victim that they are required to do something, either by law or through a contractual obligation. As with urgency, the hacker wants the victim to comply quickly without giving much thought to what is being asked.

A hacker may use false authority to masquerade as a legitimate actor, making the requests they put to the victim seem routine, legitimate, and ordinary, e.g., "Hello my name is xx and I’m calling from xx." People are likely to be sceptical about communications of unknown origin. However, flattering, polite and friendly language and tone put the victim more at ease, which makes them more likely to comply. Lastly, fear is often used to spark panic among victims. By using threatening language such as "You will lose all your account access unless you click this link immediately," the hacker aims to create such urgency in the victim that they do not think carefully.

How does a cyber criminal gain access to employee information? 

Exposed data can be harnessed for crime, and for a cyber attack to be successful, hackers need as much information about the organisation’s employees as possible. Social media provides a plethora of information about individuals' job roles, hobbies, and interests. Location services can provide a mass of detail to potential hostile actors. Thousands of apps ask for location services, with many then sending this data on to third parties for the purpose of personalization in advertising. Smart devices within the home, such as Amazon Alexa, actively record speech to improve service provision. All around us, technology is recording and monitoring our location. It’s important to recognise this and protect our digital footprint. All of this information represents an invaluable cache of information for hackers.

What are the cyber risks associated with bring your own device (BYOD)?

Unsecured devices are a huge challenge for all networks. Staff will bring in personal devices that may not have the highest level of cyber security and are therefore especially susceptible. It's essential to educate your staff on the importance of maintaining high levels of cyber protection. A known technique is for criminals to throw USB sticks into the school grounds, in the hope that students and staff will find them and, out of curiosity, access the content, granting hackers a pathway into school systems. Before disposing of devices such as old USB sticks or laptops, ensure the network administrator has erased any data that may still be stored; otherwise, you heighten the risk of exposing yourself to cybercrime. Read more about this in 9ine’s blog, Cyber Security In Schools; Removable Media Data Loss and Malware.

What can you do to minimise your vulnerability to cyber attacks?

  1. Take ownership at a senior level (hire a consultancy such as 9ine or show senior leaders the NCSC website)
  2. Understand your own culture and bigger risks in the school (is it pupils, staff or an external threat?)
  3. Establish access control policies
  4. Check that third party providers have a strong cyber security culture
  5. Ensure you use secure configurations and patch management
  6. Encourage reporting and discussion of near misses - this is best practice and highly recommended amongst all staff
  7. Engage and educate staff
  8. Follow trusted sites and people to keep up to date

If your organisation lost access to key infrastructure and systems, could you and your school cope? Do you have a tried-and-true plan in place? Having a regularly tested cyber incident response plan is essential for all organisations, and it should be well known by senior leadership and everyone else who has a part in it, including the school's Data Protection Officer. An attack is a matter of when, not if, and only by preparing on that basis can we all be ready when it does happen.

