Since the beginning of 2018 and through to the lead up of the updated data protection regulations [GDPR] in May 2018, one of the subjects dominating the news is the number of companies losing data, more often than not through failing or lack of necessary cyber security measures.
Data protection and cyber security go hand in hand, cyber being one of the three main pillars of the updated data protection regulation. It is crucial that schools are aware of the susceptibility of both their users and their computer systems and services to malicious or unintentional cyber attacks. Understanding your current cyber posture is key to preventing or at least limiting the impact of a data breach. Whilst supporting state, private and international schools with their path to GDPR compliance, 9ine have introduced the National Cyber Security Centre’s 10 steps to cybersecurity as a good starting point to understanding your organisation's current cyber security posture. These 10 Steps have played a key part in identifying risks to data, systems and users from a cyber attack.
So why schools, and why now?
Attacks are getting more and more sophisticated every day. The advent of readily available hacking tools has allowed even a novice to perform the most basic of automated cyber attacks. With these automated attacks comes a disregard for a victim’s status; whether you are a bank, a charity, a school or an individual, all vulnerable targets are fair game for the attackers. The attacks most people are aware of are phishing emails. These emails are high in volume, do not discriminate against their target audience and rely on only a few users to click on a link or download an attachment for the attack to be successful. These links or downloads can introduce malware or request a user to enter their credentials which can lead to:
Sharing of sensitive information into the public domain
Escalation of privileges to access other systems
Causing chaos and downtime
9ine provides free, virtual leadership training in the areas of data protection & security and systems in education.
Have schools been attacked?
Yes! 9ine have been involved in investigating numerous cyber attacks over that last 6 months. These range from common unsophisticated mass mail phishing campaigns through to highly sophisticated socially engineered spear-phishing (targeted group e.g finance) and whale-phishing (direct attack - the bursar). The most effective, well thought out and executed campaign left two schools short of over £100k. The other campaigns caused mass disruption to users and services, with significant time spent stopping the spread of the issues. Additional time was spent cleaning up the residual mess by mass forced password changes and email communications to all those affected both inside and outside of the schools.
This week, another phishing campaign lead to the successful capture of a user’s school email login details. This resulted in thousands of spam emails being sent from within the school, not only to school colleagues but to external suppliers and parents. Fortunately, through quick actions from the individual and thanks to auditing and alerting measures implemented by 9ine, we were able to quickly assist in stopping further spread of the campaign. Analysis of the logs showed three external connections to the compromised mailbox via the use of a full outlook client. These three session tokens were immediately revoked, necessary even after a password reset, and the connections ceased.
Even with the immediate action from the victim, the analysis of the attack meant the incident needed to be reported to the ICO as a breach. The investigation is still in progress. However, strong user awareness, appropriately configured auditing and notifications facilitated a quick shutdown of a successful attack that could have lead to the compromise of more systems and services.
Schools and businesses need to move from defensive to offensive! How?
In order to shift from reactive measures to a proactive approach you need to ensure that your school has:
Identified all vulnerabilities (point in time analysis)
Categorised and prioritised the risks
Defined actions or mitigating steps to reduce or resolve the vulnerability
Assigned actions to owners
Implemented clear incident response policies and procedures
Regular staff training schedules
Access to the appropriately skilled staff
These actions are supported by the latest consultation from the Department for Education in the UK; something we expect to cascade to British curriculum International Schools in due course. Supporting the cyber security obligations of the GDPR, the guidance touches on the approach to risk identification and mitigation obligations of schools. These obligations, although non-statutory to start off with, will force schools to take cyber security as serious as safeguarding / child protection. A further blog will be posted on this topic in the coming weeks.
Through the 9ine Security & Systems Essentials service, you will have access to an initial organisational cyber posture evaluation. This initial evaluation is further supplemented by internal and external penetration tests. These tests will provide you with a detailed point in time assessment of your current susceptibility to known vulnerabilities. Working with 9ine’s cyber team is one way to add expertise and experience to your school without having to employ additional staff.
The protection of the users and the school’s data does not solely lie with the IT Department. Cyber security is the responsibility of all staff. It is critical that all users within the school community understand the importance of being more cyber aware in both their professional and personal lives. Everyone should feel supported and comfortable in notifying the appropriate person within the school should they believe they have fallen foul of a cyber attack or suspect malicious behaviour.
For more information about our Security & Systems Essentials services, book a meeting with one of our team.
Let’s Stay in Touch
Subscribe to our newsletter to receive product announcements & other updates.