How Secure is Your School from Cyber Attacks?

In the headlines...

Since the beginning of 2018 and through the lead-up to the updated data protection regulations [GDPR] in May 2018, one of the subjects dominating the news is the number of companies losing data, more often than not through the failure or lack of necessary cyber security measures.

Data protection and cyber security go hand in hand, with cyber being one of the three main pillars of the updated data protection regulation. It is crucial that schools are aware of the susceptibility of both their users and their computer systems and services to malicious or unintentional cyberattacks. Understanding your current cyber posture is key to preventing, or at least limiting, the impact of a data breach. While supporting state, private, and international schools on their path to GDPR compliance, 9ine has introduced the National Cyber Security Centre’s 10 steps to cybersecurity as a good starting point for understanding your organisation's current cyber security posture. These 10 steps have played a key role in identifying risks to data, systems, and users from a cyber attack.

So why schools, and why now?

Attacks are getting more and more sophisticated every day. The advent of readily available hacking tools has allowed even a novice to perform the most basic of automated cyberattacks. With these automated attacks comes a disregard for a victim’s status; whether you are a bank, a charity, a school, or an individual, all vulnerable targets are fair game for the attackers. The attacks most people are aware of are phishing emails. These emails are high in volume, do not discriminate against their target audience, and rely on only a few users to click on a link or download an attachment for the attack to be successful. These links or downloads can introduce malware or request a user enter their credentials, which can lead to:

• Identity theft

• Financial gain

• Sharing of sensitive information into the public domain

• Reputational damage

• Sextortion

• Escalation of privileges to access other systems

• Causing chaos and downtime
  

9ine provides free, virtual leadership training in the areas of data protection & security and systems in education.

Have schools been attacked?

Yes! 9ine have been involved in investigating numerous cyber attacks over the last 6 months. These range from simple, unsophisticated mass email phishing campaigns to highly sophisticated socially engineered spear-phishing (targeted group, for example, finance) and whale-phishing (direct attack, the bursar). The most effective, well-thought-out, and well-executed campaign left two schools short of over £100k. The other campaigns caused mass disruption to users and services, with significant time spent stopping the spread of the issues. Additional time was spent cleaning up the residual mess through mass forced password changes and email communications to all those affected both inside and outside of the schools.

This week, another phishing campaign led to the successful capture of a user’s school email login details. This resulted in thousands of spam emails being sent from within the school, not only to school colleagues but also to external suppliers and parents. Fortunately, through quick actions from the individual and thanks to auditing and alerting measures implemented by 9ine, we were able to quickly assist in stopping the further spread of the campaign. Analysis of the logs showed three external connections to the compromised mailbox via the use of a full Outlook client. These three session tokens were immediately revoked, which was necessary even after a password reset, and the connections ceased.

Even with the immediate action from the victim, the analysis of the attack meant the incident needed to be reported to the ICO as a breach. The investigation is still in progress. However, strong user awareness, appropriately configured auditing, and notifications facilitated a quick shutdown of a successful attack that could have led to the compromise of more systems and services.

For more information on 9ine's security initiatives that enabled the above school to reduce the impact, arrange a call with one of our experts.

Schools and businesses need to move from defensive to offensive! How?

In order to shift from reactive measures to a proactive approach, you need to ensure that your school has:

• Identified all vulnerabilities (point-in-time analysis)
• Categorised and prioritised the risks
• Defined actions or mitigating steps to reduce or resolve the vulnerability
• Assigned actions to owners
• Implemented clear incident response policies and procedures
• Regular staff training schedules
• Access to the appropriately skilled staff

These actions are supported by the latest consultation from the Department for Education in the UK, something we expect to cascade to British curriculum International Schools in due course. The guidance touches on the approach to risk identification and mitigation obligations of schools, which supports the GDPR's cyber security obligations.These obligations, while initially non-statutory, will compel schools to treat cyber security with the same seriousness that they do safeguarding and child protection.A further blog will be posted on this topic in the coming weeks.

Through the 9ine Security & Systems Essentials service, you will have access to an initial organisational cyber posture evaluation. This initial evaluation is further supplemented by internal and external penetration tests. These tests will provide you with a detailed point-in-time assessment of your current susceptibility to known vulnerabilities. Working with 9ine’s cyber team is one way to add expertise and experience to your school without having to employ additional staff.

The protection of the users' and the school’s data does not solely lie with the IT Department. Cybersecurity is the responsibility of all staff. It is critical that all users within the school community understand the importance of being more cyber-aware in both their professional and personal lives. Everyone in the school should feel supported and at ease in notifying the appropriate person if they believe they have been the victim of a cyber attack or suspect malicious behavior.

For more information about our Security & Systems Essentials services, book a meeting with one of our team.