Improving Cybersecurity In Independent UK Schools

Cybersecurity can be daunting at the best of times, but it doesn’t have to be. When we speak of the term ‘cybersecurity’, we are actually speaking of a situation when somebody has found vulnerabilities within your organisation’s systems. The education sector is being increasingly targeted by cyber criminals, with 63% of cyber attacks being targeted towards schools. The National Cyber Security Centre recently released a presentation focusing on cybersecurity risks and preventions. This has reminded organisations just how important adequate cyber hygiene is. If you have not yet experienced any form of cyber attack, you must assume that you will at some point.

With this, your organisation must use best practices to mitigate the risks of a cyber attack and consistently strive to comply with GDPR. As the ‘controller’ of your students’ data, it’s imperative to map the processing of the data and use a Record of Processing (RoP) to understand where the weaknesses are in your systems. Poor cyber hygiene can affect a school’s ability to function, its reputation and its legal obligations to keep personal data safe through data regulations.

Where your vulnerabilities may be

Through our research at 9ine, there are some core vulnerabilities that we have found within schools’ systems. These include missing security patches, missing authentication on core systems, End of Life (EoL) systems, weak password policies, security weaknesses e.g. lack of two factor authentication, and missing IT policies such as disaster recovery and incident management. 

We see that 50% of vulnerabilities are due to EoL systems, devices and systems that are at the end of their lifecycle and can no longer receive updates and patches to protect itself from malicious cyber attack. 25% of vulnerabilities lie within the realms of security misconfiguration, highlighting weaknesses in the configuration of the system, these weaknesses are found by malware or malicious traffic seeking to gain access to the system. Another 10% come from weak authentication methods, which can significantly undermine your network security.

Who is behind your cyber attacks?

As important as it is to understand where your cyber vulnerabilities are, it is just as beneficial to your organisation’s cybersecurity to know who might be committing these cyber attacks. Although identifying the attacker may seem like a mostly useless task, it is essential in your journey of understanding the threats that your organisation faces. These include:

• Online Criminals / Hackers
• Malicious Insiders
• Inquizitive Pupils or Staff
• Honest Mistakes

Being aware of who is causing these incidents as well as where they are happening will help you ensure that the relevant mitigating procedures are in place to prevent them. 

Having a risk based approach to cybersecurity

Here at 9ine, we are strong believers in mitigating your risks and preparing for cyber incidents so that when they do happen, you can be prepared to resolve them as quickly as possible. Taking a risk based approach to cybersecurity is crucial to how your organisation will react when a data/cyber incident occurs. 

Evidencing the risks throughout your organisation is imperative, if you have successfully mapped your data and have a RoP you can identify where the incident has occurred in your system and deal with it efficiently. Implementing these procedures is essential in the instance that somebody issues a subject access request. If you have not evidenced and mapped your data processing, the time it takes to retrieve the user’s data increases exponentially, wasting valuable staff time. Investing your time in data mapping can save you wasted time and energy in the future. 

Services that 9ine provides for cybersecurity

At 9ine, we offer a handful of cyber protection services, such as:

• Cyber incident response and management with the 9ine app 
• Management of your cyber risk and data protection obligations with the 9ine app 
• Cyber vulnerability and penetration assessments (single school and trust wide) 
• The ‘AA’ education cyber incident response
• O365 / google cloud services assessment 
• Security & systems essentials to build capability and capacity in your trust 
• Advisory support in contract review of any outsourced IT managed service providers 
• Complimentary cyber workshop session to discuss your challenges and the support that may be required. 

9ine’s cybersecurity services and vulnerability assessments will help you to understand where your risks are and how to mitigate them proportionately. Propagating these ideas of mitigation and cybersecurity throughout your organisation will assist you to be better equipped should a data incident occur.