It’s been six months since I last wrote about cyber threats to schools and colleges; I thought that it would be interesting to find out what has changed since then.
In mid-September the NCSC (National Cyber Security Centre) issued an alert to the UK education sector due to the increased number of ransomware attacks on the sector. Ransomware is a malware that prevents users from accessing their data by encrypting it. The criminals that carry out the attack then issue a ransom note demanding payment to release the data.
The NCSC reported at the time that ‘More recently, there has been a trend for cyber criminals to also threaten to release sensitive data stolen from the network during the attack, if the ransom is not paid’.
It’s not just the potential loss of data, but the impact on schools and colleges in terms of time and resources needed to re-enable their critical services.
Three main access points were identified in the alert:
- Remote Desktop Protocol – this is the main protocol that enables employees to access their office desktops. If these are not secured it allows the cyber criminals to access the school devices.
- Vulnerable Software or Hardware – unsecure or unpatched (you’re not signed up for automatic software updates that would address known security issues) are often used by attackers to access the networks.
- Phishing mails – Emails that encourage users to click on seemingly harmless, but actually malicious, links or opening attached files.
To make their attacks more effective, criminals have also been seen to:
- Sabotage backup or auditing devices to make recovery more difficult.
- Encrypt entire virtual servers.
- Use scripting environments to easily deploy tooling or ransomware.
The NCSC recommends that ‘organisations implement a ‘defence in depth’ strategy to defend against malware and ransomware attacks’. Read more on this here.
They also suggest that the following questions should be posed by the governors and school leaders:
- Does the school have a list of the different organisations that provide its IT services?
- Does the school leader know who manages or coordinates the IT within the school?
- Has the school identified the most critical parts of the school’s digital estate and sought assurance about its security?
- Does the school have a proper backup and restoration plan in place?
- Do the school’s governance and IT policies reflect the importance of good cyber security?
- Does the school train staff on the common cyber security threats and incidents that schools experience?
- If the school temporarily lost access to its data and/or internet connection would the school still be able to operate?
- Does the school know who to contact if it becomes a victim of a cyber incident?
This is just an overview of the questions to provoke some thought; for full details of the questions to ask and answers to look for see this link.
In my original blog I noted that in the 2019 School Cyber Security Audit, teachers and support staff did not feel very knowledgeable when it came to cyber security. The survey highlighted an appetite for more staff training. The NCSC have now produced a free e-learning training package. This is easy-to-use and takes less than 30 minutes to complete. The training introduces why cyber security is important and how attacks happen, and then four key areas.
- Defending yourself against phishing
- Using your passwords
- Securing your devices
- Reporting incidents (“if in doubt, call it out”)
The training can be accessed here.
Arranged in a series of short videos, the training is hosted on the NCSC website and no login is required. The package is free to use, and includes a short quiz at the end, with links to further reading. The training is a good introduction to cyber security issues so I suggest you try the training yourself and then roll it out to staff.
Support for teachers to deliver cyber safety lesson
The insurer Ecclesiastical has produced their own Cyber Ready Toolkit, a lesson plan resource to support teachers in delivering cyber safety to children. The primary outcome for pupils should be an awareness of cyber issues, with the secondary outcome being exposure to new problem-solving techniques (Design Thinking). It will enable students to come up with their own solution to solve cyber safety problems and gain creative confidence because they followed a process that allowed them to be the leaders and decision makers. The documents can be downloaded here.
For further information on this topic, you can read this research paper on Fraud and cybercrime vulnerabilities in Independent Schools by Crowe, KYND and the University of Portsmouth.