While many schools are concerned about the advent of the General Data Protection Regulation (GDPR) and what it means for the collection and holding of data, permissions and consent, they may be overlooking its key purpose: to keep data safe. This is particularly relevant at a time when schools are increasingly becoming targets for cyber criminals. According to recent research by specialist schools insurer Ecclesiastical Insurance, 20 per cent of educational establishments have been targeted. While universities, on the whole, are better equipped to defend against attacks, schools are significantly more vulnerable, due largely to the ‘soft target’ presented by teachers and parents who are ill-equipped to deal with online fraudsters.
The report concludes that naivety is a key problem, with many school communities still largely unsuspecting of how cyber criminals operate. This has very real implications for the safeguarding of data and children and, by extension, for adherence to GDPR. Security around social media is a particular problem, as public posts provide potential attackers with detailed information with which to bait their phishing hooks.
Common attacks include phishing scams in which individuals are tricked into providing information that gives criminals access to the school system. Data theft is sometimes the goal: children’s medical records, for example, are reported to be lucratively traded on the Dark Web, providing details for fraudulent official documents. Sometimes, however, the intention behind the attack is purely financial, with emails requesting payments that link to rogue websites. A newer type of scam, known as ‘whaling’, targets finance directors or bursars, who are conned into transferring thousands of pounds into fake accounts.
Private schools are particular targets because of their high fees. In 2017, Insurance Times reported a scam in which parents were sent fake emails that conned them into sending fee payments to the criminals’ account. In such cases, private schools also risk lasting damage to their reputations.
Yet in institutions whose business is education, it is education about online safety that is the main problem. No matter how effective the technical security strategy, it is the human element that most commonly leads to system breaches. Continuous education, including awareness and training programmes, needs to be in place to reduce the risk.
A key element is education around social media. Schools and educational trusts should prioritise strict guidelines for social media postings and other forms of publishing, because phishing campaigns frequently start with social media. Attackers use the information posted online to craft relevant-sounding emails that appear legitimate, encouraging recipients to open and act upon them.
Phishing scams also give attackers a route into internal school systems. While these may be well defended at the perimeter with firewalls and access restrictions, a simple phishing exercise can con individuals with limited access into divulging further credentials or information. Once inside the system, cyber criminals may encounter little in the way of additional defences, which is why internal controls such as least privilege and monitoring matter as much as the perimeter.
Phishing scams and social media are just one part of the problem facing schools. There are many important aspects to adhering to GDPR and building a robust online defence, and we will be posting further blogs on this topic. If you wish to receive these, please follow us on LinkedIn.