In 2017 the Independent Schools’ Bursars Association (ISBA), which supports over 1,000 senior management staff in schools, stated that cyberattacks in schools can no longer be considered ‘isolated incidents’. ISBA’s Chief Exec David Woodgate went on to say that he is concerned that fraudsters are ‘one step ahead’.
He is absolutely right. While schools lag behind universities in their approach to cyber defence, cyber criminals are constantly evolving and refining their skills. Unlike most people employed in the education system, they do not have day jobs to distract their focus. So what can school authorities do to protect against such ingenious criminal minds? Here are six important things to consider.
1. Accept responsibility
Firstly, school boards must embrace the responsibility. A Department for Education spokesperson recently reiterated that ‘schools are directly responsible for the security of all digital information they collate, store and retain.’ This does not, however, simply refer to the IT department but should extend to the board of governors, the school administrators, the staff, the pupils and the parents. Above all, however, it is the senior leadership that is responsible for safeguarding in schools and, as such, cyber security should be on the agenda at every meeting of school governors and senior teams.
2. Know your system
Knowing precisely what hardware and software is being used on the networks is important but senior leadership should also ensure that configuration changes are authorised, documented and implemented appropriately. It is crucial that only approved users can make changes. Software updates and security patches should also be implemented quickly, and systems monitored for unusual activity which could be an indication of an intruder. Criminal incidents should be reported to the police. Breaches must be reported to the relevant statutory authorities within 72 hours under the terms of GDPR.
3. Control user profiles
Access to sensitive information should only be given to specific individuals. Wherever possible, the ability to share information should also be limited to these specified people. Where individuals are provided with access, their privileges should be managed, and they should be provided with the minimum level of access required to do their job. When staff leave, their access should be revoked promptly.
4. Protect the system
Strong firewalls and internet gateways should be in place to protect school networks and these should be constantly monitored and regularly tested.
It is essential to ensure that antivirus software and security mechanisms are up to date and that protocols for frequent password changes and the use of multifactor authentication for sensitive information are enforced. This means that if a criminal does obtain access to a system, their progress is stalled by encryption tools.
It is not just the internal system which requires protection. Consider the physical security of a system: the hard drives, internet routers, servers and other devices on which data can be stored. School equipment can be targeted by thieves during holiday periods so any device holding sensitive data should be encrypted and stored in an appropriate security cabinet constructed for the purpose.
It is also advisable to limit the use of public-cloud-based services such as OneDrive and Dropbox as well as the widespread use of portable storage devices such as SD cards and memory sticks but, if there is no alternative, such mechanisms must use strong encryption and robust key management procedures.
5. Invest in expertise
The school bursar is not expected to be solely responsible for every aspect of financial planning. Professional accountancy firms provide additional resource and support. In a similar way, those responsible for a school’s data protection require support at both the strategic and practical levels from industry specialists.
6. Be proactive
Rather than wait for a cybercriminal to test the school’s defences, be proactive: conduct regular penetration testing on the system. When done correctly, this is not an off-the-shelf exercise, but employs a synergy of automated and manual testing to deliver the best results. A specialist consultancy will be able to scope the exercise and conduct the testing in a cost-effective and non-disruptive manner.
Red Team engagement can prove highly useful to further investigate vulnerabilities that have been identified. By using simulated exercises around social engineering, all staff can be briefed on best practice and on their role in the team should an incident arise. The intelligence gained from these exercises means that a proactive and robust defence can be developed, protecting your data as well as your reputation.
To discuss improving your cyber resilience, contact the SRM team on 03450 21 21 51