Cyber-crime is on the increase and is becoming a serious issue for schools and further education providers. In the US the education sector ranks third on the list of sectors most vulnerable to the attention of cyber criminals – unfortunately the UK is not far behind.
Schools and further education providers often leave computer networks and IT assets unguarded and names and email addresses of teachers and key staff can often be found in the public domain – hence why this sector is becoming a new target for increasingly sophisticated cyber-criminals.
Are smaller organisations less vulnerable?
A survey from Kapersky Lab recently revealed that three quarters of organisations surveyed believed they were too small to be of interest to cyber-criminals. We find that schools often fit into this way of thinking or believe that – as there is no direct financial benefit to cyber-criminals – education providers will be safe; this is not the case. In Japan, in 2016, 444 school networks were taken down simultaneously by one student who launched a damaging cyber-attack. There was no direct financial benefit to the cyber-criminal but the financial effect on the schools will have been significant.
A new alternative to setting off the fire alarm?
In most cases we find that cyber-attacks come from students looking to delay a test, to carry out a personal attack on other students, staff members, or on the school itself. With schools increasingly using management systems and relying on sophisticated IT software, a cyber-attack can be extremely costly to put right – for example, the cost of installing additional security to prevent a recurrence or the support sometimes needed to work through the damage to the reputation of the school – particularly if sensitive student data has been breached.
The success and increasing number of cyber-attacks are often down to out-of-date systems where firewalls, anti-virus software and security patches have been installed but aren’t updated, or are left unchecked
Building your school’s firewall
We know that schools and further education providers are often time poor and simply don’t have the resources that businesses do. This can mean that they often struggle to put in place the adequate protection against potential cyber-attacks.
The success and increasing number of cyber-attacks are often down to out-of-date systems where firewalls, anti-virus software and security patches have been installed but aren’t updated, or are left unchecked, leaving the school or education provider vulnerable to an attack.
Being aware of the resources available to help your school, and the legislation that affects it, can help you to protect your school – and, importantly, your data. You may find the following information useful.
Current Action Fraud alert
Worryingly, there is a live alert from Action Fraud – the UK’s cybercrime and fraud reporting centre. The alert warns of the dangers of fraudsters posing as officials from the ‘Department of Education’ – not ‘for’. The cold callers ask to be given the personal email or ‘phone number of the headteacher, claiming that they need to send over sensitive guidance about mental health or exams which cannot be sent to a generic school account.
The new regulations mean that any school or further education provider that experiences a data breach from 2018, and does not comply with the new requirements, will be subject to fines
If this information is provided the email sent will include a zip file – potentially masked as an Excel or Word document – containing ransomware. Once downloaded this encrypts files and the fraudsters demand money from the school – in some cases up to £8,000 – to unlock them.
Data Protection Regulation
In 2012 the European Commission revealed the draft of its European Data Protection Regulation which will directly affect schools and further education providers. One of the most significant changes is the requirement to notify the Information Commissioner’s Office of any serious data breaches within 24 hours, with all affected individuals to be notified at the same time.
The new regulations mean that any school or further education provider that experiences a data breach from 2018, and does not comply with the new requirements, will be subject to fines.
The advisable safeguarding measure is to ensure that you have the right level of cyber and data insurance protection in place
Are you adequately covered if the worst happens?
In the UK, a research and educational network known as JANET which connects 19 different regional universities and a large proportion of Secondary Schools was the victim of several denial-of-service attacks. This sophisticated attack rippled through these networks resulting in degradation to services and performance at institutes across the country.
So, are you prepared for a data breach or an interruption to the systems in your school? Do you have the right protection and insurance cover in place if test or exam results are altered or the registration process is taken down by a malicious cyber-attack?
The advisable safeguarding measure is to ensure that you have the right level of cyber and data insurance protection in place. Cyber and data insurance will provide your school with financial protection from regulatory awards, fines and penalties imposed against you for data breaches. It also covers potential third-party damages and the costs associated with an investigation in relation to a potential breach or notification.
As well as financial protection, cyber and data insurance cover extends to provide your school with full support from a team of IT forensic, legal and PR experts who are on hand to protect your reputation, investigate and diagnose the attack and they will aid you in getting your systems secure and safely up-and-running again.