I have once again recently read of a group of schools suffering from a ransomware incident. It is sad that this has happened, and even more so as we head to the release of exam results over the next few days. So, what can schools do to try and stay safe?
Accept you can never do enough
I think this is very important. Although IT teams will seek to keep things as secure as possible given the available resources, including budget, etc., it only takes a single moment where a user isn't focussing and falls for a phishing email. Equally, if you are being targeted by a skilled and determined cybercriminal, it is likely they will succeed in gaining entry to your network. A favourite phrase of mine is that the school/organisation needs to get it right in relation to cyber security every single day, whereas a cybercriminal only needs to get it right once. This needs to be understood, particularly at governor and senior management level. We need to approach cyber from a risk management point of view, conscious that risk will always exist and therefore all we can do is seek to be aware of the risks and to reduce them where possible.
Staff awareness training
I am putting staff awareness training near the top of my list of things to consider given almost every incident or breach has human involvement near the beginning, with this often being weak credentials or a user falling for a social engineering attack such as a phishing email. As such one of the key defensive measures is to engage all staff and make them aware of their responsibility for cyber security, the risks and what they can do to limit these risks. It is very much about making everyone that little bit more aware and cautious but not making them so scared or frightened that they then don’t report issues or concerns.
The slot in inset training or at the start of the year is insufficient. The awareness training needs to be throughout the year and delivered on an ongoing basis. I find short 3 to 5 minute videos are ideal for this as they take a limited amount of time and, due to the limited time, need to be quite focussed on a single risk or behaviour. But even this then needs to be augmented, possibly with tips and tricks in regular emails or in any briefing/newsletter the school might produce. I find using real-life examples, including phishing emails actually received, also helps as it adds context. It is also critical to ensure that all users know what to do where things go wrong, such as where they spot unusual activity on their account or where they believe they may have given their credentials away following a phishing email.
The basics: least privilege, backups, email filtering, warnings, etc.
I am not going to cover the “basics” in any great detail as I am going to take them as read. Schools should, however, be ensuring access to systems is provided on a least privilege basis, thereby ensuring only those who really need access to specific data have access. Backups are also key, especially against ransomware, in particular off-site or disconnected/cold backups where there is no or limited potential for a cybercriminal to access and corrupt them should they gain access to the school network. Email filtering is another basic to consider, hopefully reducing the amount of spam and phishing emails which make it through, and also protecting users against malicious links or attachments. Linked to email is the adding of alerts to prompt users when accessing emails, such that they can see where users are external, or providing prompts ahead of allowing attachments to be sent. These little prompts might just reduce the number of accidental data protection incidents which may arise.
The above are just some of the basics which come immediately to my mind; they are far from extensive but hopefully give an idea of some of the things we should be making sure we are doing to protect school systems and data.
Move to the cloud
There was previously a concern regarding the security of the cloud and a false belief that keeping data on premise was more secure. Now I will admit that there may be some data which is better on premise; however, for the majority of data, I believe the cloud is the best place. In our schools we cannot match the tools and expertise which cloud providers have to protect the data they store. One example is the benefits that Advanced Threat Protection brings where you are storing data in Office 365. Equally, the benefits of eDiscovery tools in the cloud in relation to Subject Access Requests are another reason why the cloud is preferable to trying to store your data on site.
As I said at the outset, we need to accept that we can never do enough, meaning an incident is inevitable. With this in mind it is critical to prepare for these inevitable incidents. This means at the very least running through desktop scenarios and examining the actions and processes which you will need to put in place. This will hopefully mean that when an incident occurs you are more prepared and staff know what to do. In particular it is important to test your backup recovery processes. Having backups is only worthwhile if you can get them back when needed so we need to ensure we are able to do this when it counts.
Cyber security needs to simply be something we all do in schools. It needs to be something all staff are aware of in terms of their responsibility for cyber security, what they should and should not be doing and also, and possibly most importantly, what they should do when things go wrong. It is also very important to create a culture where concerns, accidents or issues are reported quickly without fear of blame. Creating the correct culture is far from easy and also takes significant time but with time and effort we can get to a point where staff talk about cyber concerns and issues, where cyber becomes a normal part of discourse in the staff room and around school, and where all are engaged with how they fit in, in terms of securing school data and systems.
The cyber security future for schools is in some ways certain and in others uncertain. It is certain we will continue to see increasing levels of threat. It is uncertain how these threats will evolve as cybercriminals seek to respond to the measures schools take to protect their data and systems. We need to accept this and do all we possibly, but more importantly reasonably, can to secure school data and systems. We need to be regularly reviewing our cyber security measures, practices and training, and adjusting them to respond to changes in cyber threats, our schools' processes and systems, and the general environment we operate in.
The importance of “reasonableness” mentioned above cannot be overstated, as the IT teams of schools need to be able to sleep at night rather than constantly worrying about cyber threats. With this, I would like to share a phrase I have used in the past which sums up my view on cyber security in schools: the need for a “healthy paranoia”.