Schools are becoming a hackers delight as they have significant revenues, a general lack of cybersecurity and, a low perception of information security.
Couple this with an open door of published information such as names, email addresses, and other personally identifiable information of the key contacts within the school (Headteacher/Bursar/Administrators, etc.). It makes building a targeted spear-phishing attack, or similar, very easy to do. Link all this to a general lack of security awareness within the staff and leadership teams, restricted budgets to spend on data security systems, and it is clear to see the reasons why hackers are ‘rubbing their hands with glee’.
When budgets are allocated, it is clear that a large percentage (sometimes over 90%) of the available money is spent on staff salaries, leaving very little for all the other costs a school face. So, it is not hard to understand how some services within the school slip down the priority chain, data security being one of these.
The cost of recovering from a data breach, or ransomware attack, can run into hundreds of thousands of pounds, far outweighing the cost of deploying data protection measures. Therefore, deploying sound cybersecurity systems is essential.
The constant issue when considering any data security solution is where to start and how deep to go. For example, is a closed network, to stop the ‘bad stuff’ getting in, the way to go, even though in doing so, it makes gaining access for collaboration harder? Or, should endpoints such as PC’s laptops, servers, etc., be protected so any ‘nasty stuff’ is blocked and not allowed to spread? Of course, both strategies are sound, but a better approach is to have a blended security strategy that protects critical areas and users differently from non-critical ones.
Any security review should start with classifying what data is critical or has value and then assessing who and what needs access to that data. An example would be data backup. Not all data is vital, and if lost due to a ransomware attack, it is cheaper to start from scratch rather than spend money on immutable storage or system cleansing to remove the ransomware, and by the way, a ransom should never be paid! So, in this scenario, data defined as ‘critical’ would be backed up, the storage size scoped and appropriate security measures deployed for protection.
Another area of school security that is lacking is when new applications are introduced. Very rarely are these assessed for their data protection or network connection. This is not only poor data security, but it is a breach of GDPR, as any new application introduced should have a Data Protection Impact Assessment (DPIA) completed. A DPIA should identify any sensitive data, where it is stored and by whom, and if it has sufficient controls to stop unauthorized users.
The open nature of a school environment is an area that seems to have merged into the IT infrastructure. Generally, the pupil network is separate from the teaching network, and sometimes, even the administration network is separated from the teaching network. This is all good separation of duties and a key factor for good data protection.
However, schools and colleges frequently do not go the extra step to manage privilege access controls to protect system administrator accounts. And often, neither do they use two-factor authentication to improve password or log management, alerting key staff members of any suspicious activities. These are nearly always overlooked when schools use cloud-based services, as the perception is that the cloud will handle all these services, but they are not.
"...schools and colleges frequently do not go the extra step to manage privilege access controls to protect system administrator accounts"
When we look at on-premise systems, although there might be a separation of drive access on a server, PCs and other devices often have no administrator profile, leaving the device open to any user to add applications. Or, the administration password is the same on all devices and known to everyone, even external support companies. This leaves the device open to multiple attacks and, it becomes very difficult to identify the culprit while investigating the breach.
Such instances equate to weak management of the infrastructure. Often, this will have developed, uncontrolled, over the years before school IT departments were aware of the risks. As a result, making changes to overcome the historical weaknesses becomes difficult and gets pushed back as a task.
Today the question is not ‘will we be hacked?’ but rather, ‘when?’. School leaders need to ensure any new applications or data storage is fit for purpose, has the required controls to protect the data and school from fines due to compliance failure and the costs incurred to recover from a breach.
It is also vital to avoid the bad publicity which any form of data security incident inevitably brings, closely followed by subject access requests (SAR) coming from parents and carers wanting to know what data was held before the loss.
Educators must understand the risks of a data breach, spot possible attacks, and ensure the ‘think before you click’ protocol is adopted across the board.