With teachers under increasing pressure due to significant workloads, outdated IT equipment, a lack of adequate funding, and an absence of cyber security training and policies, schools are sitting ducks for cyber attacks and breaches.
Technology has become a vital component in education, so it is not surprising that cyber crime is on the rise – and the threat posed by hackers is a clear and present danger.
According to the government’s Cyber Security Breaches Survey 2022 (CSBS), 70% of secondary schools reported suffering a cyber attack in 2021 – a significant increase when compared to the 58% that reported breaches in 2020.
Secondary schools handle highly-sensitive data, such as pupil records, parents’ financial information and CCTV footage – providing hackers with fertile hunting ground. This type of information can be extremely valuable to cyber criminals as they can sell it to a third party or use it as a bargaining tool for extortion purposes.
The most common type of attack identified by secondary schools in the CSBS was phishing (87%), which is the process of tricking recipients into giving away their password or account details. Unfortunately, many individuals still use the same email and password combination across multiple online accounts. The compromise of this information through a phishing attack can then be used as a gateway to elicit or access the victim’s personal data across other online accounts.
This was followed by impersonation attacks (also known as spear phishing) – suffered by 46% of secondary schools – where emails are sent out imitating senior management or board members, often used to create panic for financial gain.
Cyber attacks including viruses, spyware, malware and ransomware came in third place, alongside denial of service attacks, which, in this context, would overload digital learning environments to prevent access and cause widespread disruption. These can be relatively easy to undertake, even by amateurs, with 15% of secondary schools experiencing these types of breaches.
The CSBS also highlighted that less than 40% of schools had trained staff on cyber security, meaning human error caused by a lack of understanding and knowing how to identify gaps in their protection poses another significant risk to the education sector.
In the case of one grammar school targeted by the Vice Society, the documents were stolen by hackers using generic search terms. For example, a folder marked “passports” contained passport scans for pupils and parents on school trips going back to 2011, whereas another marked “contract” contained contractual offers made to staff.
Using personal devices
‘Bring your own device’ (BYOD) culture is also a major vulnerability in secondary schools. BYOD devices are not centrally managed by IT specialists and rely on individual owners to update critical software and applications in a timely manner to mitigate risks. Furthermore, people tend to be more disciplined when using a work laptop than a personal one, and may also allow others – such as children and partners – to use the device when away from school.
Further common weaknesses include: an absence of policies for using the school’s network and a cultural understanding of what they mean and how they should be adhered to; and increasingly stretched budgets, meaning there is a lack of finances to invest in cyber security software or staff.
From phishing and malware to social engineering and spyware, there are lots of ways cyber criminals can conduct a digital attack and these methods are constantly evolving.
In order to ensure secondary schools are protecting themselves and meeting their legal obligations, they should conduct a cyber and data security assessment. This is a thorough analysis of all information assets and cyber controls, making it an essential first step to understanding cyber resilience, and uncovering any weaknesses and risks that could leave them vulnerable to an attack.
Typically, an assessment will consider every security component to find any possible blind-spots, highlight where systems are vulnerable to breach, and identify whether a breach may have already occurred that could put a school at risk of regulatory action and damage to reputation.
Once an assessment has been completed, the outcome will be a full picture of what is working well, what requires improvement, and what is high risk. Most importantly, it will provide a roadmap of what needs to be done to increase a school’s resilience, make it hard to hack, and limit the risk of a cyber attack.
We live in a world where cyber risk is omnipresent. The most effective cyber attack is the one you do not know has happened, unless it is designed as a ransomware attack. Being lucky to date does not correlate with being lucky in the future – attacks are inevitable – and schools need to ensure they are hard to hack. Cyber criminals do not want to get caught; if it is too difficult, they will find easier and weaker prey.
The most obvious and, arguably, least expensive way a school can protect itself is password management. Currently, there are millions of email and password combinations for sale on the dark web for miniscule amounts. Cyber criminals can use this information to gain access to web portals containing emails, documents, pictures, saved bank account details and addresses, and fuse this with other pieces of information to enable greater social engineering targeting.
Using the same password across multiple accounts or both personally and professionally is a major weak link in a security system. If one site is breached and credentials are exposed, the risk is amplified exponentially if the same password is used elsewhere. However, if your staff change their passwords frequently – at minimum at least quarterly – the chain will be broken.
While a school’s staff are its best asset, if they do not understand the risks and are not properly trained, they can be a huge cyber security liability too. It is very easy to compartmentalise our personal and professional lives. However, they are intertwined digitally. Cyber criminals recognise that because we are not personally mandated, legislated and regulated like businesses are, we tend to let our guard down when at home and be less disciplined.
Providing regular awareness training is one way to mitigate the effects of a lack of funding and resource, and can ensure staff understand why certain protocols should be undertaken when it comes to data protection, and know how to spot potential breaches or weaknesses. This can be something as simple as sharing a handbook with staff that includes information on what to look out for and tips for practising good cyber security hygiene.
We understand the stresses and strains on teachers’ time, and cyber security is another issue to add to the ever-increasing pile. However, the threats and cyber security practices mentioned in this article are equally applicable to individuals in their personal lives as it is in their professional lives.
While becoming hard to hack will make schools more resilient to a cyber attack, no security programme is infallible. If a cyber criminal is committed to their goal, they will find a way, and given that even the wealthiest, most highly-secure and well-resourced organisations are often still vulnerable to attacks, it is not surprising schools are being exploited so easily.
With this in mind, schools should make the assumption it will happen and, therefore, need to have comprehensive incident response and disaster recovery plans in place.
If an attack is successful and an incident occurs, halting it as quickly as possible should be a school’s primary concern to ensure they can minimise its scope and scale. This can be done with by having an incident response plan in place. Both plans need to be regularly reviewed and rehearsed so reactions can be made swiftly to minimise the associated impact.
Should a cyber attack cripple a school, they could be facing some hefty costs – including system repair, learning delivery interruption, delays to schedule, knock-on impact to pupils and parents, adverse media coverage, and financial damages claims and regulatory fines, for example. This can be mitigated by good cyber insurance, but only if the right insurance is purchased with realistic cover and service levels, and having met the minimum cyber security standards for the policy to be valid.
While even the most secure business is not guaranteed immunity, having the appropriate measures in place and being prepared should the worst happen will ensure confident, compliant and resilient staff, which, in turn, create a well-protected school.
If you need guidance or support with making sure your school is hard to hack, then get in touch with a member of our cyber and data specialists.