The education sector has changed dramatically in the last year, as the Covid-19 pandemic has completely changed the face of pedagogy.


Despite the fundamental changes that educational institutions have been forced to implement over the past year in response to Covid-19, digital transformation is a much wider, longer-term trend and one that is set to continue after the pandemic. Schools now recognise the value of online education/hybrid learning as a positive development, offering schools and teachers the opportunity to take advantage of a wide range of invaluable learning resources.


The result of these changes is that technology is now required to enable the delivery of education.

Risks and consequences

A major concern surrounding the accelerated adoption of digital transformation is that it has often occurred without consideration for the associated cyber security and data protection risks.

The potential consequences of a security breach or loss of data in a school can be severe.

 

  • Learning Disruption

The fact is that schools’ increased reliance on the internet and connectivity means that any downtime in the availability of IT services creates immense disruption to teaching and directly impacts the wellbeing and learning experience of students.

 

  • Financial Loss

Schools hold a vast quantity of special category data which is considered to be highly sensitive by the ICO. The release, theft or unauthorised disclosure of this data could result in a hefty GDPR fine of up to €20 million or 4% of turnover depending on the infraction.

Bear in mind that failing to fulfil requirements for processing special category personal data, not having appropriate risk management practices in place (particularly with regard to safeguarding information) and, most importantly, processing a significant amount of personal data without adequate information security measures, falls into these categories. (The ICO fined British Airways £20m on 16 October 2020 for just such a violation).

 

  • Reputational Damage

Whilst the immediate short-term financial impact of a fine from the ICO is an important factor when considering managing cyber risk, the longer-term financial impact of damage to brand and reputation is potentially devastating.

Independent schools rely on the reputation they have amongst parents and prospective parents to generate consistent revenue, while parents are heavily invested in the safety of their children while they attend school. Therefore, any threat to the personal data of pupils could severely compromise the reputation of the school, impacting parents’ decision to enrol their children.

Cyber criminals are not only targeting the personal data relating to children, they are targeting the financial information of parents. If a cybercriminal were to access the financial information of a parent through a breached school network, the consequences for the school could be catastrophic.

Data behind the dilemma

The fact is that schools are being actively targeted by cyber criminals.

The Department of Education and the London Metropolitan Police have, between them, issued multiple warnings that cyber criminals are targeting private schools, taking advantage of students and teachers to defraud parents out of tuition money. One needs only to look at the recent WisePay attack for an example of this.

In 2019, the NCSC and LGfL commissioned a report into the cybersecurity measures undertaken by schools which revealed some alarming figures.

  • 83% of schools had suffered some form of cyber security incident with 35% experiencing periods of no access to important information.
  • Nearly all schools (97%) stated that losing access to network-connected IT services would cause significant disruption yet less than half of schools (49%) are confident that they are adequately prepared in the event of a cyber-attack.
  • For more statistics from the report see the NCSC and LGfL Cybersecurity Schools Audit 2019.

These statistics bear witness to a situation that has been compounded by the impact of the Covid-19 lockdown and enforced acceleration of online/hybrid learning. The trend shows that criminals are specifically targeting homeworkers and students accessing educational networks remotely. (1) It is estimated that industry-wide, cybersecurity incidents increased by 69% between 2018 and 2020 with 46% of organisations reporting breaches between March-July of 2020.

There was a 143% increase in data breaches reported by schools to the ICO between 2015 and 2019, with a total of 1,385 breaches reported in the year 2018/9. These related to the following issues:

  • Improper disclosure of data - 38%
  • Subject access requests - 29%
  • Insufficient data security - 24%

In a six-month period, the National Fraud Intelligence Bureau reported that 48 schools had been targeted by scams – of those, 12 schools lost an average of £145k.

The most common cyber risks

Cloud Security

Most schools are using cloud-based platforms such as Google for Education, Microsoft Classroom, Firefly or iSAMS to facilitate teaching. However, since the Covid-19 lockdown, schools are now almost entirely reliant on these platforms to deliver learning, connect with students and disseminate teaching resources.

Online learning, and the use of cloud platforms to facilitate it, is a trend that will continue post-Covid-19. Hybrid learning will become the new norm (did you like the pun… no? Shame.) with timetables, homework and learning materials (such as worksheets and textbooks) hosted on online platforms. It is vital to secure these connections – this is not a temporary change and prevention is a far better policy than remediation.

 

Unsecured Personal Devices

The adjustments made in response to Covid-19 have broadened the threat landscape for schools. Historically, schools have remained well protected from cybercrime as online resources were accessed through an internal intranet hosted on the schools enclosed network. This is no longer the case. With the growth of online learning, the cloud is now regularly accessed from a multitude of different endpoints outside the school network, from devices which may or may not belong to the school, and which connect using a multitude of different, potentially public, Wi-Fi connections. Almost every student has at least a phone and a laptop, not to mention tablets and smart watches. All this before we even begin to consider the numerous IoT devices employed in schools that connect to the cloud such as interactive ‘smart’ displays.

As much as I miss the days of the whiteboard, the fact is that education is embracing the digital era and schools must modernise alongside with it to protect student data.

 

Malware

Ransomware, viruses, worms and adware fall into the malware category. Malware can result in extortion, fraud, or interrupted operations and is surprisingly common - 30% of schools in the 2019 NCSC study reported malware infections.

This summer the NCSC issued an alert about a surge in ransomware incidents targeting educational institutions. Cyber criminals have been taking advantage of insecure remote desktop protocol (RDP) configurations, vulnerabilities in unpatched software and phishing emails. Once on the network, the attackers seek to move laterally searching for high value machines to encrypt such as backups, network shares, servers and auditing devices.

Whist many schools have procedures in place to resolve these attacks, the initial threat and concern towards staff, pupils and parents is severe because as technology evolves, so do attackers.

 

Phishing

Phishing emails are notoriously common in schools – 69% of UK Independent Schools reported suffering a phishing attack in 2019. In fact, a recent report found that schools are twice as likely as other organisations to be on the receiving end of a phishing campaign.

One of the most effective forms of these are ‘spear phishing’ emails which are personalised emails that target an individual or organisation with the intent to extort, compromise and scam. Details of phishing campaigns are often reported in the news, with fraudsters impersonating members of staff or DofE officials. There are simply too many articles to link to and too many examples to name. Far from innocuous, the risks associated with phishing can be severe - personal data can be breached, financial information can be stolen, and internal systems can be compromised.

Building a comprehensive defence

Cyber awareness and phishing training:

Ultimately, awareness is the best way to protect against phishing and other types of cyber attack. 80% of cybercrime takes advantage of human fallibility, therefore education, regular training of staff and students and the creation of a ‘human firewall’ remains the best method of preventing cybercrime and mitigating the threat of phishing emails. Despite this, only around one third of schools (35%) train non-IT staff in cybersecurity, despite 92% stating they’d welcome more cybersecurity awareness training for staff.

The DofE suggests that ‘as part of the requirement for staff to undergo regularly updated safeguarding training… online safety training should be integrated, aligned and considered as part of the overarching safeguarding approach.

  • Government regulation already requires senior staff members to be responsible for student safeguarding – cybersecurity, data protection and online safety should be addressed as part of this effort.

At norm., we partner with CybSafe, a UK-based organisation which provides regular, bite-sized security awareness training combined with simulated phishing attacks to continually test ongoing awareness. CybSafe even provides those who complete the training with a GCHQ accredited certification.

To complement training programs like these, email threat prevention, which automatically detects and blocks unwanted and malicious email traffic, should also be deployed.

 

Technological solutions:

As we have highlighted, cloud technologies and remote working have increased the threat landscape for schools. Schools no longer operate entirely within an enclosed school network that can be reasonably protected by a firewall and basic anti-virus software. As the online sphere has developed, and cyber criminals and malicious actors have become more advanced, so must the measures that schools are putting in place to prevent this.

The NCSC and the Department of Education have released various articles specifically for the education sector detailing the recommended measures that schools ought to put in place to mitigate and prevent cyber-attacks.

Threat detection and response Near real-time security monitoring for your network, services and devices that can identify and isolate attacks before they neutralise, infect or enter a network.
Vulnerability and patch management Expeditiously detect, patches and secures weak spots in your network before they can be exploited by cyber criminals.
Penetration Testing

Perhaps the most important element in this security trifecta.

Penetration testing identifies and quantifies risks by actively attempting to exploit vulnerabilities in a schools’ infrastructure, applications, people and processes.

It simulates the techniques used by cyber criminals to support the remediation of weak points in your environment by identifying vulnerabilities and determining the likelihood and impact of a breach.

Also see:

 

Cyber Security Incident Response Plan

It is a basic and essential requirement for schools to have a cyber security policy or plan, as was corroborated by the results of the NCSC report, it did however identify that only 45% of schools included core IT services in their risk register and fewer (41%) had any kind of business continuity plan.

A cyber security incident response plan is essential to ensuring the stakeholders, key decision makers and processes are in place to help minimise the impact of a cyber security incident or personal data breach. Specialist providers can also be used to contain the breach, coordinate remediation efforts, gather the required forensic data and liaise with the ICO if required.

The benefits of cyber security

There are numerous benefits to implementing these measures – including, as we have mentioned avoiding the reputational damage, financial loss and business disruption of a cyber-attack.

However, rather than implement cybersecurity and data protection practices as a result of the fear of financial and reputational impact of a breach, it is far more liberating to consider how mitigating these risks can benefit schools. By putting children first and protecting their online safety and wellbeing, schools have the opportunity to differentiate and put themselves in a more competitive position. With a strong cyber security, data protection and safeguarding record, a school protects its reputation, engenders parent loyalty, increases customer retention and child success.

Schools can create a reputation and culture of data privacy and online safety by seeking transparency, including data protection and IT acceptable-use guidelines in safeguarding policies, creating a cybersecurity incident response plan and implementing training for both students and staff.

Cyber security and data protection are responsibilities that are inextricably linked with child welfare and safeguarding. Protecting children from malicious online actors is a duty that schools already take incredibly seriously; the time has come to ensure that our responses and technologies are modernised to accommodate the ‘new normal’.

Click here to sign up to our mailing list to receive future blog posts and other updates relating to the education sector.

Participate in our Independent Schools Cyber Security and Data Protection Survey 2020 and add your voice to the discussion.

IC blog pic

Isabelle Churchill NormCyber Ltd.

Learn More:

Don't leave it there! Learn more about how norm. can help your organisation to achieve GDPR compliance and support the growth of your business.