Schools are ripe for the picking when it comes to IT fraud and data theft – here’s what to be aware of
Schools can be a hotbed of fraud, data theft and malware attacks; why? Because they don’t necessarily realise they’re such huge targets. “All schools are considered to be an easy target for fraudsters,” says Ian Buss, of Education Banking, in an article you will be able to read in the December/January edition of EdExec. “In fact, fraud losses incurred by the education sector increased by 280% from 2017 to 2018. In wider society, the Office of National Statistics estimates that over three million adults were victims of fraud in 2018. Despite these facts, hardly any schools I talk to have put their staff through fraud training.
“As fraudsters get more sophisticated and organised, we all need to be aware of the risks to the data and funds our schools control. Around two-out-of-three fraud losses in the education sector are in the form of invoice fraud, with CEO impersonation fraud the next biggest cause of loss.”
Here are some of the issues that can produce problems with your school’s IT, or which can be created through a lack of preparedness.
Opening an infected e-mail
Opening an e-mail and clicking an unfamiliar link, or downloading a strange attachment, can cause you to lose data if it’s not properly backed up – and you may also have exposed the entire system to malware or ransomware. Ensure you have a school-wide protocol/e-safety policy in place for what to do if staff receive a suspicious-looking e-mail and how, if the worst happens, to clean up the ensuing mess.
Pupils accessing inappropriate material
It’s all very well having protocols and systems in place for staff – but what about pupils? Online safety risks are very real, and the school is responsible for keeping children safe online. Again, an e-safety policy is necessary here, and systems which block and/or monitor online activity are a must.
Inability to track all data
Do you know where all of your data is stored? Would you be able to track it down and delete it if necessary? The General Data Protection Regulation (GDPR) came into effect in May 2018 and specifies that organisations must be able to find all data about an individual within a month; they must also be able to delete all information about an individual when requested. Therefore, data must be stored in a place, or places, where it can be found and identified easily, as well as entirely wiped off whatever system it’s on.