As we all know, advancements in technology are coming thick and fast! What are the latest offerings to ensure you are keeping your school cyber safe?
CREDIT: This is an edited version of an article which appeared on EdTechnology
Educators are under attack, and the risks of insecurity are well-documented. Schools face the same cybersecurity threats as other organisations, and are each targeted hundreds of times a day by cybercriminals seeking to compromise their systems.
Research shows that one-in-three educational institutions in the UK fell victim to some form of cybercrime last year; more than one-in-ten schools were hacked, had their passwords cracked by outsiders or suffered a successful social engineering attack.
The impact of insecurity can be catastrophic; IT systems rendered useless, access to vital resources denied, and – possibly worst of all for a school – sensitive personal data stolen, exposed and even put up for sale on the dark web.
Under the new GDPR rules, organisations can be fined heavily if they fail to take adequate steps to secure their systems and the Information Commissioner has advised schools to be particularly vigilant around information security. It has warned that unauthorised access to personal information would be particularly harmful to pupils, parents and staff – all people with a right to seek compensation if the loss of their personal data causes them damage.
Action Fraud, the UK cybercrime and fraud reporting centre, has warned schools to be wary of cybercriminals claiming to be from the ‘Department of Education’ (sic). This follows a series of incidents in which bogus emails were used to infect school computer systems with malicious software which prevented legitimate users from accessing them.
While these risks are relevant to any organisation with personal data and computers, schools are particularly exposed to several other risks relating to online safety, including:
- Exposure of students to sexually explicit, racist, violent and extremist content.
- Inappropriate contact from people who may wish to abuse, exploit or bully them.
- Students themselves engaging in harmful online behaviour.
Best practice for safeguarding schools online
Guidance published by the Department for Education in September 2016 requires that school governors and managers put in place ‘an effective approach to online safety’ in order to ‘protect and educate the whole school or college community in their use of technology, and establish mechanisms to identify, intervene in and escalate any incident where appropriate’.
What an ‘effective approach’ looks like is somewhat subjective and can differ from organisation to organisation. Research has shown that the most secure organisations use technology where appropriate, supported by clear policies and, most importantly, extensive user-education.
There are several steps that schools should consider in order to enhance their resilience to cyberattacks and safeguard their students, staff and computer systems:
Take ownership at senior level
The government’s statutory guidance requires that a member of the senior leadership team is made responsible for safeguarding in schools; cybersecurity and online safety should be taken just as seriously and should be discussed regularly with school governors and at leadership team meetings. Appropriate policies should be implemented and enforced by the senior leadership team itself.
Establish a strong online perimeter
Schools should establish strong boundary firewalls and internet gateways to protect school networks from cyberattacks, unauthorised access and malicious content. Cybersecurity controls should be monitored constantly and tested on a regular basis.
Update content filters, constantly
People are usually the weakest link in organisations. In schools there are many young internet users with curious minds who need extra protection. Content filtering systems need to be updated constantly as tech-savvy students can create new ways to circumnavigate filters with incredible speed.
Establish solid access control policies
Schools should establish effective processes for managing user privileges to their systems to minimise the risk of deliberate attacks and accidental breaches. Users should be provided with the minimum level of access they need to do their jobs. When staff members leave the school their access should be revoked promptly. All records should be kept up-to-date to prevent exploitation of old accounts.
Check third-party providers thoroughly
Schools should ensure they vet, thoroughly, all third-party platform providers used to ensure their approaches to security and safety are at least as stringent as their own. Access to students, parents and guardians should be granted by teachers themselves using email addresses provided in person.
Ensure secure configuration and patch management
Schools should know precisely what hardware and software is being used on their networks and ensure that configuration changes are authorised, documented and implemented appropriately. Devices should be set up so that only approved users can make changes. Software updates and security patches should be implemented quickly when released by manufacturers.
Monitoring and incident management
Schools must monitor all of their systems continuously and analyse them for unusual activity that could indicate an attack. Criminal incidents should be reported to the police and other relevant authorities.
Invest in cybersecurity and online safety education
The Department for Education requires that students are taught about online safety as part of safeguarding activities. Schools should ensure members of staff understand the risks and are fully aware of its security policies covering acceptable and secure use of systems. There should be regular sessions to ensure staff and students are aware of new phishing or spoof email attacks.
Don’t forget physical security
Schools should maintain cybersecurity defences that are appropriate to the importance and sensitivity of the systems and data requiring protection. Planning for these should include the physical security of hard drives, internet routers, servers, printers and other devices on which data can be stored. School equipment is often targeted by thieves, especially in the school holidays, so any device holding sensitive data should be encrypted.
Consider personal devices
The National Foundation for Educational Research has found that three quarters of teachers believe smartphones make it easier for student to access inappropriate material at school. Nine-in-ten secondary teachers said their pupils had experienced cyber-bullying. Schools should have clear policies around mobile technology and how it is used on their premises. Students should be taught about acceptable use of their personal devices, how they interact with each other on social media and where to turn for help.