Dan May, commercial director at ramsac, explains the ways in which schools can improve their treatment of data to limit leaks and breaches
It’s all too easy to think that cybersecurity only applies to banks and big businesses, but such thinking is exactly what hackers want, as it means they can catch you unawares.
Last year, Durham Sixth Form paid out over £1,000 when it was hit by a ransomware attack. More recently, over in the States, the Louisiana governor declared a state-wide emergency after three local schools were hit by cyberattacks. It’s not a question of ‘if’ anymore – it’s a question of ‘when’.
So, before you get hit by an attack, make sure your defences are in order – and that means having the right policies, the right technology and the right culture.
Establish best practices
Access control policies
Establish effective processes for managing user privileges to your systems; this will help minimise the risk of security breaches. Only provide users with the level of access they need to do their jobs. You should also keep a record of who has access to what and keep this up to date – you don’t want systems being accessed from old accounts. Before allowing third parties to access your systems, make sure they are fully vetted and check that they are as diligent with their security as you are.
Monitoring and incident management policies
Schools must monitor all of their systems continuously and analyse them for any unusual activity that could indicate an attack. Cybersecurity controls should be monitored constantly and tested on a regular basis. Create a process for regularly reviewing your databases and access traffic, along with a system for resolving any issues that arise.
Roll out IT security
Ring-fence your school business
Establish strong boundary firewalls and access points to protect school networks from cyber attacks, unauthorised access and malicious content. Make sure you have a secure email system and that access to this is limited to internal use as much as possible.
Configure devices carefully
Schools have a lot of hardware and software to keep track of. In addition to being expensive when stolen, computers are also key access points to your network; it pays to keep track of them. Make sure each device is configured correctly for its needs; any changes to configuration should be authorised and documented appropriately.
Practise effective patch management
Software patches and updates are designed to improve protection and efficiency; however, they aren’t always good things. Back in January 2019, an update to Windows 7 caused widespread network issues and effectively rendered thousands of devices unusable. So, before rolling out updates to software, check to make sure they are going to be beneficial to your devices.
Keep content filters up to date
Schools are often full of internet users with tech-savvy and curious minds – this is a potentially dangerous combination when it comes to protecting students. Keep your filters up to date and keep on top of any innovations – you can be sure that students will try to bypass your filters. There is a lot of content on the internet that students should not have access to, and part of the problem is knowing what to restrict. While the broad filters catch most things, like games and pornography, take the time to think more broadly and creatively and make sure you’re filtering everything.
Consider personal devices
According to a recent study, 75% of teachers believe smartphones make it easier for students to access inappropriate material at school, and 90% of secondary teachers said their pupils had experienced some form of cyberbullying. Set a clear policy for personal device use while at school. Take the time to educate students on the acceptable use of their devices at school. With regard to teachers and staff, consider whether or not you are introducing a ‘Bring Your Own Device’ (BYOD) policy; such a policy should outline the safe use of personal devices in relation to secure access and data storage.
Don’t rely on cybersecurity alone
School equipment is often targeted by thieves, especially in the school holidays. Physical security protects your data by literally preventing people from getting their hands on it and includes your CCTV, locks, fences and all other means of limiting physical access to your school and your school’s data.
All the firewalls in the world won’t save you from someone walking out with your server. In 2015, a thief forced their way into the server room of children’s charity Plan UK; they stole five servers containing information on 90,000 supporters including names, addresses, contact details and bank account numbers.
Deploy the ‘human firewall’
The government’s statutory guidance requires that a member of the senior leadership team is made responsible for safeguarding in schools. Appropriate policies should be implemented and enforced by the senior leadership team; this means that either a member of the senior team needs to be IT literate, or the IT manager takes on this role. As senior team members, it falls on SLT to promote and encourage a culture of cybersecurity so that staff become a ‘human firewall’.
Being the ‘human firewall’ means making the right judgement every time an email is received or a decision is made to connect to a network. Seek to create a culture that is curious and cautious, a culture which rewards staff who take the time to pick up the phone and double-check with IT that an email appearing to come from IT really was sent by them.
Educate your staff
Being the ‘human firewall’ also requires training. The Department for Education requires that students are taught about online safety as part of safeguarding for schools, but all staff should receive training on cybersecurity – especially heads and other senior team members, because they are the staff most likely to be targeted by phishing scams and other forms of direct cyber attack. Roll out a programme of cybersecurity training for your staff, and make resources available for people to refer back to.
Schools are as vulnerable to cyber-attacks as any other organisation. It’s essential that you have the policies and systems in place to protect your staff, your data and the students in your charge.