Understanding the Cybercriminal Mindset: Protecting Your School’s Data


In this insightful article, Tammy Buchanan, a seasoned IT manager-turned-data protection practitioner, shares her experiences in improving cyber resilience and recovering from cyberattacks in schools.

I’m a rule follower, compliance officer and protector of systems, which makes me fascinated by the work of threat actors, hackers and cyber criminals. As an IT manager-turned-data protection practitioner, I’ve helped improve cyber resilience and provided support in the aftermath of cyberattacks.

I’ve helped restore systems and network drives hacked via a headteacher’s poor credentials. I’ve supported IT managers recovering from a cyber-attack, desperately trying to get their school back online. But by far the most eye-opening was listening to Alex Wood, a former cyber-criminal, speak about the ‘fraud mindset’ and how he executed his crimes.

Crime Isn’t Always About Money

Sometimes it’s just about the mayhem, for publicity or beliefs. Thinking your data has no value to a hacker is a mindset that will make you a victim of cybercrime. A cybercriminal will quite happily spend the headteacher’s salary, sell a copy of the SIMS database on the dark web, steal staff identities, or encrypt your single central record.

Despite the new KCSIE guidelines and the DfE Digital Standards, cyber security is often low on the list of priorities in schools. Organisations may never know that a hacker was lurking and secretly harvesting information for some time prior to an attack. By the time it is too late to stop, files and systems are encrypted by ransomware, and payment is demanded for the key to unlock the systems.

We are also increasingly seeing criminals then blackmail organisations, demanding payment or they will release data onto the dark web, a double-edged attack.

The Perfect Target

In schools, most attacks are via phishing emails: someone clicks on a link which looks familiar, and even the photo of ‘Mrs. Smith’ in the header looks real. Other frequent attacks are via a poor username-password combination, usually from someone in SLT or a student. The extra risk here is that SLT will have access to more data, including special category data, than other staff. They make the perfect target and entry route with their elevated user access status.

There is a mistaken belief by schools that they need a technical person and a large budget to successfully be cyber resilient, but that really isn’t the case.

Don’t assume that your data isn’t worth anything.

This is one of the biggest mistakes that schools make – not knowing what data they have or where it is, and underestimating its value to someone else. Understand what data you have and behave as though it has value. Ensure you only keep the data you need (the data minimisation principle). That way, if you do have a cyberattack which results in a data breach, you won’t have the embarrassment of having to contact ex-staff and ex-parents to say you lost their data when you shouldn’t have had it in the first place.

Not All Threats Are External

Clicking on a phishing email or having poor credentials is termed an ‘insider’ threat. Ensure your staff are trained to understand good password hygiene and know what to do if they suspect a phishing email or if their account has been hacked.

Turn on MFA for All Staff (Including Governors)

The most common arguments I hear are ‘staff will be upset’, ‘staff can’t have their phones in class’ and ‘staff are already stressed’. Don’t your pupils and staff deserve the same security as your Netflix and PayPal accounts? A cybercriminal is absolutely banking on your ‘kid gloves’ approach and knows how to take full advantage of it; it’s how they make their living. Don’t create a vulnerability you don’t need to. Good password hygiene is good practice, but configuring MFA is best practice.

Train Staff and Raise Awareness

Ensuring that all staff who have access to the network receive annual cyber training is a requirement of the DfE Digital Standards for schools and colleges. There is free training available from the NCSC. Cyber criminals don’t take days off; in fact, they work harder when everyone else is on a break. At Data Protection Education we primarily see cyberattacks reported when schools return from a break.

Hackers will exploit vulnerabilities in your systems, so empower and support your IT team to run devices and systems that are up to date and within their support window. Have a cyber and business continuity plan, built by referring to the DfE Cyber Security Standards for Schools, so that everyone knows what to do in a cyber disaster.

The magnitude of work, time, effort and cost of a cyberattack and subsequent data breach will far exceed the challenges of implementing the cyber basics in this blog. Let go of the belief that cyber security is exclusively for ‘techy geeks’ and have an open and simple conversation with your IT staff or provider about improving your cyber plan to protect your valuable data.
