Image by TheDigitalWay from Pixabay

Taking steps to prevent cyber incidents

From online lesson plans to storing personal data, technology is key to education settings running smoothly. However, cyber risks must be managed to prevent incidents, including ransomware attacks, disrupting education. By following five practical steps, leaders can significantly reduce their chances of falling victim, writes Sarah Lyons, Deputy Director for Economy and Society Engagement at the National Cyber Security Centre.

Over the past 18 months, many schools and colleges will have seen their reliance on technology change during the pandemic, with new IT practices and online services required to keep staff and students connected and to ensure core business can continue.

However, regardless of whether you’re working remotely or in the classroom, your institution’s networks, devices and data play a crucial role in everyday business running smoothly. Given this dependence on technology and connectivity, it’s important for senior leaders to have an understanding of the risks they face and their education setting’s cyber security.

Unfortunately, we know cyber criminals attempt to take advantage of networks at schools and colleges, and the National Cyber Security Centre (NCSC) has reported an increase over the past year in education institutions being hit by cyber attacks – specifically ransomware attacks, which can have very severe impacts including costly remediation and forcing institutions to close.  

The issue of ransomware and cyber security generally may seem to be an overwhelming challenge for senior leaders, but institutions can significantly reduce their chances of falling victim to an attack and limit adverse impacts by following the NCSC’s practical advice.

Understanding the threat

It’s important to remember that not all cyber incidents necessarily start with malicious intent. For example: a teacher might write down their email password on a post-it and leave it by their laptop to help remember it – but this could still be exploited, potentially allowing unauthorised access to data in their emails. However, one of the main external threats to schools and colleges comes from cyber criminals and ransomware, in particular, is a growing issue facing organisations in all sectors.

In a ransomware attack, malicious software (or malware) is deployed on a system preventing you from accessing it or the data held on it. Those responsible will usually send a ransom note demanding payment to recover the data, and more recently cyber criminals have been threatening to release sensitive data if the ransom is not paid.

While it may seem unexpected, schools and colleges can seem like attractive targets to criminals because settings hold plenty of sensitive data, including names and addresses of students and parents, bank details and medical records. Cyber criminals are often motivated by financial gain and act opportunistically, targeting organisations where they think they have most chance of successfully extracting a ransom.

As a new academic year begins, we strongly encourage senior leaders to take the opportunity to review their cyber security practices and protections – and to take action as necessary. By following the five key steps below, leaders can help to defend themselves online, prevent disruption to students’ education and keep day-to-day operations running.

1.    Bringing senior leaders on board

It’s a common assumption across organisations that cyber security is ‘just’ an issue for IT specialists. But that’s not the case, and staff in education institutions will use a variety of networked services, from teaching resources to canteen payment systems, from door access control systems to telephony.

Cyber security is therefore essential to the overall operation, and it should be strategically managed by governors and boards of trustees. To help start these conversations, we have published questions for senior leaders and governors to discuss about cyber security so they can create a strong foundation from which to build up their school or college’s resilience.

We have also published a blog post about what board members should know about ransomware specifically as part of our Cyber Security Toolkit for Boards.

2.    Invest in staff training

When it comes to protecting your networks, people can be the strongest first line of defence against attacks so it’s vital all staff members – regardless of how technical their role is – are shown what good cyber security practice looks like and what suspicious signs to look out for.

Our free school training package covers both of these points, by using real case studies of cyber incidents at schools to illustrate common threats and then offering tips on how to defend against them: staying alert to potential scam messages, using strong passwords, securing devices and reporting concerns.

3.    Talk to your technical experts

Whatever the arrangements are for the provision of IT systems and support at your setting, it’s important for leaders to speak to their provider about the measures in place to mitigate ransomware attacks.

Our technical guidance on mitigating malware and ransomware attacks offers steps to take to help prevent attacks and further pointers can be found in our updated ransomware alert to the education sector.

As a more general guide, education settings with dedicated IT support can find guidance in our Ten Steps to Cyber Security and schools and colleges might want to consider getting Cyber Essentials certification, which recognises organisations that have five key controls in place to reduce the risk from cyber incidents.

4.    Make and practise incident recovery plans.

We urge all schools and colleges to take action to reduce their chances of falling victim to attacks but unfortunately there is no guarantee an incident won’t take place. It’s therefore essential to plan and then test your response to identify areas of improvement.

We recommend leadership teams use our free Exercise in a Box toolkit for this, as it contains scenario-based exercises designed to help organisations practise their response to incidents, including one scenario where a phishing attack leads to a ransomware infection.
We strongly advise checking whether your Business Continuity Plan includes cyber incidents and taking action to rectify if it’s not included. Further advice on how to effectively respond to incidents can be found in our Response and Recovery Guide and the final module of the Toolkit for Boards.

5.    Backup, backup, backup!

Since every setting should think in terms of ‘when’ rather than ‘if’ they are affected by a cyber incident, the importance of backups cannot be overemphasised.  As a senior leader, asking your IT specialists about your backup policy and the frequency of testing whether staff can restore from backups might be the most important conversation about ransomware you can have.

However, it’s also vital to ensure the backup is recent enough to be useful, and that it is completely detached from the network. It’s worth knowing the 3-2-1 rule: have at least 3 backup copies, on 2 devices, and 1 offsite, and remember the importance of having at least one backup offline. This is especially pertinent for ransomware attacks as malware is often on networks for some time before an attack is deployed, meaning any online backup could also become infected.

We have published advice on making backups on our website including in our blog post Offline Backups in an Online World.

Key resources
•    Cyber security for schools: Tailored guidance and practical resources
•    The NCSC’s CYBERUK 2021 webinar, ‘Ransomware: The risk to schools and ways to prevent it’ is on YouTube.