Is your school resilient to cyber risk?

The recent cyber attack on the NHS showed the disruption that can be caused when systems go down. With schools increasingly relying on technology and the internet, what can they do to protect themselves and the data they hold?

Picture the scene. It’s Tuesday morning and your highest-performing students have just left on a school trip. Across the rest of the school, it’s business as usual. Your staff and pupils are being registered for the day. Your office administrator comes in.

They can’t access the School Information Management System (SIMS). Children start arriving. They say their teacher can’t log in and register them. Never mind, you’ll switch to manual. Your office administrator goes to print out the sheets.

They return shortly after – they can’t log in to their computer to access the printouts and, when you try, the printer won’t print them. Then you get locked out too.

You then get a call from your staff member who’s with the children on a trip. Can you get in touch with Crystal’s mum – Crystal’s not feeling well? Well. Can you?

What about if someone (an Ofsted inspector for example) needs access to some data on pupil performance? Can you provide this if all your workstations are locked and cannot be unlocked?

The above scenario could easily occur if a ransomware or other cyber-attack were successful.

How resilient is your school?

In tackling cyber-risk, resilience is a key word.

Resilience is the capacity to recover quickly from difficulties; toughness.

Many of you may recall the recent WannaCry attack on the NHS, which may have personally affected you, in the form of a delay or cancellation to an operation or medical support. This wide‑scale global attack had an impact on many organisations, not just the NHS.

Whilst the NHS may have been able to recover, in this instance relatively rapidly, for a period services were seriously impacted.

Now, more than ever before, data is at the centre of our world. We often rely on technology and internet connections to deliver services and information to people. In order to provide services to our clients – children – we need to ensure that our computer systems and data storage methods are resilient.

What it all really comes down to is this: when something goes wrong, how long will it take you to resolve the issue and get your systems back up and running?

What are the threats?

In information security we talk about threats, not risks. A threat is a potential cause of an unwanted incident which may result in harm to a system or organisation.

Broadly speaking, threats fall under one of two categories: non-malicious, meaning user error through carelessness or poor training; or malicious, meaning a wide range of threats such as fraud, sabotage, cyber-crime, phishing and so on.

There are natural threats such as earthquakes, floods and fires; man-made threats such as civil disorder, wars and terrorist attacks; and technology-specific vulnerabilities in software, hardware and networking equipment.

A vulnerability can exist in any one of these threat categories. In the case of the WannaCry attack, the software (Windows XP) had a security ‘flaw’ (a vulnerability), and the attack exploited that flaw to gain access to the system and encrypt users’ data.

It doesn’t take long for this topic to get complicated, does it? The language of information security and data protection is bewildering for some. This can make it difficult to know which way to turn and what to do.

It’s for this reason that South West Grid for Learning (SWGfL) created 360data.

360data builds on the success of SWGfL’s multi-award-winning self-review tools to guide you step by step through the journey to data compliance and beyond. It enables you to rate where your organisation stands against a maturing set of descriptors for each aspect; it then shows you how to take the next steps and provides the resources to make it happen.

It becomes a living, breathing, development plan that maps your strategy towards the safe and responsible use of information and data. Find out more at 360data.org.uk.

What can I do about it?

There are many different approaches to securing data for your organisation or school. Unfortunately, a one-size-fits-all approach doesn’t really work: every school has its own mix of technology, policy, infrastructure and contractual relationships. However, there are some things all schools can do to begin an improvement journey in data protection.

To help you build a package that protects your school, SWGfL’s 360data tool and its soon-to-be-launched information security micro-site bring together many ideas and solutions.

Preventative

Training. In our sister tool, 360safe, schools in 2016 recorded that a consistently weak area of online safety is staff training. It could be argued that this applies to data protection too. Have you ever trained your staff with regard to their obligations under the Data Protection Act? Your staff have access to, arguably, some of the most sensitive data about children. With this level of access to data, it’s easy to become blasé about its value. Staff need regular training to reinforce the importance of good data protection procedures.

Auditing also helps data security. Do you know where your data is? Whilst we may think we know, when was the last time you asked your staff where they store data? With the range of cloud storage solutions available, it’s easy to share data unintentionally. If you know what data goes where, then you can begin to control the risk of that data being shared.

Policy is also important. SWGfL’s annual report highlighted that 34 per cent of UK schools do not have a data protection policy. A clear data protection policy that helps staff know what their obligations are and how to meet them can be invaluable in protecting your data. Do you have a policy? When was it last reviewed? Have all staff been trained on it? Have all staff read it?

Another important aspect is to involve governors. This can be a great source of support and expertise. Not only that, but as part of the senior leadership team, they too have a responsibility for school data.

Looking at the technological side, this covers a wide range of areas: passwords, anti-virus/anti-malware, monitoring of hacking attempts, asset management and encryption. It’s here that having a good, supportive and responsive technology partner is vital. What percentage of your annual budget do you allocate to technology? Is that sufficient? Think about this: if your bank spent that percentage on protecting your data, would you be satisfied with your bank?

It’s worthwhile mentioning backup processes here too. The importance of a carefully considered backup routine cannot be over-emphasised. If all else fails, a good, off-site backup copy (that has been tested) can literally save the day.

Reactive

Disaster recovery should be considered. There are a variety of disaster recovery plans in schools right now, but all too often they overlook your data. Perhaps more importantly, when it comes to data protection, they’ve never been tested.

Again, imagine the situation we started with – you go to your backup provider and restore. Only when you look at the data do you realise that for the last six months there has been an error and only 25 per cent of your data has been backed up. Now you have a potential disaster.
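Both backup failures described above (an off-site copy that was never tested, and a restore that turns out to hold only a quarter of the data) are caught the same way: by comparing the backup against the live data it claims to protect, file by file, rather than trusting the backup job’s own “success” status. The following Python script is an added example, not code from the article or from any SWGfL tool. It assumes the backup is available as a plain file tree (a mounted off-site copy, or an archive restored into a scratch folder), and it constructs a small sample data set of its own so that it runs offline; the sample deliberately reproduces the article’s 25 per cent scenario.

```python
"""Backup verification check: compare a backup copy against the live data it
claims to protect, file by file, using SHA-256 digests.

Hypothetical example, not part of the original article or of any SWGfL tool.
Assumes the backup is a plain file tree; restore archives to a scratch
directory first and point this at that.
"""
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class BackupReport:
    checked: int                                   # live files examined
    matched: int                                   # copies present and identical
    missing: list[str] = field(default_factory=list)    # no copy in the backup
    corrupted: list[str] = field(default_factory=list)  # copy present but differs

    @property
    def coverage(self) -> float:
        """Percentage of live files with an intact copy in the backup."""
        return 100.0 * self.matched / self.checked if self.checked else 0.0

    @property
    def sound(self) -> bool:
        """A backup is only sound if every live file is present and intact."""
        return self.checked > 0 and not self.missing and not self.corrupted


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large SIMS exports don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source: Path, backup: Path) -> BackupReport:
    """Walk the live tree and check each file has an identical copy in the backup."""
    report = BackupReport(checked=0, matched=0)
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source).as_posix()
        report.checked += 1
        copy = backup / rel
        if not copy.is_file():
            report.missing.append(rel)
        elif sha256_of(copy) != sha256_of(src_file):
            report.corrupted.append(rel)
        else:
            report.matched += 1
    return report


def build_demo_scenario(root: Path) -> tuple[Path, Path]:
    """Constructed sample data: a school-like live tree and a backup that
    silently stopped copying most of it (one intact file, one truncated)."""
    source, backup = root / "live", root / "backup"
    files = {
        "office/contacts.csv": b"upn,contact,phone\nA123,mum,01234 567890\n",
        "office/trips.csv": b"trip,date,lead\nMuseum,2017-06-13,Mrs Smith\n",
        "sims/attendance.csv": b"date,upn,mark\n2017-06-13,A123,/\n",
        "sims/pupils.csv": b"upn,name,class\nA123,Crystal,5B\n",
    }
    for rel, data in files.items():
        path = source / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    (backup / "sims").mkdir(parents=True)
    # Only the pupil list made it across intact...
    (backup / "sims" / "pupils.csv").write_bytes(files["sims/pupils.csv"])
    # ...and the attendance copy is truncated, so its hash will not match.
    (backup / "sims" / "attendance.csv").write_bytes(files["sims/attendance.csv"][:10])
    return source, backup


def run_demo() -> BackupReport:
    """Build the constructed scenario in a temporary folder and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = build_demo_scenario(Path(tmp))
        return verify_backup(source, backup)


if __name__ == "__main__":
    r = run_demo()
    print(f"checked {r.checked} files, {r.matched} intact ({r.coverage:.0f}% coverage)")
    print("missing:  ", r.missing)
    print("corrupted:", r.corrupted)
    print("backup sound:", r.sound)
```

Run against a real live tree and a mounted backup by calling verify_backup(Path("/path/to/live"), Path("/path/to/backup")) on a schedule and alerting whenever the report is not sound; the point is that the check measures what is actually restorable, so a job that has been failing quietly for six months shows up as a coverage figure rather than as a surprise on the day you need it.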

Of course, disaster recovery is more than that: it’s also about your servers, and the ability of the school to recover from a flood or a serious fire. It’s about recognising which of your systems are ‘core’ (you cannot run a school without them) and which are less important. It’s hard to see an argument for why your pupil information is not core.

Another important area is incident management. Once you’ve reached crisis point, how do you manage it? It may seem silly, but creating a press plan and a response process can avoid a lot of stress and headaches. Consider the difference between a school that refers all queries to one well-briefed person and the school where every staff member comments and voices an opinion.

Finally, please remember insurance. Whilst this may also fit in the preventative section, it’s worth checking if you have cyber-risk insurance that works for you. Check the policy wording covers what you need it to and that the amount underwritten is sufficient for your school or organisation. Using a large, reputable firm is a good idea.

Moving on

Of course, in an article like this, it’s only really possible to scratch the surface of a topic as broad, complicated and varied as data protection. We haven’t covered topics like mobile devices, paper systems, appropriate transfer to third parties – just to name a few. But the above list is a good starting point for discussion and action planning.

New Data Protection Regulation

It’s imperative to understand the impending shift in legislation. By May 2018 the UK will have new data protection regulations. This will apply to schools. Although the UK legislation has not yet been passed, broadly speaking we know what to expect. The advice above remains sound advice, even in the light of GDPR. The Information Commissioner’s Office (ICO) is working hard to raise awareness of GDPR and the shift in expectations.

Back to school

Returning to the scenario we started with, but this time in a better prepared school, we might begin to see a change in response.

Firstly, we’d hope that the improvement in systems would better insulate against an attack and that staff training would further reduce the likelihood.

But if this better prepared school did find itself in that situation, there would be an incident response toolkit directing its decisions, a sound backup routine protecting data, and a technology partner that is there for them when they need it. In short, a more resilient environment.

www.swgfl.org.uk