Why schools need a lesson in cybersecurity this term

Dave Adamson, CTO of Espria on the top cyber risks in schools today, and how to prepare.

Posted 9 October 2023 by Christine Horton

Cybersecurity is one of the biggest, and sometimes overlooked, issues in British schools today.  The Cybersecurity Schools Audit released in January from the National Cybersecurity Centre – part of GCHQ – and edtech charity LGfL – The National Grid for Learning revealed that three quarters of schools in the UK have been victims of malicious cyber-attacks. Schools are highly attractive targets for cyber criminals due to the large amounts of sensitive, personal and financial data they hold.

The new school term presents a myriad of cyber risks, with students and staff at risk of unknowingly bringing back malware that they may have picked up on their devices during the summer and allowing cyber criminals access to their school network and data. This term has already seen schools like Highgate Wood School and Debenham High School in Suffolk fall victim to cyber-attacks and forced to remain shut, leaving parents scrambling for childcare. Last September, just weeks into the new term, six schools in the same academy trust in Hertfordshire had their internal systems brought down by a cyberattack.

Email, as one of the most important communication tools among school staff, students, parents and external stakeholders, is a primary avenue for online security threats because of their accessibility.  In Mimecast’s ‘The State of Email Security 2023 report’, 82 percent of organisations reported an increase in email use but the threat of email-borne attacks will simultaneously increase, as reported by nearly three out of four (74 percent) of IT security leaders as the initial or one of the prime culprits in breaches and attacks.

A cyber incident can refer to a phishing attempt to steal money and passwords, or a ransomware attack that encrypts files holding future access to ransom. Many cyber incidents are untargeted and can affect any school that doesn’t have basic levels of protection. Increasingly, as IT underpins not only educational resources, but also, schools’ infrastructure, sensitive information is at risk unless updates to cybersecurity policies and the right technology are in place. From staff and parents’ bank details to students’ private medical records, cybersecurity is a safeguarding issue.

The risks of not planning for cybersecurity can be severe resulting not only in the loss of sensitive data or financial loss but reputational damage, and legal liabilities too. Schools that fail to take cybersecurity seriously may also face regulatory penalties and legal action.

During the pandemic, the ‘business continuity’ of many schools relied heavily upon edtech solutions, as children and their teachers were forced to attend classes remotely. However, as with the rest of the business community, with the need for IT support swiftly transforming into complete reliance, any flaws in cybersecurity policies quickly became risk points. The acceleration of digital transformation often resulted in gaps, weak spots and lowered cyber defences for many organisations, and schools were not exempt.

Malicious actors are continually adjusting tactics to exploit the most vulnerable targets, and during the pandemic, gateways to new forms of data theft were opening in every direction. Each new VPN became an internet-exposed attack surface and every piece of video-conferencing software posed new security risks. In fact, between the period of February and May 2020, the personal data of more than 500,000 video conferencing users were stolen and sold on the dark web.

Attackers were able to ‘Zoombomb’ online meetings, access sensitive information on unpatched devices and breach security software that had not been appropriately configured. Statistica states that during the first half of 2022, there were a staggering 236.1 million ransomware attacks worldwide. This came at a time when many companies were storing personal information and sensitive documents in the cloud for the first time. Similarly, schools were also becoming more reliant on IT.

As schools have returned in person, teachers and students have not shed their reliance on IT. Instead, IT has become more deeply integrated into day-to-day teaching, and continues to amplify education as a learning tool. Poor cyber hygiene could affect a school’s ability to function, its reputation and its legal obligations to keep personal data safe. It could also undermine the fantastic potential of IT to accelerate learning for all students, particularly those with learning differences.

Schools must implement cybersecurity policies and clearly communicate best practice with students, parents and all staff, including phishing threats, password best practice, USBs and remote working policies.

Phishing for info

In a typical phishing attack, scammers send fake emails to thousands of people asking for sensitive information such as bank details, disguised as legitimate requests from an otherwise trusted source. Often, the email will contain a link to a ‘bad’ website that will steal personal details. A clear and simple policy that is easy to communicate in schools is ‘if in doubt, call it out’. Raising awareness of typical phishing red flags to students and faculty is also helpful, including lines like ‘dear friend’ or poor quality logos for example.

Passwords are only the first step

Given the number of accounts we all have, it’s unrealistic to expect anyone to have a different password for each, and to remember them all. People naturally write them down and, more often than not, these passwords are stored right next to the computer. A simple solution is to use a password manager which when coupled with two factor authentication (2FA) on sensitive accounts helps fortify your information. A good way of creating a strong and memorable password is to use three random words. Avoid obvious words like the name of a partner, child, pet, place of birth, favourite sports team. The most common password is still 123456.

Unidentified USBs

USBs are a common tool for spreading viruses and malware from one computer or network to another. Using secure cloud based digital asset management (DAM) systems sharing encrypted or password protected files can offer greater security.

Within schools, a simple solution is to ensure students and teachers only use USBs that have been provided by the school and to ensure the USB is password encrypted and that any option to autorun programmes from the USB is turned off.

Future proofing your policy with managed services

Schools were possibly ahead of the time with hybrid working. After all, students have always done  (and avoided) homework. Teachers have always prepared for classes from their living rooms in the evening, sometimes on their own device rather than one provided by the school, which may not have the same levels of security and protection built in. The only difference now, ‘post-Covid, is the amount of sensitive information now stored within the same IT systems that both students and parents’ access.

It’s therefore essential that schools have a clear cybersecurity plan in place that outlines policies, procedures, and controls to protect against cyber threats. Clear guidelines must be put in place around IT policies: from ensuring the latest software is installed and updated to ensuring passcodes are enabled and data is regularly backed up.

However, cybersecurity threats evolve faster than most organisations’ IT infrastructure; cyber attackers are often one step ahead. Even a school’s students can employ malicious cyber attacks; both internal and external attacks must be considered. Therefore, managed service, cybersecurity support can plug the gaps in knowledge and provide essential wrap-around support for incident management, managed vulnerability, distributed denial-of-service (DDoS) attacks, malware and phishing scams. Cybersecurity is one of the biggest threats to schools today, and not one they should be reliant on alone. Prepare for the unexpected by considering cyber insurance and investing in cybersecurity training for faculty and even students.