School is not everyone’s favourite place to be. It can be a source of anxiety and concern for many children. And that’s before we’ve even got onto the very real risk posed by cyber criminals. With the advent of new technologies and the increasing adoption of flexible working practices, the importance of cybersecurity in schools cannot be overstated.
How bad is it?
You might not imagine that schools are particularly high on the list of desirable targets to hack; however, school databases host a wealth of information, from the personal details of every student, their families, addresses, financial documents, medical history and grades, to the payrolls of staff, funding, bursaries and so much more.
Schools and academies are experiencing a significant increase in targeted attacks by cyber-criminals, with several high-profile cases of data breaches and ransomware attacks bringing schools to a standstill. The National Cyber Security Centre issued a high-level alert in September 2020 that, at the time of writing some 10 months on, still stands. This recent campaign emphasises the need for organisations across the education sector to iron-clad their networks and prepare for a more advanced level of hacking than they might have initially imagined. The alert also lists a number of steps that organisations can adopt to disrupt ransomware attack vectors mid-hack and enable more effective recovery from these attacks.
Why are schools so attractive to cyber-criminals?
It runs deeper than simply not enjoying their time learning. Cyber-criminals find educational institutions appealing for a plethora of reasons. Schools host a wealth of easily accessible and extremely lucrative data that is often guarded only by a view that ‘no one would ever harm a school’.
There is a distinct lack of protection in most mainstream schools. Though security is in place, it is often not as mature and progressive as it needs to be. The fight for tech budget is ongoing, and in schools that are strapped for cash, it is often very difficult to secure funds to protect against a hypothetical event.
The move to locally managed budgets has also put pressure on establishments to make the correct decisions for themselves in-house, relying on pre-existing knowledge and comprehension of the risk to ensure the right choices are made around tech and partnerships. Unsurprisingly, mistakes are often inadvertently made, and the consequences are often severe.
Schools and academies are seeing an uplift in internal attacks, as well as external. Malicious insiders who are well-versed in the inner workings of the institutions are carrying out ransomware attacks with the success of the best hackers. Alarmingly, vulnerable and weak processes are being targeted with extraordinary success rates, getting significant payments released or access to credentials in return, and crippling a number of institutions as they go. They act as cyber-leeches; you don’t realise they’ve hooked on, and before you know it they’ve drained you of resources and moved on to the next target.
What’s to be done?
The trouble is there are just not enough hours in the day to educate staff and teachers on the threats of cyber-criminals. Likewise, the uptake of cybersecurity awareness training is very low.
We at Babble don’t claim to hold all the answers, but we do know that education in cybersecurity is a highly effective first line of defence. That’s why we run a security awareness training programme that is jargon-free, evergreen, and most remarkably of all, quite fun. We’ve written on the teaching of cybersecurity awareness in schools and other institutions before, as well as the programme we run if you’re interested. It doesn’t need to be an institution-wide undertaking, but having a few key figures in any institution well-versed in the language of cybersecurity is never a bad thing.