Fraud Alert – Schools Targeted with Ransomware

As I'm sure many of you will have seen, Action Fraud have published an alert after schools across the country have fallen victim to cyber criminals who have targeted schools in a widespread "ransomware" attack. Although it has so far predominantly been state schools who have been targeted in this particular attack, I wanted to make sure all my contacts at Independent Schools were aware of what is happening, and the best ways to mitigate the risk from these types of threats, as it seems that schools are the latest perceived "soft target" for these money making cyber criminals.

For those who aren't aware, ransomware is a form of malicious software (malware), which effectively hijacks your school's data by encrypting it, rendering it unusable by staff and pupils. The cyber criminals then demand payment of a ransom in order to provide the security key needed to decrypt your data. In the recent attack on schools this ransom has been up to £8000, but can be even higher, with some UK organisations who experienced these type of attacks last year being presented with demands in excess of £35,000!

Schools are not alone, as research conducted in June 2016 by Ostermann Research showed that 54% of organisations in the UK had experienced ransomware attacks during the previous 12 months, and, somewhat worryingly, 58% opted to pay the ransom, which would seem to suggest that the risks around such an attack had not been fully assessed or planned for, and contrasts sharply with data from the US where only 3% of victims paid the ransom.

So what should Independent Schools be doing to protect themselves?

Having good system backups, which are stored off-line so that they cannot also be encrypted, is, of course vital. But having to carry out a full scale disaster recovery of the school's ICT systems should really form the last line of defence. This is something I will talk about in future articles in more detail, but it is certainly not something to be undertaken lightly; it can be highly disruptive to the school's operations and indeed, without proper preparation, there is no guarantee of total success.

Unfortunately there isn't a piece of software or a firewall rule that will completely stop these sorts of attacks. Prevention really requires a blend of policies, staff training, plans and technologies to form a cohesive defence strategy for the school. Some of the steps we typically take with the schools who we work with include:

• Reviewing their current systems to identify risks and vulnerabilities.
• Working closely with the senior leadership team to define and implement a risk mitigation plan to address any vulnerabilities identified.
• Implementing a suite of technical measures, which may include hardware, software, cloud technologies and security policies to protect the schools data.
• Training and educating staff, particularly as these type of threats often get into a school through someone clicking on a bogus link or attachment.
• Devising, implementing and testing contingency plans including disaster recovery plans, frequent data backups, security incident response plans and emergency operating procedures.

Unfortunately whilst ransomware is generating such a healthy income for cyber criminals, I think it is only likely to become more prevalent, so it is best to be prepared. If you need any help or advice, please do not hesitate to contact me on 0330 002 0045 or email schools@entrustit.co.uk.

Getting Best Value from ICT Budgets in Independent Schools

With ever increasing demands for new and improved technology in independent schools, it is easy for ICT to become a bottomless money pit. Naturally, every school wants to use technology to enhance the learning environment, equip pupils for the digital world that they will be living and working in, as well as ensure that the school is keeping up with its competitors and using technology in a way that will serve to attract further pupils to the school.

The bursar however, has the unenviable job of trying to balance all these laudable ambitions against a limited budget!

This is where I often get called in to help bursars review current ICT budgets and look at strategic ways next academic year's ICT budget can be most effectively utilised. Because we work with numerous schools, and have a good handle on the technology marketplace, we are able to give bursars a steer on whether they are paying about the right amount for ICT services and staffing both commercially and in relation to other schools. We also look at whether there may be ways they can "flip" their budget to achieve their technological aspirations in a different way.

Every school is different, but with ICT forming a significant part of the school’s overall budget, it is well worth taking a little time to review how best to deliver maximum possible value from a limited pot of resources. Whilst time and space don't allow me to cover every scenario here, I thought it would be useful to jot down a few of the common areas that I find are worth reviewing:-

1. ICT Invoice review. This is often a very revealing exercise, as many schools receive a plethora of invoices from different providers each term or year, relating to services, maintenance contracts, software subscriptions and the like. The descriptions on such invoices are often vague or use technical jargon, which make it hard to know what they relate to, whether they are still actually relevant and whether they are offering good value for money. We have spent time with many schools unravelling their invoices to understand just these factors and frequently this exercise alone has yielded many thousands of pounds in ongoing cost savings.

2. Software review. Most independent schools have an array of software applications that have grown over time. Reviewing (or indeed making!) a list of all applications and asking questions such as "Who uses it?", "What for?", "Do we still need it?" and "Is there a cheaper way to licence it?" normally reveals another nice chunk of money that can be used for more exciting ICT projects.

3. Internet connectivity. With technological advances, prices for Internet connectivity are constantly falling, but many schools are not aware of this and so are oblivious of the opportunities to re-negotiate their contract, or perhaps add a back-up Internet line for the same cost they are currently paying for their main line alone.

4. ICT staffing costs. In some cases, independent schools find a better skills mix and a cost saving can be achieved by part or fully outsourcing their ICT function, or by changing provider.

5. The Cloud. Strategic use of the right public and private cloud solutions can potentially save schools a fortune in hardware and support costs, whilst also offering remote working capability and the ability to securely access the school system from pupil and staff owned devices.

6. "Closed" cloud. For those schools not yet comfortable with the idea of their data residing off-site, closed cloud solutions can offer similar benefits to private cloud solutions, as well as significant cost savings over a traditional network, whilst still keeping all data in school.

7. Leveraging your ICT systems commercially. From utilising digital technology to market your school more effectively, through to renting out your shiny new music technology suite over the holidays, remember you can use your technology to boost your bank balance too, not just deplete it!

If you would like more information on any of the topics raised or if you'd like to book a budget review, please do not hesitate to contact me on 0330 002 0045 or email schools@entrustit.co.uk.