Monday 10 July 2017

Preparing Your Independent School for GDPR: Cyber Security Issues


In my recent blog I talked about the importance of understanding your data and securing your information systems from internal threats in readiness for GDPR. In today's article I wanted to talk about the other side of the coin: securing your information systems from external security threats.

We only have to open a newspaper or turn on the news these days to hear about some new cyber security threat or data breach that has occurred. Protecting against such breaches forms an important part of GDPR compliance, since you need to be able to demonstrate that you are taking proper care of the personal data that your school holds.

There are a wide range of factors to consider here, which will include:

1. How is your network secured from threats like malware, ransomware and hackers?
In days gone by a firewall and some antivirus software would largely do the job, but with the constantly evolving threat landscape this is no longer the case, and a much more sophisticated suite of school procedures, processes and technologies is needed to provide full protection.

2. What are your procedures for applying security updates to your systems?
New security threats emerge daily, and software vendors release a constant stream of fixes and patches to mitigate the risks from them. It is therefore critical that you apply these security fixes to your servers, PCs and laptops in a timely fashion. Timeliness has become even more important now that some cyber criminals reverse engineer the fixes released by vendors such as Microsoft to see which vulnerabilities have been fixed, and then use that information to directly target those vulnerabilities in organisations that have not yet applied the appropriate update to their systems.

3. How is your data backed up?
Taking full system backups which are regularly tested is essential, so that you know you could recover data in a timely fashion should your school be hit by a cyber threat such as ransomware.

4. What are your procedures around physical security of your servers and IT equipment?
Having good cyber security in place is critical, but if someone can access your server room or acquire a laptop or smartphone containing school data, then the very best cyber security systems can be rendered useless.

5. How do you manage secure disposal of old PC and server equipment?
Equipment that is end-of-life and being replaced will often contain confidential data or emails, and therefore it is important that it is properly wiped, to guarantee that data cannot be restored.

6. How are your staff educated to ensure they are aware of the latest cyber security threats?
It is all too easy to click on a seemingly legitimate attachment or web link that actually contains malicious code, and with new threats constantly emerging, your staff's ability to spot such scams forms part of your defence strategy.

7. How and when are your procedures around cyber security reviewed and updated?
Given the constantly changing threat landscape, it is critical that procedures and controls around cyber security are regularly reviewed and updated.

For more information about protecting your school from cyber threats or preparing for GDPR, please do not hesitate to contact me on 0330 002 0045 or email schools@entrustit.co.uk.