It appears impossible to read the
news at the moment without hearing about another IT security breach. In the
fortnight leading up to the time of writing, there have been reports of hacks
at Uber, Imgur and a private members club whose clientele includes Stephen Fry.
Some reports suggest that
cyber-attacks more than doubled in 2017. These include well publicised attacks
such as the WannaCry ransomware attack that affected the NHS earlier in the
year. Ransomware (malware that encrypts the files on your computer and demands a ransom before it will hand over the key to unlock them) is a particular area of growth in cyber-attacks. In fact, more than 4,000 ransomware attacks have occurred every day since the beginning of 2016 (a 300% increase over 2015), and the proportion of phishing emails carrying a form of ransomware grew to 97.25% in 2016.
With so many attacks making the news, you may be concerned about the cyber security threat to your Independent School. As a school with a duty of care to hundreds of pupils, it is extremely
important that cyber security is tight. With so many schools keeping personal
data on staff, pupils and parents as part of day-to-day operations, the
consequences of losing sensitive material do not bear thinking about –
particularly with the danger of steep fines under the GDPR legislation coming
into force next May.
Although some Independent Schools have a dedicated ICT team, with engineers who protect and improve their networks, many don't. For those that don't, what practical steps can staff take to ensure that your school is as protected as possible?
Patch Tuesday
Have you ever heard of Patch Tuesday? If you are not familiar with ICT, then chances are you have not. Patch Tuesday is the unofficial name for the day on which Microsoft releases its regular batch of updates for its software products: the second Tuesday of each month, with further optional updates sometimes following on the fourth Tuesday.
Every Patch Tuesday Microsoft releases a large number of updates for its Windows desktop and server software. Some are UI (user interface) tweaks and performance improvements, but the ones that matter here are the security patches, which close vulnerabilities that attackers are often already exploiting.
If you are unfamiliar with Patch Tuesday, then chances are your desktops and servers aren't getting the patches they need. Patching cannot protect you from flaws that nobody has found yet, but it does close the ones attackers rely on most: the WannaCry outbreak mentioned above spread through a Windows vulnerability that Microsoft had patched two months before the attack, and the machines that were hit were the ones that had not installed the fix. By keeping on top of the updates, whether by turning on automatic updates on each machine or by approving them centrally through Windows Server Update Services (WSUS), you ensure that your software is up to date and therefore protected from known vulnerabilities.
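A quick way for a member of staff to check whether a Windows machine is actually getting its patches, as an added example that is not part of the original article. It uses the Windows Update Agent's COM interface and the built-in Get-HotFix cmdlet, both of which ship with Windows; the 45-day threshold is an assumption chosen to mean "missed at least one Patch Tuesday", and the update search needs network access to Microsoft Update or the school's WSUS server.

```powershell
# Added example (not from the original article): report how far behind on
# patches this Windows machine is. Run from an elevated PowerShell prompt on
# each desktop or server, or push it out via a logon script.

# 1. When was the most recent hotfix installed? (Some entries carry no date; skip those.)
$latest = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($latest) {
    $daysSince = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    Write-Host ("Most recent patch: {0} installed {1} ({2} days ago)" -f
        $latest.HotFixID, $latest.InstalledOn.ToShortDateString(), $daysSince)
} else {
    Write-Warning "No dated hotfix found; treating this machine as never patched."
    $daysSince = 9999
}

# 2. Ask the Windows Update Agent which updates are still missing.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")
$pending  = @($result.Updates)

# 3. Pull out the ones Microsoft rates Critical or Important; these are the
#    security fixes a school cannot afford to leave uninstalled.
$important = $pending | Where-Object { $_.MsrcSeverity -in 'Critical', 'Important' }

Write-Host ("{0} update(s) pending, {1} rated Critical/Important" -f $pending.Count, @($important).Count)
foreach ($u in $important) {
    $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    Write-Host ("  [{0}] {1} ({2})" -f $u.MsrcSeverity, $u.Title, $kbs)
}

# 4. A pass/fail a non-specialist can act on. 45 days is an assumption: it
#    means at least one Patch Tuesday has been missed.
if ($daysSince -gt 45 -or @($important).Count -gt 0) {
    Write-Warning "This machine is behind on security patches. Run Windows Update before it is used again."
} else {
    Write-Host "Patch status OK." -ForegroundColor Green
}
```

On a domain, the same check is easier to run centrally from the WSUS console, but this script is useful for the laptops and standalone PCs that never report in.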
Education and Acceptable Use Policies
Whilst it is true that most
Independent Schools have an ICT ‘Acceptable Use Policy’, it is also true that many
pupils and staff have limited knowledge of it and limited knowledge of how they
can stay on the correct side of it. In order for cyber security to work in a
school environment, staff and pupils alike must understand why it is important
to be safe online.
This must not just be in the
context of the school, but also of the individual. Pupils are unlikely to be
moved to stay safe online if they feel the only consequence of their actions is
the school getting fined. By educating pupils about the dangers to them personally of poor judgement online, such as ransomware locking their own coursework and photos or a phishing email stealing their bank details, they are far more likely to take cyber security seriously.
By agreeing a fair ICT Acceptable
Use Policy, educating pupils and staff on the details and rigorously enforcing
it, you can make great progress in your school towards a safer cyber
environment.
Contingency planning
Even if you feel that your cyber
defences are relatively strong, a determined intruder is difficult to keep out.
Schools have vast stores of personal data and Independent Schools in particular
have data on high income individuals – this makes them targets for cyber-crime.
Therefore, it is important to have a plan in place should a cyber-attack occur. Under the GDPR, an organisation that suffers a personal data breach must notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned. The notification must describe the nature of the breach, the categories and approximate numbers of individuals and records affected, the likely consequences, and the measures you are taking to address it and limit the damage; where the risk to individuals is high, they must be told as well. Meeting a 72-hour deadline is only realistic if the school has decided in advance who investigates, who decides whether to notify and who liaises with the ICO directly, and that person needs at least a basic understanding of cyber security.
You will also need a strong backup approach in place. Back up every day, to a cloud service or to an external drive, and make sure that at least one copy is out of reach of anything that infects the network: ransomware that gets onto a server will encrypt a backup drive that is still plugged in just as readily as the live files, and a cloud folder that simply mirrors the live data will mirror the encrypted versions too. So disconnect the external drive once the backup has completed and store it securely, and choose a cloud service that keeps previous versions of files. Furthermore, test your backups by actually restoring from them, to prove that they work and to measure how long a full restore of your infrastructure would take. If your tests show that a restore takes longer than the school could manage without its systems, look for better options.
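A scripted restore test, as an added example that is not part of the original article. It records a SHA-256 hash of every file at backup time, times a full restore into a scratch folder, and checks every restored file against the recorded hash, so "the backup works" becomes a number rather than a feeling. The paths and the three sample files are constructed for the demonstration; in use, point $Source at the real data share and $BackupDrive at the external drive or cloud sync folder.

```powershell
# Added example (not from the original article): prove a backup restores
# byte-for-byte and measure how long the restore takes.

function New-VerifiedBackup {
    param([string]$Source, [string]$BackupDrive)
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $archive  = Join-Path $BackupDrive "backup-$stamp.zip"
    $manifest = Join-Path $BackupDrive "backup-$stamp.manifest.csv"

    # Manifest of hashes taken from the live data at backup time. If ransomware
    # later corrupts either the live files or the archive, the restore test will
    # disagree with this manifest.
    Get-ChildItem $Source -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName.Substring($Source.Length).TrimStart('\')
            Hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv $manifest -NoTypeInformation

    Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $archive -Force
    return $archive
}

function Test-BackupRestore {
    param([string]$Archive, [string]$RestoreRoot)
    $manifest = Import-Csv ($Archive -replace '\.zip$', '.manifest.csv')
    if (Test-Path $RestoreRoot) { Remove-Item $RestoreRoot -Recurse -Force }

    # Time the restore: compare this against how long the school can be without its data.
    $elapsed = Measure-Command { Expand-Archive -Path $Archive -DestinationPath $RestoreRoot }

    $failures = foreach ($entry in $manifest) {
        $restored = Join-Path $RestoreRoot $entry.Path
        if (-not (Test-Path $restored)) { "$($entry.Path): missing after restore"; continue }
        if ((Get-FileHash $restored -Algorithm SHA256).Hash -ne $entry.Hash) {
            "$($entry.Path): contents differ from backup-time hash"
        }
    }
    [pscustomobject]@{
        Files    = @($manifest).Count
        Failures = @($failures)
        Seconds  = [math]::Round($elapsed.TotalSeconds, 1)
        Ok       = (@($failures).Count -eq 0)
    }
}

# Demonstration with constructed sample data so the script runs on any machine.
$demo    = Join-Path $env:TEMP 'restore-demo'
$source  = Join-Path $demo 'live'       # stands in for the school's data share
$drive   = Join-Path $demo 'external'   # stands in for the external backup drive
$restore = Join-Path $demo 'restored'   # scratch location for the test restore
New-Item $source, $drive -ItemType Directory -Force | Out-Null
1..3 | ForEach-Object { Set-Content (Join-Path $source "register$_.txt") ("sample pupil record {0}" -f $_) }

$archive = New-VerifiedBackup -Source $source -BackupDrive $drive
$report  = Test-BackupRestore -Archive $archive -RestoreRoot $restore
$report | Format-List
if (-not $report.Ok) { Write-Warning "Restore test FAILED: do not rely on this backup." }
```

Run it against the real data set on a quiet evening and keep the Seconds figure with the contingency plan; that is the number the ICO, the bursar and the head will all ask for if the worst happens.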
Removable Media Controls
Many people still use USB thumb drives or external hard drives to store and transport files. However, removable storage is an extremely unsafe way to manage file transfers. Thumb drives in particular are easy to lose, and when pupils and staff can use personal thumb drives to move files around, you have little control over what files they are removing from the school premises, or indeed what files they are bringing in to the school network.
If a pupil or staff member were to
bring in a thumb drive from home that had a malicious file on it, that file
would have the potential to infect the whole school network.
Ensure that removable media are encrypted, so that a lost drive does not become a data breach, and that their contents are scanned for malware before files are imported onto the school network. Many businesses have even banned removable media entirely. A cloud option, particularly one that is built from the ground up with security in mind, such as Citrix ShareFile, is in my opinion by far the safest way to store and share documents.
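The three controls above (encrypt, scan, or ban outright) expressed as Windows settings, as an added example that is not part of the original article. The registry values are the ones the corresponding Group Policy settings write (the BitLocker "Deny write access to removable drives not protected by BitLocker" policy and the USBSTOR service start type); in a domain, set them through a GPO rather than running this by hand. The function names are my own, and the drive letter in the usage line at the end is an assumption.

```powershell
# Added example (not from the original article): removable media controls on a
# Windows desktop. Run elevated. Requires Windows Defender and BitLocker
# (Windows 10 Pro/Enterprise or Windows Server).

# 1. ENCRYPT: refuse to write to any USB drive that is not BitLocker-protected.
#    Policy: Computer Configuration > Administrative Templates > Windows
#    Components > BitLocker Drive Encryption > Removable Data Drives.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item $fve -Force | Out-Null
Set-ItemProperty $fve -Name RDVDenyWriteAccess -Value 1 -Type DWord

# Encrypt a school-issued drive with a passphrase so it is usable under the policy above.
function Protect-RemovableDrive {
    param([string]$DriveLetter)
    $pass = Read-Host "Passphrase for ${DriveLetter}:" -AsSecureString
    Enable-BitLocker -MountPoint "${DriveLetter}:" -PasswordProtector -Password $pass -UsedSpaceOnly
}

# 2. SCAN: check a newly inserted drive with Windows Defender before anyone opens
#    files on it. Returns $true only if the scan found nothing on that drive.
function Test-RemovableDrive {
    param([string]$DriveLetter)
    $root = "${DriveLetter}:\"
    Start-MpScan -ScanType CustomScan -ScanPath $root
    $threats = Get-MpThreatDetection | Where-Object { $_.Resources -like "*${DriveLetter}:*" }
    if ($threats) {
        Write-Warning ("{0} threat(s) found on {1}; do not copy files from this drive." -f @($threats).Count, $root)
        return $false
    }
    Write-Host "No threats found on $root" -ForegroundColor Green
    return $true
}

# 3. BAN: for machines that should never accept USB storage at all (for example the
#    finance office PC), disable the USB mass storage driver. Start=4 disables it,
#    Start=3 restores the Windows default. Takes effect for newly inserted devices.
function Set-UsbStorage {
    param([ValidateSet('Enabled', 'Disabled')][string]$State)
    $start = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value $start -Type DWord
}

# Usage (drive letter is an assumption for the example):
# Protect-RemovableDrive -DriveLetter E
# if (Test-RemovableDrive -DriveLetter E) { Copy-Item 'E:\marksheets\*' '\\fileserver\staff\marksheets\' }
# Set-UsbStorage -State Disabled
```

The write-deny policy is the useful middle ground for most schools: staff can still read a parent's USB stick, but nothing leaves the building on an unencrypted drive, and the scan step catches what comes in.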
Be Vigilant
It is not easy to keep on top of
cyber security. However, it is so important to understand and to mitigate the
risks. By putting the advice listed above into action you will not be
completely protected from cyber threats, but you will have a strong foundation
of security.
If any school would like further information or consultancy on ways in which they can protect themselves, or ways in which they can reach GDPR compliance next May, please do not hesitate to get in touch with me at schools@entrustit.co.uk or 0330 002 0045.