Cyber, schools and week 1

The first week of the 2023/24 academic year has now been completed, and during this first week I have been made aware of 4 different schools having cyber incidents reported in the press. I think this highlights the risks that schools face in relation to cyber security and resilience, and possibly the fact that cyber criminals focus more directly on schools, and education more generally, at the points of the year when their attacks are most likely to succeed, such as the busy start of a new academic year. So what can schools do to reduce the risk?

I cannot speak to the 4 incidents, as I don't know sufficient details about the nature of the attacks, however there are actions which I believe schools can generally take to reduce the risk. Given below are the 5 things I would say are the priority areas:

  • Staff Awareness Training

In the vast majority of cyber incidents a human is involved at some point, and usually towards the start of the incident. Whether this is giving away user credentials after clicking a link in a phishing email, using a weak password or misconfiguring a system, our staff are both our weakest point and our best defence if properly trained. And this training needs to go further than a single session at the start of the year. It may include that start-of-year session, but it must also include advice, stories, examples and other awareness content throughout the year; little and often. Whether it is videos to watch, information given in morning briefings, or content in newsletters and other regular documentation, awareness content should be delivered frequently and in different formats and media. I also think one way to get the importance across is to look beyond the benefit to the school and highlight that good cyber hygiene matters in our daily lives and in our interactions with the many digital tools we all use.

  • MFA (Multi-Factor Authentication)

Phishing, and the credential theft that results from it, continues to be a common attack method. As such, anything that reduces the risk of a user's credentials being compromised is important. Multi-factor or two-factor authentication is an easy way of reducing this risk. Cyber criminals may get your password by guessing it or from a data breach of another service where you have re-used it, but without the second factor, such as the authenticator app on your phone, they are unable to get into the account. Now I have heard many raise issues about using their personal phones for this purpose and about having to install an authenticator app on their own phone. I get this, but there is no financial cost, as almost all of us have smartphones these days, and the cost of not having our school accounts secured, the risk to all staff's personal data, to student data, to parent data and to all the other data a school may hold, never mind students' coursework and other critical learning information, surely outweighs the downside of having a small authenticator app installed on the personal phone you already have? For me, all schools should have MFA enabled for any user who needs to access data from outside the school's network. Note that restricting an account so that it can only be used from the school's network is not a true second factor: anyone who gets onto that network, or who phishes a user while they are on it, still needs only the password. It is a useful compensating control that reduces an account's exposure, but it should not be mistaken for MFA.

  • Backups

We need to accept that a cyber incident will happen at some point in the future, and at that point we will need a way to quickly and safely recover our IT systems. Backups are key to this. As such it is important to have backups in place, and the 3-2-1 rule is a good rule of thumb: keep 3 copies of your data (the live copy plus two backups), on 2 different media (e.g. HDD and cloud, or HDD and tape), with 1 copy off-site, and ideally offline or immutable so that an attacker who has compromised the network cannot delete or encrypt it along with everything else. It is also important to note that your backups are of no value until the point when you need to recover from them, so you must test that you are actually able to restore from them before an incident forces you to. Finally, those who would need to conduct the recovery must be familiar and comfortable with the restore process, so that when under high pressure following an incident they know exactly what they need to do.
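The "test that you can restore" step is the one most often skipped, so here is an added example (not code from the original post) of a small restore drill: it backs up a constructed sample data set to a tar archive with a manifest of SHA-256 hashes, restores the archive into a fresh directory and checks every restored file against the manifest. The sample files, archive name and manifest naming convention are assumptions for the illustration.

```python
"""Backup restore drill: prove a backup can be restored before you need it.

Added example for this post, not code from the original page. Sample data,
file names and the manifest convention are constructed for the demonstration.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under `root` (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def write_archive(source: Path, rel_paths, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        for rel in rel_paths:
            tar.add(source / rel, arcname=rel)


def create_backup(source: Path, archive: Path) -> dict:
    """Back up `source` to a gzip tar and record file hashes beside it. In
    production keep the manifest with the off-site copy (ideally signed) so
    whoever tampers with the archive cannot simply rewrite the hashes too."""
    manifest = build_manifest(source)
    write_archive(source, manifest, archive)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore_and_verify(archive: Path, target: Path) -> dict:
    """Restore `archive` into an empty `target` and compare every file with the
    manifest. Returns a report rather than raising so it can drive alerting."""
    expected = json.loads(manifest_path(archive).read_text())
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The 'data' filter (Python 3.12+, backported to 3.8.17/3.9.17/
            # 3.10.12/3.11.4) rejects absolute paths and '..' traversal that a
            # tampered archive could use to write outside `target`.
            tar.extractall(target, filter="data")
        except TypeError:  # interpreter without the filter argument
            tar.extractall(target)
    actual = build_manifest(target)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    mismatched = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"restored": len(actual), "missing": missing, "extra": extra,
            "mismatched": mismatched, "ok": not (missing or extra or mismatched)}


def run_restore_drill(corrupt: bool = False) -> dict:
    """End-to-end drill on constructed sample data. With corrupt=True the
    archive is silently rewritten with one changed file after the manifest
    was taken, the kind of fault an untested backup hides until it is needed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "pupils").mkdir(parents=True)
        (source / "pupils" / "register.csv").write_text("id,name\n1,Ada\n2,Alan\n")
        (source / "timetable.txt").write_text("Mon 09:00 Maths\n")
        archive = root / "school-backup.tar.gz"
        manifest = create_backup(source, archive)
        if corrupt:
            (source / "timetable.txt").write_text("Mon 09:00 Music\n")
            write_archive(source, manifest, archive)
        return restore_and_verify(archive, root / "restore")


if __name__ == "__main__":
    print("clean backup  :", run_restore_drill())
    print("corrupt backup:", run_restore_drill(corrupt=True))
```

Run the drill on a schedule against a real backup copy, restoring into a scratch location rather than over live data, and treat any report where `ok` is false as an incident in its own right: a backup you cannot restore is not a backup.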

  • Patching

If cyber criminals didn't gain access via a compromised user account, then the other way they may gain access, or perhaps the second stage of their attack after compromising an account, is to exploit a vulnerability in software. This is all the more likely if you haven't patched your systems, since patches often contain fixes for known vulnerabilities which cyber criminals may already be actively exploiting. By regularly patching software, including operating systems and applications, we reduce the chance of a known vulnerability existing within our network environment. This includes patching or updating endpoint devices such as laptops, tablets and printers. Now this can sometimes be difficult, as it may result in downtime, whether waiting for a server to reboot or waiting for a device to restart, however it is important. Being pragmatic, and given that it may often be impossible to patch every device, server and system at once, the key is to identify which devices or systems matter most in terms of the operation of the school or the sensitivity of the data they hold, and to do those first. Every newly patched system represents a reduction in risk, so patching 1 server is better than worrying about which of 60 servers to patch and patching none. Every small step matters.

  • Least Privilege Possible

It is important to reduce the access rights of users to what they really and essentially need. This includes things like remote desktop access: if you are using Office 365 or Google Workspace, do users really need remote desktop access to on-site systems at all? Also consider your administrative credentials. Do your IT team need high-level access all of the time, or can they use Privileged Identity Management (PIM) so that they only escalate their privileges when needed, for a limited time? And when technicians log into PCs, are they using an account with Global Admin rights or a separate, lower-privileged set of credentials? Logging into a workstation with a Global Admin account exposes those credentials to any malware already on that PC. The more we can reduce the access rights granted to users, the less a cyber criminal gains should they compromise an account.

Conclusion

We have to accept that all organisations will suffer a cyber incident at some point in time, and this is all the more the case in education, where the diverse range of users' technology skills, the sheer number of users, the diverse range of systems and the limited investment in cyber security and resilience all come into play. The key thing, though, is that we need to make it as difficult as possible for the cyber criminals, and focusing on the 5 areas above will help do just that.

I am hoping that the 4 schools suffering incidents in the first week just reflects the busy nature of things at the start of term, and that things will settle down over the coming weeks, however I suspect these 4 schools are just the start of the list of schools which will suffer incidents in 2023/24.