October is cyber awareness month and an important opportunity to discuss and highlight cyber security and cyber threats. Now cyber security and particularly the development of a culture of positive cyber security practices is an ongoing requirement, however cyber awareness month provides a valuable chance to highlight cyber security and ensure it is the subject of discussion. Due to this I would briefly like to share some of my thoughts in relation to the main cyber threats as they current exist for schools and colleges.
Phishing, vishing and other “ishing” attacks.
For me, phishing and similar attacks based on SMS, messaging services, social media, phone calls and even malicious QR codes continue to be one of the most common attacks aimed either at compromising a user account or at compromising a target machine through malware. One of the big issues here is that we ae living in an increasingly busy world dealing with ever increasing numbers of emails, messages, etc. And in this busyness it is “human to err”, to click a malicious link, to reply to a malicious email or provide user credentials to a convincing looking, but fake, login page. Continued user awareness training can help in this area, making users more aware of the signs to look for in malicious messaging, but it can only go so far especially as people are becoming increasingly busy. For me, the key is for users just to have a fraction more time to review messages before acting, giving their conscious brain just that bit more time to engage and identify the unusual features of a malicious email, message or call. I am not talking about huge amounts of time, only fractions of a second. That said this time needs to come from somewhere in a time bounded world so we are going to need to make some compromises to fine this time as otherwise we are only likely to see data breaches resulting from phishing and other “ishing” style attacks becoming both more common and more significant in their impact.
Third parties
We are increasingly using more and more third parties, including online tools, in our lives and in our schools, whether this is a cloud hosted MIS, a learning platform, quizzing app, website provider or a multitude of other solutions providers. In each third party there is an additional risk. And this risk is two-fold. One part relates to an incident on this third party resulting in school data being breached, where the school as data controller, remains responsible. The other part of this issue relates to the use of a third party to gain access to a schools systems, possibly through a business email compromise attack having gained access to a compromised email account within a third party, or it could involve using integration between the third parties solution and school systems. Either way, I see third parties as the 2nd most significant risk which schools are exposed to. Due diligence is key here in terms of ensuring appropriate checks are done on vendors in terms of their approach to security, etc, although I note these are often only superficial in nature in the information third parties may provide via their policies or via response to direct queries. I suspect the other solution is simply least privilege and both limiting the access of third parties to school systems, plus in trying to limit the total number of third parties used. Sadly this is often easier said than done.
Conclusion
Given the above as to the two main risks as I see them, and the acceptance that a cyber incident is a matter of a when rather than an “if” scenario, it therefore makes sense to play out the above scenarios as desktop exercise to consider how your school might respond. Phishing can also be easily tested for through the use of a phishing test campaign, sending out a fake phishing email to see how users respond. I would suggest in both of the above scenarios there isnt a huge amount schools can do to prevent an incident, although I will once again state the importance of doing the basics in terms of cyber such as using MFA, patching, least privilege, taking and testing backups and performing regular user awareness training. So, if there is limited opportunities for preventative measures beyond the basis, then the key thing is to prepare for the most likely threat scenarios. How would you respond to a compromised user account resulting in MIS data being exfiltrated for example or to a third party data solution suffering a data breach resulting in school data being leaked publicly? Would police be involved? What would you tell the press, parents and the wider community? How would your school respond internally, including who would be involved in discussions around actions and who would have the authority needed to approve comms, etc, plus what roles would each person undertake? And how might you deal with wellbeing and mental health during a high stress incident?
It is better to consider these and other questions now, than waiting and having to answer them during an incident. And maybe this is one aspect of cyber awareness month we neglect; It isnt just about preventative measures and reducing the likelihood of an incident, it is also about acceptance that incidents will happen and therefore spending some time planning and preparing.
Technology and Learning