This year’s Cyber Security Breaches Survey states that 71% of secondary schools and 52% of primary schools reported a breach or attack in the past 12 months.
One of the most common forms of attack is phishing, where emails claiming to be from legitimate companies trick individuals into revealing personal information, such as passwords and personal data.
Ransomware is perhaps the most disruptive and expensive form of cyberattack facing schools. Malicious software is inadvertently downloaded, whether through a weakness in the ICT, a link or even a malicious document, and encrypts the data until a ransom is paid.
In September 2023, a large secondary Academy in Durham was referred to the NEBRC by their external IT support team following information from policing that they may have suffered a data breach. At this time, the circumstances of that breach were unclear, and Framwellgate School Durham chose to work with the NEBRC to understand if they had any weaknesses in their network that could be exploited to steal data.
In this blog, we share insights from the School Business Director, Wendy Pattison, on why Framwellgate School Durham is happy to share the experience that the Academy went through, in the hope that lessons learned by her school may help colleagues across the sector prevent incidents in the future and know who to contact for support should the worst happen.
So, what can you do to improve cybersecurity in schools?
Ensure you have someone with overall responsibility for IT security on the Senior Leadership Team.
Have a comprehensive cyber security policy in place to illustrate your commitment and spell out what you do around risks and cyber security. Our team at the NEBRC can work with you to help support the development and management of your cyber security policy.
Once you have a policy, make sure it is reviewed regularly, include it on your risk register and report on progress to your Local Governing Body.
Prepare an Incident Response Plan including a pre-determined set of instructions or procedures to detect, respond to, and limit the consequences of a cyber-attack.
Implement a backup strategy – at least 3 copies, on 2 devices, and 1 offsite. This strategy is popular because it scales effectively (including the use of the cloud for an offsite backup) and can give you confidence that your critical data is safe from a localised incident.
Install security updates as soon as possible – patches sent by software providers are designed to close known vulnerabilities. The longer it takes to install a patch, the more vulnerable you are.
Ensure your operating system and software are up to date. Avoid making yourself vulnerable by using out-of-date operating systems which no longer have mainstream support and for which fixes are no longer available.
Instil good password hygiene – create a unique password for each service you are using and avoid using passwords that are easy to recall or guess; the NCSC guidance highlights the use of three random words. Use a password manager to store passwords if you find them hard to remember – it will remember them for you.
Use Multi-Factor Authentication (MFA) where possible. MFA is when a user must provide two or more pieces of evidence to verify their identity to gain access to an app or digital resource – banks and online retailers use it.
Encrypt sensitive content, such as identity details (names, titles, roles) and contact details (addresses and phone numbers). Encryption converts information or data into a code to prevent unauthorised access.
Implement user awareness training so all staff understand the importance of installing updates, know how to spot a phishing email and know what to do if they are accidentally caught by one. From time to time, test staff awareness of potentially dangerous emails by undertaking a phishing test, and use adverse findings to build staff awareness of, and confidence in dealing with, potentially harmful emails.
Keep on top of your housekeeping and ensure that accounts for staff and students that have left your school are disabled or deleted.
Ensure that staff and students are only given access to files and resources that are relevant to them. If you provide a colleague with access to everything, your school will be more vulnerable if their account is compromised.
Run regular vulnerability assessments on your network to identify any systems that are out of date.
Use built-in security tools like Microsoft’s Secure Score, which gives a summary of your security position based on system configurations, user behaviour, and other security-related measurements. It represents the extent to which you have adopted security controls that can help offset the risk of breaches.
Ensure that you have secure, updated, back-up copies of contact details for parents. If this data is inaccessible or wiped in an attack, you can stay in touch and avoid potential safeguarding issues.
Carry out spot checks on the team, person or supplier responsible for managing your cybersecurity. If you are supported by a company, ensure that they have Cyber Essentials, Cyber Essentials Plus, IASME Governance or ISO 27001 certifications.
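The housekeeping check on leaver accounts described above can be run as a simple reconciliation between an export of network accounts and the school's roster. The following is an added example, not part of the original blog or an NEBRC tool; the CSV column names and the sample data are constructed assumptions, so adapt them to whatever your directory and management information system actually export.

```python
import csv
import io
from datetime import date

# Constructed sample data: an export of network accounts and the roster
# (with leave dates) from the management information system.
ACCOUNTS_CSV = """username,enabled
a.smith,true
B.Jones,true
c.patel,false
d.khan,true
old.supply,true
"""
ROSTER_CSV = """username,leave_date
a.smith,
b.jones,2023-08-31
c.patel,2023-08-31
d.khan,2024-07-19
"""

def find_stale_accounts(accounts_csv, roster_csv, today):
    """Return (username, reason) for enabled accounts that should be disabled."""
    roster = {}
    for row in csv.DictReader(io.StringIO(roster_csv)):
        leave = row["leave_date"].strip()
        # Usernames are compared case-insensitively; an empty date means "still here".
        roster[row["username"].strip().lower()] = (
            date.fromisoformat(leave) if leave else None
        )
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        user = row["username"].strip().lower()
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to do
        if user not in roster:
            # No matching person at all: often an old supply or shared account.
            findings.append((user, "not on current roster"))
        elif roster[user] is not None and roster[user] <= today:
            findings.append((user, f"left on {roster[user].isoformat()}"))
    return findings

if __name__ == "__main__":
    for user, reason in find_stale_accounts(ACCOUNTS_CSV, ROSTER_CSV, date(2024, 1, 15)):
        print(f"DISABLE {user}: {reason}")
```

Accounts with a leave date in the future are left alone until that date passes, so the same check can be re-run at the end of each term.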
Wendy Pattison, CFO / Academy Business Director of Framwellgate School Durham, shares her story below:
When the incident occurred in September, it was like a bolt out of the blue. Schools think they are prepared for such incidents, but in reality, until it happens, you do not know how prepared you are and if you have thought of everything. The truth is none of us know what the impact on our school will be until something like this actually happens to us.
If you lose your network and have to take it down, what is attached to it? Phones; tills; photocopiers; management information systems; safeguarding logs and more. If you lose all of this at the click of a button, with no notice, what happens to your students and staff and the wider school community? How can you ensure the children are safe? How long will you be down for? Does your plan cover all of these eventualities?
I have said many times since the event that our business continuity plan rewrote itself throughout the course of the incident. Initially we were dealing with very limited information and it wasn’t until a few weeks after we were informed that the network had been compromised, that we fully understood the extent of a data breach which had occurred, and for how long the network had actually been compromised. This was over several weeks.
Each situation will be different in every school and this makes planning, for what I believe for many will be the inevitable, very difficult.
As Martin often says, failure is our greatest teacher, and knowing now what I do, I would have insisted on an annual vulnerability check of the network. This was something the NEBRC did for us within 24 hours, and they immediately found key vulnerabilities around our VPN which we were able to resolve quickly. This is most likely how access was gained to the network and if the good guys had found this before the bad guys did, we wouldn’t have been in this situation.
An annual vulnerability assessment costs very little in comparison to how much we had to spend on dealing with the incident. There are also many things without a cash value which are harmful to the school including safeguarding of children and staff; reputational damage; loss of faith from the school community and more.
The best course of action is to do everything possible to avoid an incident in the first place. Your risk register plays an important role in this, and highlights to Governors and Trustees the importance of cyber security. Something I learned from Martin’s sound advice was that it wasn’t the school that was targeted. Like it’s not a hospital that’s targeted or British Airways, or Boots. What is targeted are known vulnerabilities that exist. The bad actors on our network didn’t know it was a school until they found the vulnerability on our network and got in. Like a burglar trying door handles as they walk down a street.
It is also vitally important to ensure the leadership team in the school are involved in business continuity planning for should the worst happen. I am a senior leader in my organisation but if colleagues around the table are not involved in the planning stages, you are in a very lonely place. I haven’t experienced stress like I felt over the weeks that ensued, from the initial notice of the network breach, to the notice of a significant data breach and the work involved in managing the fallout of the whole event. Work which is still underway today. The impact on everyone involved is significant and not to be underestimated.
It is also important to contact the right people in your organisation. One of the first things I did was contact our Chair and Vice Chair of the Trust to keep them in the loop and to gain their support. It is important to communicate with a few key stakeholders in the first instance and not let the message go out too widely in case of misinformation and in case it gets into the wrong hands, such as the media. However, the Board are ultimately responsible for everything in the school and it is therefore essential to be open and honest with them as they will have some key decisions to make. It should also be understood that as the police are involved with such serious cases, there will be an ongoing live police investigation, which is still the case at Fram to this day, so the message out needs to be managed very carefully so as not to interfere with the case.
One final lesson learned that I would share is that in reality, and being totally honest, many of us do live in blissful ignorance. Not because we don’t care, are bad people or because we aren’t good at our jobs. But because until it actually happens to you we think that our network is sound and impenetrable. The sad fact is that for so many organisations, it is a case of not if but when, and schools I would argue for many reasons are a very vulnerable sector. We don’t have the funds of big corporate organisations, therefore we don’t have the expertise or expensive systems in place. We do our best with very little, and again, if I can leave one message for colleagues it is to get that vulnerability assessment done. This will show you what needs plugging before it is exploited and will add in that extra layer of defence alongside everything else you may have in place.
As the number of cyber incidents is increasing nationally, and within the schools sector particularly, it is so important to work together to share experiences and lessons learned and to reach out to partners such as Martin and the NEBRC who are trusted experts in the field. They are there to advise and support to help avoid such attacks, but if the worst happens, like it did for us, they are there to scaffold, support, advise and get you through to the other side and for us have become a permanent friend.
At NEBRC, we work to educate and inspire organisations to understand the importance of having strong cyber security.
For further advice on how to keep your school cyber safe contact a member of our team today at: [email protected]