Schools told to develop ‘hack plan’ to avoid NHS cyber attack

Stringent “hack plans” must be developed by schools in the light of a global cyberattack that brought much of the NHS’s computer system to its knees last Friday.

Security experts say teachers should not open links or attachments on laptops or phones connected to a school’s network in case the message is a fraud.

Ken Corish, online safety director at the education tech charity, South West Grid for Learning, said “more and more schools” had been hit by ransomware viruses that encrypted sensitive data before the hackers demanded payment to get it back.

“Tens of schools” in the southwest had been affected over the past year, with some paying thousands of pounds to hackers, he said.

In one case, a school left the affected computer running for five days without telling the local authority, allowing the virus to spread throughout its computer system.

“It’s like a cold virus. It doesn’t target schools specifically, it takes the opportunity where defences are weak,” Corish said.

At the end of last week, a virus infiltrated the NHS’s outdated Windows XP system, leaving many hospitals unable to access patients’ medical records.

A ransom – to be paid in bitcoins, the internet currency – was demanded.

Steve Proffitt, deputy head of Action Fraud, the national cybercrime reporting centre, told Schools Week the hackers were likely to morph the ransomware and attack again.

“Schools using old Windows systems are incredibly vulnerable.

“If systems are susceptible, the virus could go into your finance details and empty your budget for the year.”

Schools Week has previously reported that hackers have demanded up to £8,000 from targeted headteachers for sensitive data to be recovered.

Corish and Proffitt recommend a number of strategies to avoid ransomware threats.

Staff should not open links or attachments in emails or texts on phones or laptops connected to the school’s system, even if they recognise the sender.

Unless an email with an attachment or link was expected, “ring the sender and check they sent it”.

Schools should have a data protection strategy, with sensitive data backed up daily off-site or in the Cloud, and all other data backed up weekly. This would allow data to be recovered without payment if there were a ransomware attack.

Anti-virus and anti-malware software and all other systems should be kept up to date. Ransomware-specific protection is available as a bolt-on to anti-virus software for as little as £4 for each device for a year. School-specific disaster recovery insurance for £25 a year would cover £12,000 of costs.

Staff should be trained to recognise a ransomware attack, they say.

For instance, a computer will become unusable or data will disappear. A “splash screen” will also pop up demanding a ransom – often in bitcoins – to have sensitive data returned unencrypted.

A school’s “hack plan” should immediately cut off the “infected” machine from the network. The school should then call Action Fraud and the local education authority or central academy trust.

If personal data has been breached, the Information Commissioner’s Office should be told. All attacks should be communicated to parents.

Tony Parkin, an education technologist, said smaller schools without a savvy staff member could particularly “overlook” the need to update all their systems. It should be a priority, he said.