The education sector has been hit hard recently with cyber attacks resulting in highly confidential data on parents and students being leaked onto the dark web.
Just this month, 14 schools in the UK had documents leaked online by hackers. This followed an attack last year by ransomware cybercriminal gang, Vice Society, who are behind a recent string of attacks on schools in the US and UK.
Documents ‘sold’ on the dark web included children’s SEND information, child and parent passport scans, staff pay scales and contract details. Some of the passport scans dated back to school trips from 2011.
Schools are high on the target list due to the rich data they hold. According to the UK government’s 2022 cyber breaches survey, 41 per cent of primary and 71 per cent of secondary schools reported an attack in the previous 12 months. They’re also considered a soft target, often because of inadequate protection in place due to a lack of budget and resource.
It’s therefore critical for any school today, to have an incident response plan in place that helps to quickly contain a threat and minimise damage as much as possible should an attack occur. This should include:
Prepare
This was the topic of last week’s Solutions article in these pages, but it bears repeating: An effective incident response plan is crucial to mitigating the risk of a data breach.
Understand what data you’re holding and mark this data with an expiry date to be auto-archived or deleted. Ensure to have a good patch management policy in place, conduct regular vulnerability assessments, and keep end-point protection up to date.
Encrypting data at rest is key and could act as a second line of defence should an attacker gain access. Segregate data too, to limit people’s level of access.
Finally, ensure that your security policies align with your data protection regulations and, at a minimum, employees should receive regular cyber awareness training and your systems should be audited regularly.
Identify
The next stage of the plan is what to do should your systems have been compromised. The quicker you can spot an intrusion the better, which is why its key to have someone constantly monitoring the network. Automated response systems exist that can do just this very quickly.
When identifying a security incident, communications are key. Ensure that everyone who needs to be informed or consulted is contacted in a timely manner and people are authorised to make swift decisions.
Contain
Thirdly, know how to mitigate the damage once you’ve been breached. This could mean removing or taking systems offline and steps to close vulnerabilities as well as action to remove or isolate the hacker from your system.
If it is a ransomware attack – a hacker demanding money in exchange for returning your data – then refrain from paying the criminal’s ransom demand if possible. This just finances them to strike again. And there’s no guarantee that your data will still be intact.
Eradicate
Then, identify how the network was compromised to rectify the weaknesses that enabled the data breach to occur and reduce future risk. Actions during this phase will depend on what type of attack occurred. For example, if it was through an employee’s login credentials, freeze their account.
Recover
Once the threat has been contained or removed, you can focus on getting your systems back online. This can be complex as hackers often leave a mess behind, but it is essential to do this speedily to avoid a repeat attack.
Once complete, test and monitor the affected systems to ensure that new measures you’ve put in place are working effectively.
Despite a school’s best effort to stay cyber secure and no matter how strong your cyber security posture is, the reality is that sometimes attacks and breaches slip through the cracks. This means it’s critical to be prepared.
Should an incident happen, take time to assess what happened and learn lessons so that your school’s cyber defence grows stronger against present and future threats.
Good article. I would add “communicate” though. My school was hit with a cyber attack last year, and was shut down for two months. We had zero contact from our tutors throughout the ordeal – because they couldn’t contact any students as all of our details are stored electronically.
One of the problems was even the phone systems were hooked up via MS Teams so they couldn’t receive calls. None of the tutors had any of our contact info. We logged on to our Google Classroom for materials the morning of a class when this all started – and it was only due to another student finding a notice on the website we found out classes were cancelled indefinitely.
It’s been 7 months now and we have never received any communication about if our data were compromised.