A spike in ransomware attacks on schools should be spurring leaders – and the Department for Education – to pre-emptive action, writes Hayley Dunn
Since February, there has been a disturbing rise in ransomware attacks on schools, prompting the National Cyber Security Centre to issue an alert to the sector in March. So while we welcome the government’s announcement that it is responding with training and guidance, we are concerned that they are simply not doing enough relative to the size of the risk.
A faceless crime, ransomware is a type of cyber attack that prevents users from accessing their IT system and/or the data it holds. Usually, large amounts of data are encrypted, but fraudsters may also steal or delete it. An initial attack will be promptly followed by a threatening demand for funds in the form of cryptocurrency to release or restore the compromised files.
As those who have been attacked will attest, ransomware has a devastating impact. Restoring services to their usual capacity and functionality can take weeks, if not months, of work. And imagine the burden of responsibility on the individual – staff or student – who unwittingly clicked the link that triggered the attack.
Cybercrime is nothing new to the sector, but attackers have become more devious. Their previous modus operandi of blocking access and locking users out of their data was largely thwarted by the move to offsite backups and cloud-based technologies, which protect information and reduce the impact of disabling hardware.
Now, they have moved to focus on confidential and sensitive information. They target networks using remote access systems and virtual private networks, often using convincing phishing emails designed to catch out unwary employees to deploy their ransomware. These are aimed at exploiting unpatched software vulnerabilities, weak passwords and lack of multi-factor authentication processes. Most mobile phones, for example, have only one-step authentication via a passcode.
Cybercrime is not new but attackers have become more devious
The NCSC reports the new trend is to threaten to publish stolen sensitive information. Given the volume of highly sensitive pupil and workforce data schools are required to hold, especially in relation to safeguarding and child protection, the resulting levels of stress and anxiety for school leaders is unimaginable. After all, publication of highly sensitive information can put lives at risk or derail legal processes.
And then there’s the financial impact of ransomware. According to reports in the IT press, this has more than doubled this year alone, and we aren’t even halfway through. The costs, which include system downtime, lost efficiency, new devices, new network infrastructure, lost opportunities, possible third-party claims and Information Commissioner’s Office (ICO) fines, are potentially devastating.
A key element of the recovery of these costs (and the speed of reparations) is how much cover schools get from their insurers. Yet specialist cybercrime insurance is out of reach for most, leaving them adrift and potentially exposed by inadequate cover.
The DfE is supporting the National Crime Agency’s advice on ransom payments, rightly advising leaders not to consider or action payment of any ransom demands. Realistically though, few education institutions would even have the means to pay.
So what are schools to do in the face of this new strategy from fraudsters?
It may be impossible to entirely eliminate the risk of a successful attack, but the good news is that there are ways to prevent compromise and reduce the impact of an attack when it does happen.
Helpfully, the NCSC has published useful advice. It recommends treating the cause, not just the symptoms, with a “defence in depth” strategy. In practice, this means schools should have an incident response plan that will reduce the risk and enable effective recovery, including regularly backing up systems offline and practising their emergency response protocols.
In the face of Covid, it may seem like an exaggeration to say that cybercrime is one of the most significant risks facing school leaders. But it’s the truth, and our increased reliance on technology to get through the pandemic has only increased that risk.
So more advice is on the way, including at ASCL’s Business Leaders Conference in a week’s time. But in the meantime, leaders should be taking what steps they can, and the DfE should be looking at how it can better support leaders to protect themselves.