Posts

Schools Warned They Are ‘Easy Prey’ For Cyber Attackers

A cyber security professional has warned schools to prepare to face more attempted cyber breaches in 2023 after a wave of cyber attacks saw sensitive documents such as children’s passports and staff contracts exposed to the dark web.

Attackers infiltrated UK schools using ransomware, a type of malware that gains access to computer systems and blocks user access until a sum of money is paid, and also by exploiting vulnerabilities in systems that are not patched or secured.

Some of the exposed documents dated back more than a decade, raising serious concerns about how much priority cyber and security is being given, especially as school leaders identify cyber and security as a top 3 risk.

 

Why is the education sector so under threat and why must it act now?

According to Scott Slocombe, Deputy CTO and a Cyber Professional at PSP Agile IT, the education sector is being targeted because of the amount and value of their data and the security posture of their technology environments.

“I’ve worked in education for almost two decades and the surge in ransom attacks we’re seeing is alarming. Sadly, attackers don’t care about the moral element, they see education as easy prey, with a high success rate due to poor business continuity and untested disaster recovery methods.”

Scott claims there are a number of vulnerabilities that attackers can expose. A typical network could connect all staff, teachers and pupils, who may use the open wi-fi and share files on their personal devices, increasing the risk of a cyber incident.

“It’s critical schools, academy trusts, colleges and universities perform security assessments and audits regularly. We need greater awareness and sharing of best practice to help the education sector adapt to the challenges, also harness investment by companies like Microsoft who have solutions like EDR (Endpoint Detection and Response) or ATP (Advanced Threat Protection) on their SaaS platforms like Microsoft 365.”

 

What can educational bodies do to protect themselves?

There are several ways organisations can bolster their cyber defences and improve their ability to react to a data breach. Scott has four initial steps to develop a bullet-proof plan for cyber resilience:

 

  1. Take ownership at senior level

“Cyber security is a whole school issue, and it’s important that the person who takes ownership of a school’s cyber strategy engages with IT teams, staff and directors to build a robust strategy that is free from jargon. Security and cyber should not be seen as only the responsibility of the IT team, it is crucial that your IT leader is heard at senior level, challenged and supported, but cyber and security is as important as safeguarding or health and safety, and is everyone’s responsibility.

 

  2. Regular review of vulnerabilities and annual pen testing

“Threat actors are constantly attempting to access your systems, using leaked credentials on the dark web to exploit, harnessing phishing attacks or other social engineering techniques. You need an understanding of your security posture to do the technical mitigation to help protect your systems.

“Education providers should be performing security reviews across all their infrastructure, from end-point devices to cloud platforms.

Regular vulnerability assessments, external audits and annual penetration testing will highlight vulnerabilities in your systems, and help you understand that your strategy for mitigation, processes and procedure and awareness is efficient and effective.  

  3. Best practice including pupil and staff awareness

“Every device is a door to your network and systems, the more schools expand their device programmes for staff and pupils, they are increasing their surface attack area; it’s important to keep those doors shut by having robust patching systems and procedures. Once an attacker gains access to one device, they have means to infiltrate your wider systems.

Every end-user must be aware of common cyber threats and how to spot them. As with safeguarding and health and safety; security, cyber and e-safety should form part of your staff induction process.

The NCSC provide an overview of the areas of focus for the education sector, including their CyberFirst program. They also provide a framework and awareness for cyber security, outlining the foundations for you to start or grow your cyber resilience.

You also have a British standard for cyber security, which provides best practice and a framework to build your cyber resilience from your trustees to your pupils.”

  4. Business Continuity Planning and Disaster Recovery

A business continuity plan ensures that, even in the event of disaster, schools can still safeguard pupils and staff, and restore the systems back to an operational standard.

By developing a disaster recovery plan with runbooks, organisations will have well-documented policies and procedures to make them ready to respond when a cyber incident or crisis occurs and can quickly recover lost systems and/or files.

Perform monthly reviews and annual desktop exercises to test the procedures and runbooks to ensure, when the day comes, you will come out the other side.

 

About PSP

A Microsoft gold partner with a combined experience of over 40 years defining strategy, implementing solutions and for over 14 years providing agile roles and services for various sectors including the education and membership sectors.

Website: www.psp-agileIT.co.uk

Cyber insurance provider Coalition urges schools to check internet security using free online scanning tool

 

  • Call comes after 14 schools hacked and confidential documents leaked

 

Following cyber-attacks on 14 UK schools and colleges, cyber security and insurance provider Coalition is encouraging educational establishments to use a free online security scanning tool to check their internet security.

 

The tool, called Coalition Control, scans all the parts of an organisation that face the internet to give a ‘hacker’s eye view’ of security. It then provides a report listing any security vulnerabilities and their severity so that organisations can take active steps to fix them and mitigate risk.

 

The call comes after a hacking group named Vice Society stole confidential documents from schools and posted them online. According to the BBC, Vice Society is behind a recent string of high-profile attacks on schools across the UK and the US.

 

According to the UK Government’s Cyber Security Breaches Survey 2022, 41% of primary schools and 70% of secondary schools had suffered at least one cyber-attack during the previous year. Of the schools attacked, phishing was the most common form of incident, followed by impersonation attempts and viruses. The report noted that ‘schools do not necessarily stand apart from the typical business in terms of the kinds of breaches and attacks they are reporting.’

 

Tom Draper, Coalition’s Head of Insurance in the UK, said: “We know that most British schools and public sector entities can’t afford to buy cyber insurance or top-line cyber security. But by using Coalition Control, they can get an accurate picture of what security weaknesses a hacker can see in their system within a couple of minutes, and easily understand if any data, like passwords, may have leaked onto the web.”

 

Coalition Control is available online at https://control.coalitioninc.com/. Users input their email address, validate it, then provide basic information, including the organisation’s email domain, to begin the scan. The results are usually available within minutes and provide clear advice on resolving the identified issues.

 

Draper continued: “Coalition’s mission is to protect the unprotected, especially small businesses and the public sector. Having made this incredibly sophisticated scanning tool available in the UK, it seems a no-brainer for schools and colleges to check their security using it. It’s also useful for students studying computer sciences to see what a scan like this can detect.”

 

Coalition is the world’s first Active Insurance provider with a radical approach of combining sophisticated cyber security tools with cyber insurance. Founded in the US in 2017, the firm has since expanded to Canada and launched in the UK last September. Founder and CEO Joshua Motta was a former CIA operative and was invited to the White House to discuss cybersecurity with President Biden in 2021.

 

Free cybersecurity toolkit for schools launched

LGfL’s Elevate Cybersecurity Toolkit for schools. 

 

Hacking, phishing, malicious software and distributed denial of service (DDoS) attacks are on the increase according to the National Crime Agency. With more and more schools falling victim to cybercrime and pressure mounting on governors and school leaders to implement appropriate controls, edtech charity LGfL-The National Grid for Learning has launched a new, free resource called the Elevate Cybersecurity Toolkit for Schools to help steer them in the right direction.

 

The new toolkit comprises a collection of key documents that schools can use to improve their cybersecurity and also use as a foundation for attaining Cyber Essentials Certification – a foundation level certification designed to provide a statement of the basic controls they should have in place to mitigate the risk from common cyber threats.

 

The following key documents can be downloaded for free:

 

A CyberSecurity Policy Template – designed to complement the school’s existing social media and acceptable use policies – which outlines the school’s guidelines and security provisions that are there to protect its systems, services, and data in the event of a cyberattack.

 

An Incident Response Plan which can be used as a starting point for planning recovery from a ransomware attack, or any other kind of unforeseen outage.

 

An Example Risk Register that can be used to assess, evaluate, prioritise and manage cybersecurity risks. This can also be used by the school’s senior leadership team to report to governors on how they are proactively managing risks and improving cybersecurity.

 

An Example Asset Register that can be used as a starting point to inventory the equipment used in the school. It sounds obvious, but it’s impossible to be secure if you don’t know what you have.

 

An Example Software Register used to record which software/systems schools have and whether they hold confidential information. This can be used to complement the Incident Response Plan for prioritising the recovery of services.

 

Commenting on the new resource, Dinesh Seegobin, Head of ICT at STEP Academy Trust, said, “We all know that being aware of cybersecurity is critical but how many of us can claim to be experts? In addition, there is so much information out there to digest, where do you begin? This is where, yet again, LGfL has come to our rescue. The Elevate Cybersecurity Toolkit is an absolute game changer. A one-stop shop to help get you on track backed up with all the weight of industry experts.”

 

To download your free copy please visit http://www.elevate.lgfl.net


Department for Education provide almost 2 million laptops to students for remote learning

London, 17th August – The Department for Education (DfE), the UK government department responsible for the English education sector, has provided nearly two million electronic devices to children and young people to support their education.

The research, retrieved via the Freedom of Information Act (FOI) and analysed by the Parliament Street think tank, observed the number of laptops, tablets and phones purchased by the DfE over the past three years, for staff, teachers, and students during the era of remote learning over the pandemic.

It was revealed that the Department for Education has supplied a total of 1,939,320 electronic devices, including laptops, tablets and mobile phones, to DfE staff, as well as students, delivered via the Get Help with Technology Programme (GHwT).

The GHwT Programme has sought to provide devices to children and young people to support their education and keep them connected to teachers and peers, with laptops and tablets being lent to digitally deprived students, by schools, trusts and local authorities.

The greatest investment in devices came between July 2020 and June 2021, with 1,122,308 devices purchased, 1,114,789 of which were for the GHwT Programme.

Cybersecurity expert Achi Lewis, Area Vice President EMEA of Absolute Software, commented: “It is fantastic to see the Department for Education supplying not only their staff with new devices, but helping to deliver new technological equipment to classrooms across the UK in order to help with education and staying online, especially throughout the difficulties of the pandemic.”

“For staff connecting to the DfE’s network, and students connecting to their school network, it is important that individuals are not only educated on potential cyber threats, but also the right cybersecurity measures are in place in order to avoid sensitive data breaches.”

“Remote secure access solutions which promote strong network resiliency are the backbone of remote working environments, providing IT teams with valuable insight into device and application activity in order to identify suspicious behaviour and freeze, or shut off, compromised devices, or apply pre-defined policies to protect company resources and data.”

The news comes prior to A level results day on August 18th and GCSE results day on August 25th.
