As schools start to wind down for the summer holidays, this is a good time to really consider just how vulnerable they are when it comes to cybercrime and what measures they should be taking to improve their cyber resilience.

Earlier this year, the government issued the Cyber Security Breaches Survey 2024 which contained the following findings collated from samples of UK educational institutions:

• 52% of primary schools identified an attack in the past year (which sits relatively close to the number of businesses which also reported a breach).

• 71% of secondary schools identified a breach or attack in the past year.

Our colleague at the Cyber Resilience Centre for Wales, Director Paul Peters, recently delivered a presentation at a school bursars’ event and spoke to businesses that manage the network for a number of schools in order to get an insight into the issues. The problems identified to him included suffering from underfunding, a lack of patching/updating, unsupported machines and an absence of robust policies.

To look into this deeper, Simon Plummer, Director of Information Security from Collective Security Nottingham, a trusted security partner for SMEs and proud Community Ambassador for the East Midlands Cyber Resilience Centre, commented:

Why are schools such an attractive target for cybercriminals?

Sensitive Data: Schools store a wealth of sensitive information, including personal and sensitive details of students, parents, and staff, as well as financial information and academic records. This data is valuable on the black market and could be leveraged in ransom situations.

Limited Resources: Many schools have limited budgets and resources for cyber security and  reliance on third party suppliers without suitable security assessments making them easier targets compared to well-funded organisations.

Varied User Base: Schools have a diverse and large user base, including students, teachers, administrative staff, and sometimes even parents, which increases the number of potential entry points for attackers.

Lack of Awareness: Students and staff might lack awareness or effective training on cyber security practices, making it easier for cybercriminals to exploit human error.

What are the most common cyber-attacks currently used by hackers to infiltrate a school’s network?

Phishing Attacks: Emails or messages that trick users into revealing sensitive information or installing malware. These would be the usual pre-curser to onward threats such as;

• Ransomware: Malware that encrypts the school's data and demands a ransom for its release.

• Distributed Denial of Service (DDoS) Attacks: Overloading the school's network with traffic, making it unavailable for legitimate users.

• Data Breaches: Unauthorised access to sensitive data, often involving hacking into databases or networks.

• Malware: Various forms of malicious software, including viruses, trojans, and spyware, that can disrupt operations or steal information.

What damage can a cyber-attack on a school cause?

Much the same as a corporate enterprise, however due to the limited resources, they do not have the ability to ‘absorb’ the financial and reputational issues making these threats much more impactful.

Data Theft: Loss of sensitive student, staff, and financial data, which can lead to identity theft and other crimes.

Financial Loss: Costs associated with responding to the attack, including paying ransoms, legal fees, and investing in improved security measures.

Operational Disruption: Interruptions to the educational process, such as systems being down or unusable, leading to lost instructional time.

Reputational Damage: Loss of trust from students, parents, and staff, which can affect the school's reputation and enrolment numbers.

Legal Consequences: Potential legal liabilities and regulatory fines for failing to protect sensitive information adequately.

What are the biggest vulnerabilities for a school?

Insufficient Training: Lack of cyber security training for staff and students, leading to poor practices and easy targets for phishing.  The ‘Human Element’ is often overlooked where it is quite possibly the biggest risk. Human problem, not ‘IT Problem’.

Outdated Software: Using outdated systems and software that no longer receive security updates.

Weak Passwords: Lack of strong password policies and the re-use of passwords across multiple systems/services.

Inadequate Network Security: Weak network security configurations, including insufficient firewalls and intrusion detection systems.

What are five key basic cyber resilient tips that you advise all schools to put in place to help protect against a cyber-attack?

Education and Training: By far one of the most important tips. Conduct regular effective cyber security training and awareness programmes for staff and students to recognise and avoid cyber threats. Training should be targeted, based on the risk profile of the user and not ‘blanket training’. Interactive sessions should also be conducted over standardised ‘cartoons’ or text based training. Regular testing of ‘awareness’ in the organisation can help identify risky areas and help target specific training as needed.

Strong Password Policies: Enforce strong password policies, including the use of complex passwords, and preventing re-use of passwords across multiple systems.

Regular Software Updates: Keep all software and systems updated with the latest security patches to protect against vulnerabilities.

Implement Multi-Factor Authentication (MFA): Use MFA for accessing sensitive systems and data to add an extra layer of security.

Data Backups: Regularly back up critical data and ensure backups are stored securely and tested periodically for recovery.

The Police CyberAlarm tool is free and completely available to all who wish to understand and monitor malicious cyber activity. It will detect and provide regular reports of suspected activity, enabling organisations to minimise their vulnerabilities.

Original source: The Cyber Resilience Centre for Wales

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).