It's Not a Game...
Image Source: https://www.moviestillsdb.com/movies/wargames-i86567/2f96edec
It is 40 years since the film Wargames when Matthew Broderick hacked into the computer systems at his school to change his grades and those of the girl he wanted to impress (Ally Sheedy – if you’re trying to remember!).
The reality for schools four decades on is that the science-fact is rather more disturbing than that of science-fiction. 15 schools across Hull and Yorkshire were targeted by cyber-criminals at the end of 2022. The local media reported a ransom demand of £15 million for access back into their systems, but this has been denied by the MAT responsible for the schools who have said that they would not pay a ransom ‘on principle’.
This is not an isolated incident according to the recent Cyber Security Schools Audit 2022 published by London Grid for Learning (LGfL) in conjunction with the National Cyber Security Centre (NCSC). This is the second such audit, the first on taking place in 2019.
Both organisations flagged that since 2019
‘…the pandemic caused a significant and sudden shift towards remote-learning technologies and an even greater reliance on system availability. A cyber incident causing even a few minutes’ outage can have a massive impact on teaching and learning.’
Media headlines reporting on the Audit focused on attacks via email
SchoolsWeek report 17-01-2023
Fraudsters impersonate staff emails at one in three schools (schoolsweek.co.uk)
805 schools took part in the Audit. As they were self-selecting, we don’t know whether we can extrapolate their results across the entire sector. Nevertheless, there is no doubt that schools are the target of both sophisticated and more ‘basic’ cyber threats.
Increased vulnerability to cyber attacks
Schools are ever more reliant on their IT systems for use by both staff and students. That dependency creates a vulnerability – to both deliberate attacks and ‘accidents’. School networks are uncommon in the sheer size of the user base – in a secondary school up to 2000 users is not uncommon. In a MAT with interconnected systems then the numbers ramp up. As educational organisations now ensure that they have protected systems with hardware/software in place, schools’ cyber-security risks are focused on the human dimension.
Source: Cyber Security Schools Audit 2022
The LGFL/NCSC report is positive about the increasing number of schools that now have policies and procedures in place, but it’s the people that matter. After all, we know that burglars will try front-doors in domestic buildings to check if someone has not locked the door at night…
Our own awareness of cyber attack
There is always a danger that staff and students don’t understand cyber security, have a poor attitude to risk, they find it burdensome/time-consuming and therefore don’t pay attention to it or they have a ICHTM (It Can’t Happen To Me) approach.
Phishing (fraudulent emails), spoofing (impersonation) and malware/viruses/ransomware were the top three issues experienced in 2022. Hackers frequently use a combination of these three methods in an attack. Staff need to know that email is a prime gateway into schools for cyber-criminals.
Spoofing is a particular vulnerability for schools. Staff receive lots of email from across their organisation and with published staff lists on websites and obvious email address protocols (often variations of firstname/surname@nameofschool.org) it could be straight-forward to construct an email address that appears legit… clicking and responding might be just too easy…
Recovery from a cyber attack
The LGfL report has published some more in-depth comment in its report Cybersecurity in schools – are we teaching and learning? The report identifies 8% of the
surveyed schools had suffered significant impact as a result of cyber-security breaches, that still meant 1000s of staff and students experiencing disruption.
Source: Cyber Security Schools Audit 2022
While it is possible for the organisation and operations to return to normal, the potential impact on children’s lives cannot always be reversed, which underlines the seriousness of every single case.
Recovery time for these schools could be up to months but usually was confined to weeks. The issue in Hull and Yorkshire, reported previously, struck over Christmas/New Year but the consequences have extended into 2023 as they slowly bring systems back on-line.
Even though the schools in the LGfL audit were able to restore normal school operations quickly, this does not capture the lasting impact that a major incident can have. What’s more, hackers know they are more likely to receive a ransom payment during critical periods for school operations. In common with the Hull/Yorkshire events, industry sources note that ‘…there is an increase in cyber-attacks carried out during holidays, weekends, and outside of working hours’.
Cyber security vigilance
Cyber-security is not being ignored in UK schools, but the conversations about it need to be louder, longer and listened to by more people. Being forewarned is being forearmed – so what needs to happen ?
Source: Cyber Security Schools Audit 2022
Schools need to take this threat seriously. If a MAT, such as the ones discussed above, responsible for thousands of pupils can be targeted, then size is no guarantee of safety – whether large or small. Some organisations are targeted because they are small, since there is a likelihood that their systems aren’t protective or extensive. For larger organisations, their very complexity means that there are far more human vulnerabilities in the system.
Remember even something we use every day can be compromised – witness the scammers who are taking out GoogleAds so that their bogus URLs are appearing at the top of Google searches … The origin of the phrase ‘The Price of Peace is Eternal Vigilance’ is disputed but it’s still true!
The LGfL is a great place to enhance your threat perception but before you read that, here are:
Source inspiration: https://national.lgfl.net/security/securityaudit
Read our guide ‘Six ways to improve cyber security vigilance’, we discuss the above steps in more detail and how you can review the quality of your cyber security.
Conclusion
Over the last three years, especially, schools and MATs have increased their usage of ICT especially for the provision of remote learning. The advantages of this showed themselves and using ICT is now a mainstay for education delivery and achievement of outcomes. This has increased the exposure to criminal activity of cyber attacks. It is heartening to learn that 83% of schools that took part in the Cyber Security Schools Audit, have a cyber security policy. However, by improving awareness of what a cyber attack could look like and encouraging more vigilance from staff and pupils will go a long way to avoiding succumbing to a cyber attack and reduce unwanted disruption and cost.
Even if you do have a cyber security policy, when was it last reviewed? Technology advances all the time and you’ll want to make sure that you’re up to date with your precautions. Or perhaps you don’t have a policy in place and know that now is the time to have one. We can help audit your cyber security provision and risk of attack and develop a cyber security policy that can be implemented across your school or MAT and help staff and pupils play their part in avoiding a cyber attack.
Get in touch to see how we can help you.
