Education institutions are facing a challenging time, with governments and schools continuing to work out what a return for students will look like. What’s clear is that a blended approach between online and offline is here to stay, with three-quarters of teachers and senior leaders believing remote learning will play a continued role in education after lockdown ends.
Schools and universities need to continue to consider how they deliver online learning, and ensure they have the infrastructure in place to do so securely and effectively amid the continued threat of local lockdowns.
Typically, security will be managed by an in-house team or outsourced to a specialist, but with next to no training or education of the resource users themselves. Security teams are having to react and put new processes in place, but few take the time to educate and train the end user who can be an excellent first line of defence – be it teaching professional, student or pupil.
Preventing an attack will act as a force multiplier for any organisation and prevention is always preferable to the fallout from an attack or breach. Training end users in common techniques used by bad actors is a cost-effective and proven safeguard.
Education providers often have constrained tech budgets, poor legacy IT infrastructure and minimal cybersecurity defences. This makes maintaining cyber resilience, whilst providing more resources and options online, a challenge. What’s more, IT infrastructure is now included as a criterion in OFSTED evaluations – meaning it’s essential in maintaining the reputation of the service.
With valuable data to hand, education institutions are prime targets for cybercriminals and instances of breaches in schools and higher education are widely reported. For example, at least 10 universities in the UK, US and Canada recently had student and alumni data stolen.
Here are some cyber-resilience tips that education providers can put in place whilst needing to remain agile due to changing COVID-19 restrictions:
Be wary of phishing emails
Prior to and throughout COVID-19, we’ve seen a rise in phishing emails impersonating cashless payment systems implemented by schools, such as ParentPay, +Pay and SchoolMoney. Cybercriminals are impersonating these companies and targeting parents, driving them towards similar-looking fraudulent sites.
The pandemic has provided opportunity for cybercriminals to further exploit these tactics – for example by impersonating the digital confirmation of grades to students for GCSEs and A-Levels, or by posing as the Department for Education to try and obtain bank details from unsuspecting parents.
It only takes one click to put users at risk. Education providers should ensure that staff undergo security awareness training so that individuals are vigilant in scrutinising the types of emails they receive, and that they err on the side of caution when it comes to emails asking them to download attachments.
Parents should also be reminded to remain cautious, and examples of common phishing campaigns should be shared with them so they know what to look out for. Schools should be clear on the type of communication and information they share as well.
It’s important these training processes take place regularly, as phishing campaigns are getting increasingly sophisticated.
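To make "similar-looking" concrete for awareness sessions, the added example below (not part of the original article) classifies link hosts against an allow-list of payment-provider domains and flags near-misses. All domains use the reserved `.example` and `.test` endings and are constructed; the allow-list is an assumption to be replaced with the addresses your own providers publish.

```python
from urllib.parse import urlsplit

# Assumed allow-list (constructed): replace with your providers' real domains.
TRUSTED = {"parentpay.example", "schoolmoney.example"}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unknown' for the host in a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Exact domain or a genuine subdomain of a trusted domain.
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    # Split on dots and hyphens so 'brand-login' is compared piece by piece.
    labels = [p for part in host.split(".") for p in part.split("-")]
    for t in trusted:
        brand = t.split(".")[0]
        # Brand name embedded in another domain, or a near-miss spelling of it.
        if brand in host or any(edit_distance(l, brand) <= 2 for l in labels):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kind to show in training material.
    for link in [
        "https://www.parentpay.example/login",
        "https://parentpay-secure.example/login",
        "http://schoolrnoney.example/pay",
        "https://parentpay.example.account-check.test/",
    ]:
        print(classify(link), link)
```
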
Audit all machines connected to the network, including the data they hold and the access they have
There’s a common misconception in cybersecurity that a firewall and antivirus are all you need to stop all network threats. But they don’t protect against internal threats, such as data theft through compromised machines on the network. This is where access policies are needed to fill in the gaps.
To mitigate future attacks, education providers must properly audit all machines connected to their networks and the data they hold.
IT teams can begin by conducting a ‘privilege audit’. This involves checking all existing accounts, processes, and programs to ensure that they have only enough permissions to do what they need to. Students connecting to the network should have their accounts created with as little access as possible, with specific higher-level access only added as needed.
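One way to run such a privilege audit over an account export, shown as an added example rather than code from the original article: each account's groups are compared with a least-privilege baseline for its role, and anything beyond the baseline that was not explicitly approved is reported. The role names, group names, CSV columns and accounts are all constructed assumptions.

```python
import csv
import io

# Hypothetical least-privilege baseline: the groups each role may hold.
BASELINE = {
    "student": {"wifi-users", "vle-read"},
    "teacher": {"wifi-users", "vle-read", "vle-write", "mis-read"},
}

# Constructed inventory export: one row per account, groups separated by ';'.
# approved_extra lists higher-level access that was explicitly signed off.
INVENTORY = """account,role,groups,approved_extra
s.patel,student,wifi-users;vle-read,
j.jones,student,wifi-users;vle-read;mis-read,
a.khan,student,wifi-users;vle-read;vle-write,vle-write
m.reed,teacher,wifi-users;vle-read;vle-write;domain-admins,
svc-print,service,wifi-users;domain-admins,
"""


def split_groups(field):
    """Turn 'a;b;c' into a set, ignoring blanks."""
    return {g.strip() for g in (field or "").split(";") if g.strip()}


def audit(inventory_csv, baseline=BASELINE):
    """Return (account, issue, groups) findings for accounts beyond baseline."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        held = split_groups(row["groups"])
        allowed = baseline.get(row["role"])
        if allowed is None:
            # No baseline for this role, so none of its access is justified yet.
            findings.append((row["account"], "unknown-role", sorted(held)))
            continue
        excess = held - allowed - split_groups(row["approved_extra"])
        if excess:
            findings.append((row["account"], "excess-privilege", sorted(excess)))
    return findings


if __name__ == "__main__":
    for account, issue, groups in audit(INVENTORY):
        print(f"{account}: {issue}: {', '.join(groups)}")
```
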
Protecting all existing sensitive data can be particularly tricky for universities, as it may often live on individual students’ laptops or desktops, as well as the university servers, and the data available makes stolen student credentials particularly valuable. Ultimately, a highly tied-down environment doesn’t match with the knowledge-sharing culture of universities.
Consider migrating servers to the cloud
As the education sector is tasked with delivering increased online learning options due to COVID-19, institutions should consider moving their servers away from on-premise to remote cloud facilities.
Firstly, this makes files accessible anywhere, allowing administration personnel to safely work from home if needed and creating a more productive remote learning experience for pupils.
It also helps to mitigate the danger of data loss by moving data from a vulnerable environment to a secure one. This provides IT teams peace of mind by knowing that sensitive pupil data is safe and sufficiently backed up, should they be the victim of a cyberattack.
With the new school year around the corner, education providers should take the time now to review and ensure they have clearly defined security policies and procedures in place. The impact of a cyberattack can be far-reaching and longstanding, from data loss to damage to reputation and infrastructure. Cybersecurity is not an area to scrimp on; after all, the cost of protection pales in comparison to the cost implications of a data breach.