We’ve seen a steady rise in cyber-attacks on schools and colleges this past year. The impact is devastating: the loss of network access, or systems which can no longer be trusted, has the potential to stop pupils and students from learning, hinder teachers and bring administrators to a halt.
But why is the education sector now in the ‘cross hairs’ of the ‘bad guys’? The answers fall into three areas:
- Schools and colleges are perceived as being cash rich, open, and collaborative by nature and consequently, easy targets to exploit;
- Often, systems deployed across the education sector are not optimum. Rather, they tend to be chosen on cost, and free and open-source options are preferred;
- The level of cyber awareness of staff and leadership teams tends to be low, resulting in data protection being overlooked in the budget.
The cost of a data breach
It’s a fact that a very high percentage of a school’s spend goes on salaries. This leaves very little to cover the running costs of buildings, let alone the purchase of educational aids. And of course, let us not forget that the reason these institutes are there is to educate. It’s easy to see how a school would buy more laptops rather than a data breach alerting system.
But the cost of a data breach is high and unfortunately many education institutions don’t realise this until it is too late, regretting their decision to not invest in better data protection. It’s time to start thinking about the data held, and classifying its value.
Understanding your data
All schools and colleges hold a lot of data but not all of it is critical. Should non-critical data be lost, it would not have a significant impact on the education process, nor leave the school at financial risk. Hence, the first part of any data security review is to understand what data is held, who or what needs access to it and, if critical, what protection is needed.
Often schools think that because their data is in the cloud, using a world-renowned service provider, their data is protected and backed up. This is a mistake, as none of the major cloud vendors guarantee that data will be protected or restored in the event of an outage. Any critical data needs to be backed up in a secure way, utilising the key rule that there should always be multiple backups on different platforms.
Data should also be protected against a ransomware attack. Such attacks look for any cloud or backup programs and attack them in the first instance. Cheap or free backup solutions are susceptible to this type of attack. Given the low level of investment in information protection within schools, their backups quickly become targets. If the spend had been better deployed, a backup and business continuity system with immutable storage capabilities could have been installed. This means any ransomware trying to lock the data will be stopped.
By identifying what data is held, if it’s critical and what access is needed, any organisation can quickly and cost-effectively design and secure a system that provides security in depth.
The issue of compliance
Another failing of a poor information security strategy is the issue of compliance. All educational institutes hold sensitive information, much of it child-focused data. This falls under the General Data Protection Regulation (GDPR), which demands that data be protected.
Pseudonymisation or encryption is the only security measure specifically called out within this regulation, but few educational establishments have any form of encryption, leaving them exposed to data breaches which, in turn, can result in large fines from the Information Commissioner’s Office (ICO).
It’s also likely that following a breach, schools will face Subject Access Requests (SARs) from parents and carers wanting to know what data was held before the breach.
New application security
Another weak security area within schools is when new applications are introduced. Rarely are they assessed for their data protection or network connection. This is not only poor data security, but it’s also a breach of GDPR, as any new application introduced should have a Data Protection Impact Assessment (DPIA) completed. A DPIA should identify if any data held is sensitive, where it’s stored, by whom, and if it has sufficient controls to stop unauthorised users.
Understanding the importance of data security
If better data security processes were deployed, many of these compliance consequences could be avoided.
Educators need to ensure they fully understand the importance of data security and the implications of having poor strategies. Adding tools to an email system to help a user detect a possible phishing attack or bad link can greatly multiply the level of protection, as will adopting a ‘think before you click’ mentality across the board.
Educational institutions must get out of the mindset that they have nothing of value to a hacker. All data has value, and the cost of breach remediation can be huge. Couple this with the bad publicity such a hack can attract and the possibility of large fines, and it’s easy to see that data protection is simply not worth ignoring.