Contributors
David Emm, Principal security researcher, Kaspersky
Roger Snelling, Senior network consultant, Axians; former head of networks, University of Exeter
Subhalakshmi Ganapathy, Product evangelist, ManageEngine
Mark Bentley, Safeguarding and cybersecurity manager, London Grid for Learning (LGfL)
Darryl Morton, Director of operations and security, MyConcern
Q. Can you outline some simple, practical and affordable solutions for schools and universities?
David Emm: Protect all devices, including smartphones and tablets. Update operating systems and applications as soon as updates become available. Backup data regularly and store the backup offline. If connecting remotely to school/university systems, use a VPN to secure communications. Encrypt sensitive data. Don’t assign admin rights automatically, and don’t use admin rights for general use of computers. Develop a digital security culture that mirrors real-world safety policy. Follow the UK government Cyber Essentials guidelines.
Roger Snelling: Educate staff and students to the dangers of phishing and social engineering, and regularly alert and advise on common threats. The human is still the weakest link, and no amount of security measures can stop people clicking on links they shouldn’t.
Audit your current estate’s security capabilities. Ensure you have restricted access to systems and services, remove default settings and admin rights if people don’t need them, ensure any pertinent embedded security features are utilised. Leverage existing tools and services, within your organisation and from your partners and/or service providers.
Encourage the use of complex passwords – using your favourite song, film title, or something suitably unique. Substituting words with numbers and characters can make it easy to remember and less likely to be written down.
Nominate a cybersecurity champion: someone with the authority to implement the necessary security policies and procedures to safeguard the organisation. They may need to carry out several functions, such as Data Protection Officer.
Backup important data. If you are hit with a ransomware attack, this may offer the chance to rebuild and restore your critical data without paying a hefty fee.
Subhalakshmi Ganapathy: Inventory the type of data your institution possesses, classify it, and identify the policies required to secure this data. A decent data loss prevention (DLP) solution would be able to identify, categorise, and secure personal data stored in your network. Seal vulnerability loopholes: regularly patch endpoints to prevent intrusions. Look for a vulnerability and patch-management solution that automatically detects outdated systems and pushes the latest patches to eliminate patch-related vulnerabilities.
Monitor user accesses to sensitive data: set up audit policies and monitor user behaviours within the network. Deploy an effective security information and event management (SIEM) solution with a user entity and behavioural analytics (UEBA) module that automatically baselines normal user behaviours and detects suspicious activities within the network in real time. Adopt a preventive and responsive security approach: regularly hunt for threats and formulate a preventive security strategy to proactively mitigate attacks, coupled with a responsive approach to tackle security incidents that have already occurred.
Mark Bentley: We carried out an audit of cybersecurity provision across UK schools with the National Cyber Security Centre (NCSC), and used the findings to publish 10 top tips for a cybersafe school [see graphic]. Why not ask your technical and leadership teams if you are doing all those 10 things? Next, I would say have a look at our checklist for measures you could be using [see second graphic]. They might be available already from one of your service providers at no extra cost.
Darryl Morton: There are many different frameworks and accreditations for assessing the maturity of an organisation’s cybersecurity posture. One which is applicable to schools, colleges and universities is the Center for Internet Security’s CIS20, which is available to download for free from cisecurity.org. It contains three different maturity levels and explains in reasonably jargon-free language how to achieve each level.
Schools could focus on achieving IG1, the lowest level, which would place them in a good position. Larger schools and colleges, and certainly universities, should aim to achieve IG2 or IG3. A UK government-backed accreditation called Cyber Essentials covers a wide range of security considerations; the entry level requires an organisation to self-certify, but even this level will pose a number of questions to the organisation going through the process.
The higher-level Cyber Essentials Plus is far more stringent and requires an audit to be carried out by qualified, external, independent auditors. Cyber Essentials Plus is one of the accreditations held by One Team Logic’s safeguarding software MyConcern HQ, which we feel is important given the sensitivity of the data that we process on behalf of our customers. Using either Cyber Essentials or CIS20 should form the basis for a checklist.
Q. How can education providers keep pace with security measures when cyber crime is constantly evolving?
DE: It’s important to see security as an ongoing process, and to establish a team to keep an eye on security developments. It’s essential to carry out periodic risk assessments to identify the potential ways in which an attacker might target an organisation, and identify the measures needed to stay secure.
Where the organisation doesn’t feel it has the necessary skills, external expertise is important. This will vary depending on the skills available in-house, and could extend to all aspects of security policy, including risk assessment, management of security software and security awareness.
RS: Evolving cybercrime will test the most sophisticated cybersecurity solutions and services, and education providers suffer a double whammy in terms of restrictions on funding and their ability to attract and retain key personnel, specifically security specialists.
I see the trend increasingly to work with partners, in part or in whole, to provide much-needed security solutions and expertise – ideally in a ‘pay as you consume’ model, so that security services are closely aligned to the institutions’ immediate needs, but can allow some flexibility in growth.
SG: To keep up with the evolving cybersecurity landscape, education institutions should depend on both in-house and outsourced experts. Training and awareness on cyber-attacks, and eliminating misconfigurations due to human errors, can be maintained by in-house experts; however, tackling advanced, targeted, and financially motivated attacks may require assistance from outside experts. These experts can help with configuring the SIEM and UEBA security tools required to tackle sophisticated attacks.
DM: There are lots of free, authoritative resources on the internet, which a school can access to keep abreast of security threats and measures. However, the landscape is constantly evolving and at a pace where it would be advisable to call upon outside experts. At MyConcern, we have a team who focus full-time on security, but we still use a number of outside experts to provide deep expertise in certain fields, to transfer knowledge and skills into our team, and to challenge our thinking to ensure that we are not becoming complacent.
Q. Assuming the majority of threats are external, do some threats also come from within an institution – and if so, is the procedure for dealing with them different?
DE: Typically, people within an organisation become unwitting threats to security, either through lack of knowledge of the dangers or through cutting corners. This is why an imaginative security awareness programme is so important. However, there are situations where someone inside the organisation deliberately attacks the organisation. This is, first and foremost, a breach of trust, which makes it difficult to deal with. However, some of the measures designed to block external attacks can also help to minimise the impact of an insider threat, such as segmenting the network, limiting the use of admin rights, limiting access to sensitive data to those who really need it, avoiding single sign-off for sensitive activities such as making payments, and removing e-mail addresses and access credentials of staff who leave.
RS: This assumption seems reasonable, but internal threats may still be significant.
One recent study carried out by Jisc highlighted that lots of threat activity emanated from institutions themselves, and dropped away out of term time.
Ensuring suitable measures are in place to secure your institution may be OK, but what if your site is used to launch an attack elsewhere? Under the Janet Acceptable Use Policy, you may risk being disconnected if you are impacting other organisations externally, which would be catastrophic – not only in the organisation’s functionality, but also in reputational damage.
SG: Educational institutions are susceptible to attacks from their own students. There are several reasons students may launch an internal attack, from wanting sensitive data such as test papers to manipulating grades or payment processes.
Dealing with these internal attacks involves implementing tight user access and security policies. This starts at the architecture level and requires a separate secured network zone to store both personal and other critical information (such as test papers, payment information, grades, research papers, etc), restricting access to those who need it.
Additionally, deploying a user monitoring and activity auditing solution and configuring it with details on the access and behaviour of different users (students and staff) isn’t a simple task in this industry. In other sectors, the user access levels can be broadly classified as normal user or admin user. However, in the education sector, there are different user access levels: students who cannot access most of the sensitive data, teachers who can access limited sensitive data such as attendance details and test papers, and other staff who can access the rest of the critical data the institution stores, such as personal information of both students and staff.
MB: The internal threat can be malicious or accidental. The best way to combat this is to start with training for all staff and then ensure that the essential trio of policy, risk register and business continuity plan is in place. Unfortunately, we found that many schools are lacking one of these three pillars, which are all interdependent for each other’s success.
DM: The majority of cybersecurity threats come from outside an organisation, but the area we need to focus more effort on, because it is where the highest risk of a breach will originate from, is within an organisation. This doesn’t mean that we should doubt or be suspicious of our staff: the real issues are mistakes and a general lack of cybersecurity awareness. Many of the simplest, cheapest measures focus on improving staff knowledge: it’s often said that humans are the weakest link in cybersecurity. Training your staff to spot malicious emails is one such example; understanding how to create and manage secure passwords for the hundreds of websites and applications that each of us logs into these days is another vital skill. The NCSC website is a great place for materials like this.
Further reading
● UK government Cyber Essentials guidelines: ncsc.gov.uk/section/products-services/cyber-essentials
● National Cybersecurity Centre: ncsc.gov.uk
● LGfL / NCSC audit of cybersecurity provision across UK schools: securityaudit.lgfl.net
● Center for Internet Security: CIS20 best practices, free download: cisecurity.org/cybersecurity-best-practices
Q. How has GDPR impacted on the cybersecurity landscape in education?
DE: Since GDPR came into effect, educational institutions, like other organisations, have a duty to use data appropriately and ensure that it’s secured. This includes paper records, as well as digital data. As with security, it’s important to see this as a process. This means auditing the methods used to collect data, how it’s held and what mechanisms there are for those whose data it is to access the information. It also means creating procedures for managing this properly, to ensure that data is secure, is collected only with consent, isn’t held longer than needed, and is accessible only to those who need to see it.
RS: There have been some notable and well-publicised breaches, and fines are starting to be issued, so it would be in any organisation’s interest to ensure they have suitable measures in place. Implementing such measures may put an extra load on an already stretched workforce, but the impact of not implementing may be worse considering the penalties.
Common sense dictates that organisations should look at the cost of a breach against the investment to mitigate this. Sadly, I think a number may still be hoping that it won’t happen to them.
SG: Students who are part of an educational institution’s network have numerous publicly-facing endpoints (laptops and mobile devices). Adopting a strong security strategy to protect these open endpoints has gained more importance since GDPR. It has also resulted in more educational institutions investing in monitoring and user-behaviour tracking systems to detect anomalies during the reconnaissance stage of the kill chain.
DM: Whilst GDPR has increased restrictions on how we all manage sensitive data, it has had some positive impacts on the cybersecurity landscape. It has forced all organisations to examine how they are processing data, how their suppliers are processing data on their behalf and to think about the longer-term effects of data processing. For example, at MyConcern HQ, we receive many requests for clarification about the topic of data deletion versus data retention. There is guidance circulating in the education community about the length of time that data must be retained once a student has left the establishment (generally, until the data subject reaches the age of 25), however, it’s not as straightforward as that because there is conflicting statutory guidance and laws that need to be taken into account.
The GDPR has caused these conversations to take place, so in that respect it has been a force for positive change.
Q. Do schools and universities face a slightly different set of issues/risks from other industries, when it comes to data security?
RS: Certainly. Universities and colleges usually have some form of 24/7 access these days – typically the library, with little policing in terms of physical access. It leaves organisations potentially vulnerable in that regard.
Schools and universities are the repository for a lot of sensitive student and staff data, with student records, academic achievements and education history all at risk
if there is a breach. With academics and students
working collaboratively and sharing data, records and data can leak, whether stored on personal devices or externally in the cloud. So even safeguarding the standard repositories doesn’t necessarily mean that all data is secure.
SG: Yes, they do. Educational institutions are prone to advanced persistent threats and targeted attacks such as ransomware. Education is among the top three most targeted sectors, as these institutions’ networks are often relatively easy to breach and lateral movement through the network is even easier. There is often a lack of security awareness, and poor security hygiene. Moreover, schools and colleges are more prone to social engineering, as users tend to give away credentials to techniques such as pretexting and baiting.
MB: Education is the most challenging environment in which to convey key cybersecurity issues. Employees of companies generally accept that cybersecurity is an important topic because someone at board level has responsibility for it and you have to do what they say. In the public sector, complex hierarchies mean that policies are often harder to implement. By the time you get to schools, the challenge is the greatest: if you ask a classroom teacher who is responsible for cybersecurity in the school, you would be lucky to get an answer. Pressures of time and budget also make it very hard indeed for a school to justify spending on new security protections when they are laying-off staff.
“Educational institutions are prone to advanced persistent threats and targeted attacks such as ransomware” – Subhalakshmi Ganapathy
Q. How much of this comes down to material solutions (better software, etc), and how much down to human solutions (better training for staff and students)?
DE: Both play an equal role in data security. While there’s a temptation to reach for a security product in response to the latest threat, it’s important to start with an overall strategy. What assets does the school have? How are those assets vulnerable to attack? What would the impact of a breach be? Software is important – but so, too, are policies such as limiting access rights, not assigning admin rights and using two-factor authentication for access to school resources, etc. A risk assessment will highlight the areas that need attention, and will prevent money being wasted on inappropriate solutions.
RS: Fundamentally, if you can encourage a better approach to cybersecurity from your staff, students and visitors, then you go a long way to reducing your exposure to risk. The key recommendation is to provide training and awareness, but even then, the phishing attacks are becoming increasingly sophisticated, so increased vigilance is needed. However, this is often contrary to a busy working environment, and it’s all too easy to let your guard down and click on something that looks genuine. Backing this up with appropriate software – antivirus, for example – may help to block any attacks that slip through the net.
SG: Many of the data breaches and cyberthreats that occur in this industry are a result of poor security practices and a lack of attention to configuration details. Providing continuous security awareness training will help eliminate human error associated with misconfigurations, preventing institutions from falling victim to social engineering attacks. Most of the data breaches due to misconfigurations and human error can be prevented with a proper security awareness and training programme.
To prevent targeted, financially motivated cyber-attacks, educational institutions need to invest in security tools that can:
● Boost identity security, facilitating multi-factor authentication and identity governance;
● Protect endpoints by updating workstations with the latest patches to eliminate patch-related vulnerabilities;
● Monitor user behaviour;
● Audit configuration changes to critical resources such as Active Directory, web servers, and databases;
● Control access to personal data, and;
● Detect advanced persistent threats and lateral movement indicators within the network.
MB: The two are totally inseparable. In practice, for our schools, this means DDoS (distributed denial-of-service) protections before the internet leaves the gate, state-of-the-art firewalls in the network and in schools, overlapping antivirus and malware products for servers and workstations, filtering for emails and internet, research into behaviours and needs, plus, of course, both online and face-to-face training. You can’t cut corners with cybersecurity, but it’s amazing what you can do with quality systems and solid training. After all, when it comes to the ‘human element’, Verizon found that education has a higher click rate for phishing emails than any other sector. Malware creators are just as aware of these trends and aren’t likely to pass up on perceived ‘weaker victims’.
DM: Any organisation considering where to start should focus on general training for staff and students on how to manage passwords, how to spot malicious emails etc. Implementing material solutions such as antivirus software, having a firewall on the boundary of the school network, regularly running updates (patching) on all digital devices, or implementing a password policy (or, better still, two-factor authentication) are some straightforward aspects of a good cybersecurity plan, using a combination of physical and human factors. Having a top-of-the-range firewall is no good if you leave the admin password as ‘password’, so an effective password policy needs to complement the physical hardware.
“You can’t cut corners with cybersecurity, but it’s amazing what you can do with quality systems and solid training” – Mark Bentley
Q. What’s the best way to galvanise staff and students, and to get them engaged with cybersecurity?
DE: Too often the job of security awareness is given to technology specialists who aren’t necessarily able to communicate effectively at the same level as those who need to be educated. Also, the means used can be unimaginative, such as PowerPoint presentations. An imaginative approach is vital to engage both staff and students.
Consider, for example, comic strips, posters, ‘spot the security gaffe’ competitions, and even developing (or commissioning) security games, or online platforms that ‘drip-feed’ security in manageable slices that measure the retention rate.
RS: Try and make it more fun and less onerous – certainly for the students. Some form of gamification: the most vigilant, the most emails identified as phishing attempts, etc. For staff, positive recognition goes a long way, rather than always dwelling on the negative consequences of hacking. I think people will feel bad enough as it is.
SG: Be approachable. Set up an email address for security-related issues and questions from staff and students. Regularly communicate the importance of cyber hygiene through internal newsletters, contests, and posters.
Organise talks and training on the cybersecurity threat landscape. Bring in security analysts and provide training to get everyone on board with following best security practices. Conduct training separately for different user bases: students, teachers, and other staff.
To counter phishing and other social attacks, establish a dynamic and proactive early warning system that alerts all users, and keep them informed about the potential of these types of attacks.
MB: One problem is the word ‘cybersecurity’ itself – some people call it ‘information security’ or ‘data security’ instead, but none of these really convey that we’re talking about a strategic matter to protect your organisation from an existential threat to your results, your money, your reputation, and more. Most people react to any of those terms by groaning because they either think it’s boring, someone else’s job, or a new restriction to the way they work.
What’s the answer? I’d suggest a combination of four things: top-drawer technology; strategic implementation in a customised way so user needs are met and protections don’t stop people getting their jobs done; communication of what measures are needed, why and how; and training, training and more training.
Contacts
● lgfl.net
● oneteamlogic.co.uk/myconcern.co.uk
You might also like: Roundtable: powers of persuasion