Cybersecurity: How schools can protect themselves from digital threats
David Horton, chair of the ISC Digital Advisory Group, shares expert advice for schools on how to defend against, and mitigate, phishing attacks.
In my many years of working with schools, one thing that I have found varies widely from school to school is their response to their exposure to threats from the digital world. The balance between accessibility and security can be hard to strike. Following some recent, targeted attempted incursions using parent enquiry emails, we felt a blog piece setting out how best to manage these “phishing” attacks was timely.
Despite over 25 years of managing IT in schools without major incident, the level of threat to the school as a business has led me to engage the services of a cybersecurity specialist company to support and advise us on best practice, just as we might for site security or health and safety concerns, and one recommendation I would make is for schools to consider doing the same.
I asked my security partner, a company called Protecture, for their advice on defending against and mitigating phishing attacks, and the rest of this blog is drawn, with gratitude, from their recommendations.
Phishing is a threat that every organisation regards as evolving. For schools the potential damage is of a slightly different nature, because attackers typically focus on the data held. Schools hold an extraordinary amount of sensitive information, and a compromise could put those in the school’s care at risk and damage the school’s reputation. Ultimately an attacker is looking to make money, but rather than through direct financial theft, schools are more likely to be targeted for the information they hold, which may either be held to ransom directly under threat of release, or encrypted so that a ransom is demanded to restore access.
Limiting the risk of a potential attack
• Train staff to recognise potential phishing emails: ensure all staff are aware of phishing attacks and what they look like. Check that sender addresses are correct, that links in emails show as going to a legitimate destination, and that pressure to act fast is treated as a warning sign rather than obeyed. Check that all staff understand the normal way of working so that they are better equipped to identify requests out of the ordinary.
• Create a culture of ‘asking questions’: ensure that staff are aware that they may ask for help if they suspect that they have been a victim of phishing. Do not punish staff if they are caught out, as this may discourage future reporting.
• Desktop simulation exercises: table-top exercises that enact the school’s procedures for dealing with a cyber incident. These help to ensure staff are familiar with the process so that, in the event of an actual incident, there will be a practised response.
• Configure anti-phishing policies: these policies will help to prevent unwanted and potentially dangerous emails from reaching inboxes.
• Ensure staff accounts do not have excessive permissions: configure staff accounts to the principle of ‘Least Privilege’ – give staff the minimum rights required to perform their jobs to limit potential damage if an account is compromised.
• Separate administrative accounts: ensure ‘Administrator’ level accounts are separated from normal day to day user accounts, and never browse the internet or answer emails with these accounts.
• Recent backups: ensure all data is backed up regularly and logically separated from school networks.
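As an added illustration (my own example, not part of Protecture's advice or the original post), a small Python checker that applies the three staff-facing tests from the first bullet to a constructed enquiry email: sender display name versus real address, visible link text versus actual destination, and pressure to act fast. The school and sender domains and the message itself are made up, and the anchor-tag matcher is deliberately simplified.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "act now")
# Simplified anchor matcher for demonstration; a mail gateway would use a real HTML parser
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(raw_email):
    """Apply the three checks from the staff guidance to one raw RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    found = []
    # 1. Sender check: a display name that claims a domain the real address does not use
    name, addr = parseaddr(str(msg.get("From", "")))
    claimed = re.findall(r"[\w-]+(?:\.[\w-]+)+", name.lower())
    if claimed and not any(addr.lower().endswith(d) for d in claimed):
        found.append(f"sender name '{name}' does not match address {addr}")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    # 2. Link check: visible URL text names one host while the href goes to another
    for href, text in ANCHOR_RE.findall(body):
        text = text.strip()
        if text.startswith("http") and host_of(text) != host_of(href):
            found.append(f"link shows {host_of(text)} but goes to {host_of(href)}")
    # 3. Urgency check: pressure to act fast is itself an indicator
    if any(term in body.lower() for term in URGENCY_TERMS):
        found.append("pressure to act fast")
    return found

# Constructed sample resembling a fake parent enquiry (domains and content are made up)
SAMPLE = """\
From: "Admissions - happyschool.sch.uk" <enquiries@mail-reply-now.example>
To: office@happyschool.sch.uk
Subject: Admission form
Content-Type: text/html; charset="utf-8"

<p>Please confirm immediately via <a href="http://login.mail-reply-now.example/x">https://portal.happyschool.sch.uk</a></p>
"""

if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE):
        print("indicator:", indicator)
```

Run on the sample it reports all three indicators; a genuine enquiry whose link text and destination agree, and whose sender name makes no domain claim, reports none.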
Actions to take if the school is attacked
• Incident Response Plan: ensure all staff are familiar with this plan and their roles. Desktop exercises will inform and tune this plan so that it is effective and can be acted on quickly if necessary.
• Immediately inform your school's IT department: report the cyber attack to your school's technical personnel. They will be able to assess the situation and take the necessary steps to contain and mitigate the attack. This will likely include password changes and malware scanning.
• Change your passwords: if the school's network has been used to access any of your personal accounts (within the acceptable use policy), change your passwords as soon as possible. Make sure you use strong, unique passwords (less of a burden with a password manager) and enable two-factor authentication where possible.
• Be vigilant for identity theft: if the cyber attack has resulted in the theft of personal information, be vigilant for signs of identity theft. This can include unusual credit card activity, unexpected bills, or notifications from your bank or other financial institutions. Notify your bank’s fraud department.
• Always notify the authorities: this can include the police, the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO), and reporting through the Action Fraud website.
One final point that I discussed with Protecture is training to identify potential phishing emails. This continues to have considerable value, especially with the advent of tools such as ChatGPT, which are capable of quickly producing convincing, high-quality emails on any subject.
I hope this piece has been valuable. Please feel free to share your own advice and experiences: in doing so we can help protect ourselves and one another.