It may surprise some, but even childcare companies can be prey to online criminals. Annette Rawstrone reports
Talk of the dark web, ransomware attacks or cyber criminals can sound like something out of a sci-fi film and worlds away from the childcare sector, but the potential threat is closer than you may think.
Just consider the technology used to keep your setting running – from facilitating administrative tasks to communicating with parents and educational programmes and documentation. ‘Reliance on online tools in early years settings has been increasing over a number of years and accelerated during the pandemic,’ says Sarah Lyons, deputy director for economy and society at the National Cyber Security Centre (NCSC). ‘Now more early years settings than ever depend on internet-connected services and are growing their “digital estates”.’
Ransomware groups used to target large multinational companies in the hopes of big ransom payouts, but now any organisation is considered fair game. ‘As many cyber criminals are motivated by financial gain, education settings can seem like an attractive target because they hold lots of sensitive data about children, parents and staff. Criminals can find this information valuable for setting up fake bank accounts and reselling details online for fraud,’ explains Lyons.
Early Years Alliance director of people and technology Paul Donaldson warns, ‘A survey from risk management specialist Allianz revealed cyber incidents – which include cyber-crime, IT failure and outages, and data breaches – as the most significant threat facing businesses this year, and early years settings are far from immune from these challenges.
‘Many of the systems used by settings are reliant on the internet and therefore at risk of cyber crime. This ranges from emails and social media to operational management and software solutions. Settings who fall victim to a cyber attack may find that they are prevented from being able to access online data, or find that it is stolen, which could, in turn, damage a setting’s reputation.’
In global security company Tenable’s ‘Threat Landscape Retrospective’ report, it is revealed that the education sector experienced the greatest disruption from data breaches last year, impacting staff, parents and children. The report states, ‘A staggering 52 per cent of breaches in the education sector were the result of ransomware attacks. While it’s not clear if ransomware groups actively set out to target education facilities, or if this is a result of opportunistic activity targeting easy-to-find vulnerable devices, this is a worrisome trend.’
One of those disrupted organisations was multi-academy trust Harris Federation, which runs 51 primary and secondary schools in London and Essex. It experienced a ransomware attack by Russian cyber criminals in March 2021.
Attackers hacked into the organisation’s computer system, probably through a phishing email, encrypted the data and demanded a ransom to get it back. They also threatened to publish sensitive information online. Not only was financial data and safeguarding information stolen, but all emails were affected, whiteboards, CCTV and even some door entry systems.
Speaking on BBC Radio 4, Harris Federation chief executive Sir Daniel Moynihan said, ‘They have like a web page on the dark web where people can have conversations with them. And they’d indicated that they wanted $4 million in cryptocurrency.
‘It struck me as completely insane. I mean, we are a group of schools operating in disadvantaged and challenging circumstances for students from low incomes. Why would anybody want to take or think it’s appropriate to take money from youngsters in that situation?’
Despite not paying the ransom, it cost the Harris Federation around £500,000 to rectify.
Steps to security
In November 2021 alone, the NCSC removed 68,000 scams from the internet. Frustratingly it can be very easy to fall victim to a phishing email, text message or phone call because they can be difficult to identify, often posing as a bank or popular company and asking for payment or credit card information. They may make you visit a website which can download a virus onto your computer, steal bank details or other personal information. ‘It comes as no surprise that settings are looking to improve their approach to cyber security; overall, businesses are quickly waking up to the dangers of cybercrime and putting processes in place to do what they can to prevent being impacted,’ says Donaldson.
While cyber security may seem daunting, Lyons reassures that you don’t have to be an IT expert to follow actionable advice to make your setting more secure. ‘Cyber-security training is relevant to all staff members, so everyone can play a part in boosting overall resilience, just as they would on the security of doors and windows,’ she adds. Donaldson agrees that all setting staff should undergo cyber security and data protection training so they are aware of the tactics cyber criminals use and how they can keep data and systems safe.
The NCSC has published bespoke guidance for early years practitioners which provides actionable advice on how to protect sensitive information about the setting and the children in their care from online criminals (see Further information). Lyons advises following these four steps to significantly reduce the likelihood of becoming a victim of cyber crime, which she says will also help you to ‘get back on your feet’ should you be targeted:
- Back up important information.
- Use passwords to control access to computers.
- Protect your devices from viruses.
- Learn how to spot and report suspicious messages (phishing attacks).
‘It’s important to remember that organisations can be affected by a cyber incident and victims should not feel embarrassed – cyber criminals are devious and use a variety of methods to take advantage of unsuspecting victims,’ says Lyons.
‘If you think your organisation has been affected by a cyber attack, you should report your concerns to the person in charge of your IT, if there is one. All cases of fraud and cyber crime should be reported to Action Fraud (or Police Scotland if in Scotland). Individuals are also encouraged to report any suspicious messages – either emails or texts – they receive. Cyber criminals are opportunistic and sadly look to take advantage of topical issues to trick people into sharing sensitive information, but by reporting, you can help prevent others from falling victim.’
case study: Thrive Childcare and Education
‘We all must bear in mind there is no “silver bullet” solution for cyber-attack protection, and unfortunately the risk continues to increase as criminals become more advanced and capable,’ says Thrive IT manager Eddie Evans. ‘For any business solely reliant on technology for operation, recording and analysis or e-commerce, we know that interruptions or systems being compromised can be debilitating and potentially very costly.’
To guard against cyber attacks, the nursery group – which has 46 settings across the UK – uses various systems including endpoint technology protection on all tablets, PCs and laptops across the business and multi-factor authentication. The IT team also has regular update calls with the Microsoft support team to review the company’s ‘secure score’ across all its settings.
All staff are educated to be alert to potential cyber-security risks. ‘Our IT team have been performing some “Attack Simulation Training”,’ says Evans. ‘This allows us to run benign cyber attacks to our users and devices, flagging our security policies and practices. This can report back on any high-risk users or devices, allowing us to assign training accordingly.
‘We have strict internal access policies and lock down sites where there is potential for risk. Additionally, we have policies around restrictions on BYOD (bring your own device), preventing unsecured memory sticks from spreading viruses between home and work hardware.’
If there were to be a cyber breach, the nursery group has a variety of systems in place to detect and ultimately lock the breached users’ account or device. The IT team receives regular reports of any ‘high risk’ incidents, allowing it to block a single breached user or device without affecting the whole business.
‘We would always stress that no IT systems are 100 per cent effective at preventing cyber attacks, so end-user training and guidance is of the upmost importance in a battle to prevent these,’ advises Evans. ‘Make sure you take the opportunity to ask system security and IT specialists to review your practice and the security of your system and, importantly, take the time to run important software updates on your PC.’
‘Early Years practitioners: using cyber security to protect your settings’, National Cyber Security Centre: https://bit.ly/3OMXUAT
Recovering a hacked account: https://bit.ly/3yKkmoM
NCSC advice on phishing: https://bit.ly/3P0LQeU
Forward suspicious emails to: firstname.lastname@example.org
Forward suspicious text messages to: 7726
Action Fraud: www.actionfraud.police.uk
‘Tenable’s 2021 Threat Landscape Retrospective’: https://bit.ly/3Awhe0P