The mass move to lockdown learning as a result of the pandemic saw educational institutions face a host of new security challenges. The previously ‘safe’ confines of the school environment no longer existed as people and devices became displaced. As defences became more vulnerable, cybercriminals wasted no time in taking advantage of the situation – with 52% of schools experiencing a breach or attack in the last 12 months.
While educational organisations are slowly starting to get ‘back to normal’ and welcome students back to the classroom, this is no time to rest easy, with hackers becoming more sophisticated in their methods. To avoid a potential disaster, educational institutions should take steps to identify and address the security risks.
A good starting point would be to carry out a security assessment and detect any weak spots where breaches are most likely to occur. It’s advisable to include an independent third-party in this process – a security specialist who can offer guidance and make a list of recommendations and actions. This assessment will look different depending on the organisation, but it makes sense for educational institutions to focus on staff training first before tackling devices and data.
Protecting your staff:
Human error still accounts for 90% of data breaches, so any cybersecurity strategy has to take individual staff into consideration. It also makes life a lot easier if all employees, not just the IT department, are aware of the signs of a possible attack – yet only a third of schools currently train non-IT staff in cybersecurity.
Key hacking tactics that staff members should watch out for include:
- ‘Credential stuffing’: this involves hackers using lists of compromised usernames and passwords (often sold on the dark web) to gain access to accounts. In some cases, hackers don’t even need a username but can rely on the likelihood that most people use the same password for multiple accounts. For example, I recently worked with a secondary school where a member of staff was using a variation of the same password for fifty different logins – across a mixture of professional and personal accounts. In this scenario, all a hacker would have to do was crack one account password, identify their work email (which are often easy to guess) and they’d be in!
Fortunately, it’s easy to protect staff members from this type of risk using multi-factor authentication. Offered as standard by all the major cloud providers, it’s simple to set up (all you need is a smartphone) and provides an additional barrier to those who may be attempting to exploit compromised passwords.
- Brand theft: this involves criminals stealing your institution’s branding or logo and adding it to emails or apps to try and trick people into sharing sensitive information. You can run a brand monitoring search to find any instances where this is happening. This will allow you to take precautionary actions – and warn stakeholders that they may well be targeted by this type of nefarious activity. Where apps are concerned, businesses can also approach the hosting company and request they take it down.
- ‘Domain squatting’: also known as ‘cyber-squatting’, this is a method used by hackers to trick users into sharing their credentials. An example of this would be a cybercriminal taking control of a domain with a similar name to a school’s domain – primaryschools.tr.uk for instance. The aim is to get parents, staff and students to try and login to that fake site and then harvest those login details. If this happens, you should approach the domain name provider and request they take down the website.
Alongside ongoing education, schools can work with a security partner to run training days that play out different scenarios to see how staff will respond in the event of a breach or attack. This isn’t about catching anyone out but providing some tangible examples of what could happen. The goal is to make staff more aware so they know what to look out for.
Additionally, educational institutions can also carry out regular penetration testing – these are simulated cyber-attacks that will test computer systems and check for vulnerabilities.
Reviewing your devices:
During the pandemic many teachers have been conducting lessons virtually from their own homes. It’s important for organisations to ensure that if devices have been used outside of the school environment for an extended period of time that they are still secure. Is the firewall and anti-virus up-to-date? Do they have the latest patches installed? Are key files and data being stored in the right places?
To secure devices in a remote working environment, organisations can take advantage of cloud-based tools such as mobile device management (MDM). These solutions can be used to authenticate users and monitor the health of the devices before giving the user access to the school network. MDM can also help ensure employees are storing information in places where backup can take place, and disaster recovery protocols can function.
If educational institutions follow the steps above and take a proactive approach to security, they should be confident that they have done what they can to protect their organisation, its key assets and manage any ongoing risk.
You might also like: A cultural and professional pivot for both Gen Z and employers