Cybercrime continues to be one of the fastest growing areas of crime, with increasing numbers of individuals and groups exploiting the speed, convenience and anonymity of new digital structures to commit a diverse range of disruptive activities that know no national borders. Historically, cybercrime was committed mainly by individuals or small groups. Today, criminal organisations use full-time ‘staff’ who use sophisticated real-time techniques to commit crimes on an unprecedented scale, either for the rewards that they bring in their own right or to fund other illegal activities such as terrorism. In other instances, inexperienced hackers can simply download readily available attack tools from the internet.
The crimes these people carry out may not be necessarily new, as in the case of fraud and theft, but the ease with which these can be committed and the potential rewards have changed due to our ever increasing reliance upon inter-connected technology.
We read that new trends in cybercrime, such as ransomware, are constantly emerging, with the costs to the global economy now running to billions. The Cabinet Office recently estimated the cost of cybercrime to the UK alone to be £27bn per annum. However, this does not give a proper insight into the impact on an organisation of a fully-fledged cyber-attack. Many people still consider the biggest risk to be a failure in technological controls which in turn results in the theft of money or data. The reality is that the impact upon schools, colleges, staff and students can be much wider than that.
Attacks such as these can easily result in some or all of the following:
- genuine financial loss to the organisation;
- loss of reputation amongst parents and trustees;
- compliance failures such as breach of the Data Protection Act or Safeguarding rules;
- loss of intellectual property; and
- loss of key operational systems for an extended period.
So what can you do to protect your organisation?
In our experience, there are several key issues that need to be addressed, as follows:
1. Don’t ever think you won’t be attacked. Even if you are not at risk from disgruntled ex-employees or students, there are plenty of people who will attack you just because they can use the easily available tools we have already discussed.
2. You need to perform an exercise to assess the degree of cyber risk that you are exposed to. You cannot put in adequate safeguards if you do not know what data you are protecting, where it sits, or how it is used.
3. Cyber security needs to be discussed at the highest level in the organisation. It cannot be seen as just the responsibility of the IT department.
4. IT themselves need to get the basics right. In a nutshell, good old-fashioned IT controls such as back-ups, systems patching and anti-virus software will help mitigate a lot of the cyber risks currently faced by organisations.
5. Establish IT controls that provide strength in depth, so that the failure of a single control is not as harmful should the worst occur.
6. People continue to be the weak link. The best technological controls can be undone by a member of staff or a student who clicks on something they shouldn’t or writes their password on a post-it note. Training and education continue to be a key element of successful cyber security arrangements.
7. Establish an environment where it is OK to query an e-mail or question an unknown person wandering around the corridors. Staff and students need to know that they will be taken seriously if they act upon what they have been told to do.
8. Plan for the worst. Many organisations have no incident management plan that can be invoked when an attack is underway. This can result in initial confusion which can in turn exacerbate the incident.
9. Consider compliance with the government’s 10 step Cyber Essentials scheme, which can be found here.
For more information, please contact Steven Snaith or download the back to school PDF.