This is the second article in our insight series relating to the new Academy Trust Handbook. In this article we consider the addition of a new section focusing on cyber security, reflecting the increasing concern around the number of cyber-attacks across the education sector on institutions of all sizes. The Handbook highlights the National Crime Agency’s advice not to pay ransoms, and to approach the Education and Skills Funding Agency (ESFA), if a Trust finds itself in the very difficult position of contemplating such a payment.
The cyber threat landscape is ever changing; we live in an increasingly interconnected world. Whilst this affords us the benefit of accessing data and resources using a multitude of devices and from remote locations, it also provides a much larger attack surface.
Since the onset of the Covid-19 pandemic, we have seen staff and students working remotely and from personal devices. IT departments rushed to provide remote access to resources and looked to third parties for cloud computing, simplifying remote access to systems, and providing effective capacity management.
As such, there are many more routes to data, more data traversing the public internet, and people accessing emails from both corporate and personal devices such as tablets, wearable technology and smart devices. We have an increased use of Internet of Things (IoT) devices such as home smart printers and smart speakers, which are all connected to home wireless networks but not subjected to corporate security policies. These devices allow less secure access to the extended network, which is no longer just corporate infrastructure: it now extends into the homes of staff and students.
To set the tone, here are some frightening cyber statistics (including sources):
- 95 per cent of cybersecurity breaches are caused by human error (Cybint).
- The worldwide information security market is forecast to reach $170.4bn in 2022 (Gartner).
- 88 per cent of organizations worldwide experienced spear phishing attempts in 2019 (Proofpoint).
- 68 per cent of business leaders feel their cybersecurity risks are increasing (Accenture).
- On average, only 5 per cent of companies’ folders are properly protected (Varonis).
- Data breaches exposed 36bn records in the first half of 2020 (RiskBased).
- 86 per cent of breaches were financially motivated and 10 per cent were motivated by espionage (Verizon).
- 45 per cent of breaches featured hacking, 17 per cent involved malware and 22 per cent involved phishing (Verizon).
- Between 1 January 2005 and 31 May 2020, there have been 11,762 recorded breaches (ID Theft Resource Center).
- The top malicious email attachment types are .doc and .dot which make up 37 per cent, the next highest is .exe at 19.5 per cent (Symantec).
- An estimated 300bn passwords are used by humans and machines worldwide (Cybersecurity Media).
As the statistics suggest, 95 per cent of all data breaches and cyber-attacks are the result of human error and the attacker’s reliance on the human trust factor by way of social engineering. This risk has increased, mainly due to a lack of security and awareness training and a lack of critical cyber controls. Attackers like to prey on the vulnerable, and people inherently trust other people. IT staff may be distracted and overwhelmed with having to resolve issues remotely, and IT support now extends to the homes of staff and students as well as to personal devices. It is difficult to put security controls in place over personal devices and the “new” extended network infrastructure.
The value of information is also attractive to cyber criminals. Financial data and student coursework can be held to ransom or stolen and sold on the dark web.
Trends in educational institutes
We have seen a dramatic increase in ransomware, especially in the education sector.
On 23 March 2021 the National Cyber Security Centre (NCSC) released an updated alert that there have been further targeted ransomware attacks on the UK education sector by cyber criminals.
The Department for Digital, Culture, Media and Sport conducted a survey of educational institutes, which showed that educational institutions are much more likely to receive cyber-attacks than larger organisations, with a perception that institutions may be less equipped to deal with scams or attacks.
Recently we have also observed attackers seeking to:
- sabotage backup or auditing devices to make recovery more difficult;
- encrypt entire virtual servers; and
- use scripting environments such as PowerShell to easily deploy tooling or ransomware.
In recent months:
- in Bedfordshire, a cyber-attack destroyed student coursework;
- other schools have lost financial records and Covid-19 pandemic testing data;
- ransomware has hit 17 schools in the Cambridgeshire region;
- in Northampton a cyber-attack disabled telephone and IT systems;
- in March 2021, a ransomware attack hit the Harris Federation, which runs 49 schools; their financial data ended up for sale on the dark web and 37,000 students were locked out of their email accounts and coursework; and
- now more recently, Colchester Academy has suffered a cyber-attack with 20GB of data extracted or held to ransom. They had successfully defended an attack the week before and this seems to have been a revenge attack.
As a theme, the common threats targeted against academies and educational institutions are:
- hacking, social media scams and email scamming;
- phishing - relying on someone falling for a fake but legitimate-looking email, in the hope of gaining information, details or credentials; and
- ransomware - used to blackmail or hold data to ransom. Once a system is infected, it spreads quickly, encrypting data and rendering it inaccessible until the decryption keys are provided in exchange for payment. It often targets backup storage locations too, making recovery impossible.
Often when conducting cyber security audits on the education sector we come across the following repeatedly, all of which are serious vulnerabilities for ransomware:
Out-of-date server operating systems
On-premises servers still using older operating systems that are no longer supported and no longer receive patches or vulnerability updates.
Ineffective patch management
Not ensuring that critical and security patches, for both operating systems and applications, are deployed within 14 days of release (the recommended window for critical or high-risk issues).
Security and awareness training
A lack of security and awareness training.
- Role-based training is key: roll out a standard training programme for all staff, but focus key training, with enhanced oversight, on IT staff and members of the Board.
Lack of password controls
One of the biggest weaknesses is not making use of Multi-Factor Authentication (MFA).
- Ensure that MFA is enforced in order to access corporate resources. Multi-Factor Authentication is an electronic authentication method that provides an additional layer of authentication, decreasing the risk of unauthorised access.
Privileged access issues
So often we have seen that domain administrators use the same account for both server and desktop logins.
- Domain administration accounts should be separate from standard user accounts.
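One way to check for the finding above, as an added example that is not from the article: scan logon events for privileged accounts signing in interactively to workstations. The events, the privileged account list and the "WS-" hostname convention are all constructed assumptions for this example; the field names and logon types follow Windows Security event 4624.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real logs), loosely modelled on the fields of
# Windows Security event 4624. LogonType 2 = console, 10 = RDP, 3 = network.
SAMPLE_EVENTS = """\
EventID=4624 Computer=WS-RECEPTION-01 TargetUserName=jsmith TargetDomainName=TRUST LogonType=2
EventID=4624 Computer=WS-STAFFROOM-07 TargetUserName=da-admin TargetDomainName=TRUST LogonType=2
EventID=4624 Computer=SRV-DC-01 TargetUserName=da-admin TargetDomainName=TRUST LogonType=10
EventID=4624 Computer=WS-ICT-03 TargetUserName=da-admin TargetDomainName=TRUST LogonType=10
EventID=4624 Computer=WS-ICT-03 TargetUserName=SRV-DC-01$ TargetDomainName=TRUST LogonType=3
EventID=4624 Computer=WS-LIBRARY-02 TargetUserName=da-admin TargetDomainName=TRUST LogonType=3
"""

# Hypothetical privileged accounts; in practice export Domain Admins from AD.
PRIVILEGED_ACCOUNTS = {"TRUST\\da-admin"}
# Assumed naming convention for this example: workstation hostnames start "WS-".
WORKSTATION_PREFIX = "WS-"
# Interactive logon types leave reusable credential material on the host:
# 2 = console, 10 = remote interactive (RDP), 11 = cached interactive.
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    computer: str
    account: str
    logon_type: str


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def find_admin_workstation_logons(events_text):
    """Return interactive logons by privileged accounts onto workstations.

    Network logons (type 3) are deliberately ignored: the control in the text
    is about admins using the same account for desktop sessions.
    """
    findings = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
        if account not in PRIVILEGED_ACCOUNTS:
            continue
        if ev["LogonType"] not in INTERACTIVE_LOGON_TYPES:
            continue
        if not ev["Computer"].startswith(WORKSTATION_PREFIX):
            continue
        findings.append(Finding(ev["Computer"], account, ev["LogonType"]))
    return findings
```

Run against a real export, every hit is a case where a separate, non-privileged daily-use account should have been used instead.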
Non-secure backup procedures or controls
Backup storage locations are being targeted and encrypted by ransomware that spreads from production servers to the backup locations.
Extra controls for backup security are required, such as placing the backup storage location in a demilitarized zone (DMZ) or off-site, and allowing access to this zone only during the backup window.
What can be done to mitigate risk?
Governance: ensure that policy and procedures are effectively developed and communicated to all staff and third parties. Ensure adherence to these policies and that they are regularly reviewed.
Frameworks: implement or benchmark your cyber controls against industry-standard frameworks. This will help to highlight weaknesses and provide a roadmap to fixing or mitigating the vulnerabilities. A Cyber Essentials certification aims to ensure that the basics are in place for cyber security. Performing a cyber maturity assessment based on the National Institute of Standards and Technology (NIST) framework offers even further value, going over and above the basics into gauging maturity in identifying, detecting, preventing, responding to and recovering from attacks or breaches.
Threat modelling: this will help to identify IT assets, potential risks to those assets, the threat actor, the likelihood of an incident occurring, and what the potential impact would be.
Penetration testing: this is a good way to examine the environment and it should be carried out regularly. It will help to highlight the vulnerabilities open on any system. Understanding the vulnerabilities ensures that they can be addressed, or that extra controls or security can be implemented to protect those assets.
Phishing exercises or testing: these can be used to educate the workforce and to assess the level of maturity towards cyber security. Ongoing and regular testing is vital in creating a security culture.
Incident response and recovery testing: this is important because it helps to ensure that recovery plans and incident response procedures work, and it helps to minimise fallout in the event of a disaster.
Third-party management: ensure there is a defined process to manage third parties effectively, focusing on due diligence, onboarding, compliance monitoring, and roles and responsibilities.
To support schools, the Department for Education (DfE) has introduced a free ‘cyber secure’ tool which is being piloted and will be launched in 2022. The free and anonymous self-assessment tool will allow schools to assess their cyber security measures through a grading system of zero to five, helping school leaders and staff safeguard their pupils’ education and compare their score with local and national averages. In addition, the DfE is piloting a Risk Protection Arrangement Cyber Risk Pilot with over 500 schools. The pilot, which ends in March 2022, will support each school to achieve a certification which helps to protect them against 80 per cent of the most common cyber-attacks. Each certified network will also receive £250,000 of commercial cyber cover for one year to ‘improve resilience’.