05 March 2020
The end of a busy academic year is when attention turns to taking well-earned time away, but cyber-crime threats don’t take holidays. It’s important to secure your IT systems and infrastructure, as cyber-criminals are ready to exploit weaknesses in your defences.
What’s the risk?
We continue to see education providers identifying cybercrime as a key strategic risk, and the threat is growing. The Department for Digital, Culture, Media and Sport (DCMS) has published updated findings from the Cyber Security Breaches Survey 2022. The DCMS revealed that of those surveyed:
- 41 per cent of primary schools;
- 70 per cent of secondary schools;
- 88 per cent of colleges; and
- 92 per cent of higher education institution (HEI).
- had identified a cyber security attack or breach within the 12 months reviewed.
62 per cent of HEIs experienced ‘breaches or attacks at least weekly’ and, while related figures are lower in other parts of the education sector, of colleges that had experienced a breach or attack in the previous 12 months, 42 per cent had a negative outcome. This included loss of money or data.
Cyber-criminals are becoming more sophisticated in their techniques and approach, as awareness of the cyber-crime threat grows. ‘Ransomware as a service’ (RaaS) and ransomware attacks are on the rise, and phishing or whaling attacks are becoming increasingly difficult to identify. Cyber-criminals remain intent on exploiting employees, who are often the weakest link in an organisations’ cyber-crime defences.
A provider’s risk of falling victim to cyber-crime increases when its staffing level reduces during the summer break. To assist providers, we detail some key considerations for securing your IT systems, digital infrastructure, and organisational assets.
Securing your IT environment: Key considerations
- Firewalls are imperative for monitoring, permitting and blocking data. You should have a firewall security policy, detailing the types of rules used and what each rule set does. Firewall rules should be reviewed frequently (in line with policy). The policy should also state how logging and alerts are configured and monitored.
Ideally, network intrusion detection and prevention (IDS and IPS) tools should be deployed and configured on the organisation’s network, so all incoming and outgoing digital traffic can be continuously monitored for unusual activity that could indicate an attack.
It is equally important that there is someone on call to monitor the alerts, as across our education client base, many attacks are launched at night, at the weekend and at bank holidays and during education holiday periods. Not all colleges have out of hours provision, which is something that should be reconsidered to make sure that the risk of an out of hours attack is managed. It is important to ensure that any vulnerabilities, of any level, identified by network scans are remediated as a priority.
Access controls and passwords
- Strong passwords should be required from all users. Review ‘password history’ controls frequently, to prevent individuals from cycling the same passwords, and consider implementing a lockout threshold of three to five attempts.
- Disable the ‘store passwords using reversible encryption’ option, as this allows the operating system to store passwords in plain text format that can weaken overall security.
- Undertake periodic reconciliations of active staff against user accounts and review inactivity reports, ensuring inactive accounts are quickly disabled.
- Where possible, implement Multi Factor Authentication (MFA), as without MFA there is an increased risk of compromised accounts.
Security patches and antivirus software
- Antivirus and software updates should routinely be applied and supported by underlying policies and procedures. It’s also important to ensure that all devices have the latest security patches installed and that they are encrypted to ensure confidential data is protected in the event of a cyber-security breach.
Data backup and business continuity
- Backups are essential to ensuring that key data can be recovered in the event of an operational failure or cyber-attack. A backup procedure and policy should already be in place that includes the backup schedule, retention periods, and backup restoration testing schedule.
- It is good practice to require daily incremental and weekly full backups, but a provider should have assurance that retained data can be restored quickly. Formalising the approach for backup restoration testing, setting standards for frequencies and types of restores, will consequently help providers to further secure their data and assets.
- Remember to consider the physical security of equipment, and where possible keep high value goods restricted from outside view.
Has your IT incident response plan been tested recently?
A comprehensive incident response plan is essential, as it will guide a provider’s response to an attack. As a minimum, a formal incident management policy and related processes should be in place, including:
- references to related regulation;
- reporting requirements; and
- explicit examples of what constitutes an incident or security breach.
Once documented, a walk-through and other tests of scenarios should be undertaken and extended to relevant third party service providers. The incident management policy should be tested at least every 12 months, and any lessons learnt captured and fed back into the process.
For more information about how we can help you to protect your institution, please get in touch with your usual RSM contact.
Our latest review of strategic risk registers across the sector highlighted IT risks in the following areas:
- hacked systems, leading to significant data and financial losses and reputational damage;
- ransomware or denial of service attacks, creating disruption and loss of data, while phishing emails continue to target staff;
- poor system access controls, and providers may be using aged (or even unsupported) IT equipment and software; and
- inadequate education on IT security and remaining safe while online.