Technology can also be used in wider stakeholder engagement, including the efficient and effective management of relationships with parents, funders and alumni – it has never been so easy to be connected and develop relationships. This has never been so critical as during the current period which schools have encountered, both in terms of the provision of remote learning, as well as the hybrid examination approaches being developed.
In addition, the Russia/ Ukraine conflict has increased the scale of cyber related activity, heightening the need for focus in this area. Within the UK, given the emerging economic challenges (with inflation/ cost of living/ energy) there is also the potential for either staff to lose focus and not implement control measures, as well as a general increase in fraudulent activity in a period of economic uncertainty.
From a risk perspective, schools hold considerable amounts of sensitive personal data of children, parents, staff, donors and alumni – all of which present a security risk which has to be managed.
Back in 2019, the National Cyber Security Centre and the London Grid for Learning completed an audit into cyber security within schools.
Key findings from this included:
While the report predates the pandemic the issues, in our view, will have been exacerbated. We have seen a huge increase in phishing and ransomware incidents and in particular, schools being subject to ransomware attacks, which we have focussed on below.
Ransomware is a type of malware that prevents you accessing your computer or the data stored in it. This generally impacts the entire network as once an attacker has accessed the systems, they will identify where key data is stored and encrypt the entire network at the point of attack. Payment (the ransom) is then requested, usually in cryptocurrency, with contact made by an untraceable email address, with threats to release the sensitive data if the ransom isn’t paid. It should be recognised that the data may not be released even if the ransom is paid.
Key actions to take to address this risk include:
Overall, there is a need for an effective response plan should an incident occur. This should include the key contact points, escalation processes for senior management and the Board, key responsibilities, an available conference number (accessible without the network), how critical functions can be operated and importantly, access to the incident response plan and contact points in an offline form.
We would also recommend testing this – in our experience, a desktop exercise can be used to raise staff awareness and learn lessons. You should also be aware of your cyber insurance contact points and how you can access them without systems access.
If you are subject to a ransomware attack you need to consider how you would respond – how to identify the data which has been compromised, engage with stakeholders and in more extreme cases, how to manage a recovery process which takes an extended period.
These attacks will often target the back ups of the school, so it is critical to understand the key data which is backed up and pertinently, where it is stored. For example, is this offline, in a different location from the network or stored in a cloud service?
There are also challenges where real time replication (which can often be part of a standard Windows setup) is in place – as a result, as soon as the ransomware attack occurs the replicated back up is also subject to the attack.
In conclusion, we recommend that schools both refresh and renew their approach to cybersecurity, considering the full lifecycle of the process and asking a series of key questions.
If you require any further advice on any of the above, please contact Richard Evans or your usual Crowe contact.