3 Strategies Schools Can Apply To Protect Their Data

Cyber-attacks on our nation’s schools have been increasing over the past few years and have spiked significantly over the past 12 months, with more than a third of primary schools (36%), over half of secondary schools (58%) and three-quarters of further education colleges (75%) reported to have suffered a cyber breach in the past year, according to recent National Cyber Security Centre (NCSC) figures.

In June of this year the NCSC reported that recent attacks had “led to the loss of student coursework, school financial records, and data relating to COVID-19 testing.”

With the shift to online and hybrid learning, schools have found themselves more exposed than ever and with limited resources to defend their IT infrastructures, most schools are unequipped for the risk posed by today’s ever-evolving threat landscape.

Budget constraints are an ever-present obstacle to maintaining or improving security, and IT administrators also struggle with persuading students and staff to take security seriously.

Let’s look at some strategies schools can employ to make the cybersecurity grade.

Make endpoint security a priority

“Endpoints” refers to devices that users access directly, such as Servers, laptops & desktop PC’s, tablets, phones, etc., so called because it is a literal endpoint on a network.

Endpoint protection has always been a fundamental security practice, but as the network perimeter expands to include home networks, it’s now more crucial than ever. Unfortunately, due to budget constraints, school systems have struggled in this area.

To address this, administrators should consider prioritising high-risk systems and assets, such as data stores or servers, and apply threat detection to alert them of potential threats. If a violation of the school’s security policies is detected, automated actions can quickly contain threats before sensitive data is compromised. Essential mitigations should include a good antivirus solution, spam-filtering (for email accounts) and web-content filtering. You may also consider newer mitigations such as a ransomware protection solution, for example.

If budget remains an issue, schools can also leverage existing technology investments, such as the in-built security capabilities in Windows, Chromebooks and Microsoft365 to enhance protection across lower-risk assets. This is especially useful where IT administrators may not have complete “authority” over remote devices — such as a home user’s own PC — but can require that remote users have their in-built security options activated.

Awareness is key

An often-overlooked fact of cyber-security is that, even when you all the critical policy and technology mitigations in place, the most important defence is the awareness of those who use your systems on a day-to-day basis.

Educational institutions must work on building their security culture to ensure students, staff and administrators are “cyber aware.” Knowing how to identify and report a phishing email, practicing password hygiene and not sharing passwords — which has, unfortunately, become a common practice as the use of collaboration and cloud software has proliferated in recent months.

The fact is cyber-awareness training (CAT) need not be time consuming, disruptive, or expensive. Managed CAT services, incorporating simulated attacks, targeted training and auditing/reporting can be delivered on-going for very low cost — as an example, here at Supreme Systems we’re currently quoting just £2.99 per Teacher/Faculty member per month, and this service includes access to a wealth of resources that can be used for Student education sessions also.

Alternatively, you could take a more DIY approach and take advantage of free resources made available by the NCSC. Take a look here for links to NCSC practical resources to help schools improve cyber security, or here for cyber security training for school staff. While not as effective as on-going services at maintaining awareness, and will require some investment of time, this approach won’t impact already tight budgets.

The importance of good Access Management

With the rise in remote and technology-focused learning, schools must set up strict network access control policies, limiting data access to the people who need it, when they need it.

The statement that non-IT administrators should not have administrative rights on their devices or networks may sound obvious (because it is obvious) but in practice this is all too often not the case.

IT Administrators should have 2 accounts set-up — one with administrator rights to be used only when these rights are needed and their other account to be used at all other times, for everyday activities.

“Starter” & “leaver” processes are another important component to have in place, ensuring old accounts are removed and any passwords that a leaver may have been privy too are changed quickly.

With these policies in place, administrators are in a much stronger position and will mitigate against the risk of frequent turnover of students and staff. When a student graduates or a teacher leaves a position, their access rights can be quickly revoked to minimize the risk of their identity credentials falling into the wrong hands.

Where possible, you should also utilise 2-factor-authentication (also known as 2FA, multi-factor-authentication or MFA), especially for systems that access sensitive information.

Last words

Even before the pandemic, hackers discovered that schools are easy prey and a lucrative source of data and as students have returned to the classroom, the cybersecurity threat has not diminished in the slightest.

Establishing cybersecurity strategies like those above can help schools enhance their cybersecurity maturity and protect students, teachers, staff, and networks.

While many of these may seem obvious, they all require time and management, and some require financial investment too, which can result in them not being implemented at all or, just as bad, “worked around” — this is exactly what the cyber-criminals are banking on.

Ready to take the first steps toward better cybersecurity?

If you would like to know more about IT managed services that can drastically reduce your cybersecurity risk, get in touch with us.