That the Education sector faces major challenges is not news to most. Issues such as a lack of staffing and a lack of funding and resources are well known and persistent. But now UK Schools and Further Education are facing another challenge — cyber-attacks.
In this article, we’ll be focussing on one way to mitigate cyber-attacks for Schools and other educational organisations: Cyber Awareness Training.
Why is Cyber Awareness Training important?
Schools, and the education sector as a whole, are under siege from cyber-criminals in 2021. Recently published Gov.UK and National Cyber Security Council statistics show that attacks on this sector have risen steeply over the past 18–24 months, and this shows no signs of abating.
For more information on this, and a look at some of the underlying reasons why this is happening, take a look at our recent article “Why Cyber Security must be a Priority for Schools In 2021”.
In the IT industry there is an understanding that, while sensible cyber-security mitigations such as anti-virus, firewalls, anti-spam filters, proper and sensible configurations, regular patching, and so on are all essential components of good cyber-security for any organisation, no amount of effort or expenditure can protect you 100% from cyber-attacks.
The truth is, your last, and most vital, line of defence against malicious actors is the awareness of those who legitimately use your IT systems.
The UK’s National Cyber Security Council (NCSC)’s “10 Steps to Cyber Security” begins with the following guidance…
1. Understand your organisation’s risks
2. Implement appropriate mitigations
3. Prepare for Cyber Incidents
Cyber Awareness Training is a key component of both points 2 & 3, as training will enable your “users” to identify attacks and to know how best to respond when they do.
The goals of cyber awareness training are straightforward in principle, but there are also some aspects that are not immediately obvious.
· Educate staff on their responsibilities and current information security threats to mitigate the risk of a breach.
· Inform legitimate “users” of current and common information security threats and how to “spot” them when they occur.
· Further inform your legitimate “users” on best practice responses when a malicious activity is identified.
· Raise awareness and encourage a culture of information security throughout your organisation. These are requirements of compliance with Clause 7.3 and control 7.2.2 of ISO 27001.
· Test learner knowledge to prove compliance for auditing purposes.
· Reinforce awareness with monthly security updates, which include the latest news and tips.
What does Cyber Awareness Training comprise?
The National Cyber Security Council (NCSC) does provide free cyber awareness training resources for the Education sector — such as these — and this is a good starting point.
However, what is often overlooked is that it is also vital to know that staff have engaged with training, and to be able to prove this for compliance and auditing purposes, as well as for the simple peace of mind that comes with knowing that your colleagues are aware of what to look for and how to respond when they encounter a malicious email or malware infection.
Cyber Awareness Training is not something that you can “do once and forget” — it needs to be integrated into your systems and delivered on an ongoing basis (not necessarily continually, though that would be the ideal, but regularly at the least).
The best Cyber Awareness Training solutions available today combine several elements. Here’s a breakdown of how our own automated Cyber Awareness Training service works, as an example of a more advanced solution.
Simulated attacks — These will usually take the form of “Phishing Attack Simulations” — the single most common form of cyber-attack and the way that most successful cyber-attacks are initiated (over 98% according to recent industry statistics). Attacks of this type begin with a communication of some type (usually email) purporting to be from a trusted source. These will then attempt to manoeuvre the recipient into some action that will compromise information — whether this be an attempt to coerce login credentials from them, or to download a file or click on a link that will, unbeknownst to the victim, install malicious software onto a network device that will in turn allow the hacker illegitimate access of some kind.
For the simulated attacks to be effective they need to be entirely unpredictable and as authentic as possible. To accomplish this, we have a large selection of template emails, over a thousand and counting, modelled closely on real-world attacks; these are selected at random and sent at random times to each “user”. This ensures that no-one can predict what will be sent to whom and when.
The simulations also incorporate elements of “user” information, such as first names, email addresses, and so on — exactly as targeted phishing attacks do — to increase authenticity.
Monitoring of responses — In conjunction with Simulated Attacks, an advanced Cyber Awareness Training solution will also monitor the “users’” responses to, and interactions with, the emails it sends.
Delivery of training — Training is delivered in 3 ways…
· Automated delivery — Short, engaging and appropriate training, often in the form of short, animated video clips, is delivered automatically when the system detects a “failure” condition — i.e. a “user” has interacted with the simulated attack in some manner that is not in line with the best-practice response. The training will highlight the tell-tale signs of the attack, so that the recipient is better able to spot them in the future, and explain what the recommended response should have been.
The training will usually include some interactive element, and the “users’” interactions with the training are also monitored.
· Pre-made and customisable training sessions — The solution also includes a large amount of multi-media resources to make group training sessions easy to prepare. The resources cover all aspects of cyber security and even “social engineering” type hacking methods.
· Self-serve training — “Users” can also access the training portal and access training resources themselves if they wish.
Reporting — Administrators can monitor the progress of the training in real time via our online portal, choose from a range of reports and graphical representations, and gauge these against current industry-sector benchmarks to see how they are performing. These reports can also be downloaded for use as evidence for compliance and auditing purposes.
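The workflow described above (random template and send-time selection, monitoring of each “user’s” interaction, automatic training assignment on a failure condition, and a report measured against a sector benchmark) can be sketched in code. This is an added illustration, not code from Supreme Systems’ service; the template names, user records, interaction events and the 25% benchmark figure are all constructed for the example.

```python
import random
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: hypothetical simulation template ids and user records.
TEMPLATES = ["invoice-overdue", "password-reset", "parcel-delivery", "shared-document"]
USERS = [
    {"id": "u1", "first_name": "Alice", "email": "alice@example.school"},
    {"id": "u2", "first_name": "Bob", "email": "bob@example.school"},
    {"id": "u3", "first_name": "Carol", "email": "carol@example.school"},
]
# Interactions that count as a "failure" condition (not the best-practice response).
FAILURE_ACTIONS = {"clicked_link", "submitted_credentials", "opened_attachment"}
# Constructed interaction log: (user id, template id, action), in time order.
EVENTS = [
    ("u1", "invoice-overdue", "opened_email"),
    ("u1", "invoice-overdue", "clicked_link"),
    ("u2", "password-reset", "opened_email"),
    ("u2", "password-reset", "reported_phish"),
    ("u3", "parcel-delivery", "opened_email"),
]

def schedule_campaign(users, templates, start, days, rng):
    """Pick a random template and a random send time within the window for each
    user, so neither the content nor the timing is predictable."""
    plan = []
    for u in users:
        offset = timedelta(minutes=rng.randrange(days * 24 * 60))
        plan.append({"user": u["id"], "template": rng.choice(templates),
                     "send_at": start + offset})
    return plan

def evaluate(users, events):
    """Classify each user: 'failed' if any failure action occurred, 'reported' if
    they reported the email without failing, otherwise 'no_action'."""
    result = {u["id"]: "no_action" for u in users}
    for user_id, _template, action in events:
        if action in FAILURE_ACTIONS:
            result[user_id] = "failed"
        elif action == "reported_phish" and result[user_id] != "failed":
            result[user_id] = "reported"
    return result

def training_queue(results):
    """Users in a failure condition are assigned automated training immediately."""
    return sorted(u for u, r in results.items() if r == "failed")

def report(results, benchmark_fail_rate):
    """Organisation-wide figures for the compliance report, compared to a benchmark."""
    counts = Counter(results.values())
    total = len(results)
    fail_rate = counts["failed"] / total if total else 0.0
    return {"total": total, "failed": counts["failed"], "reported": counts["reported"],
            "fail_rate": fail_rate, "above_benchmark": fail_rate > benchmark_fail_rate}
```

Running `report(evaluate(USERS, EVENTS), 0.25)` on the constructed log gives one failure in three users, which is above the assumed benchmark and places `u1` in the training queue.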
How Can Supreme Systems Help?
Supreme Systems offer Cyber Awareness Training as a subscription service for Schools & Education (one of our CyberSercure.School services), making delivery of comprehensive training a hassle-free and disruption-free process for you.
Our fully automated Cyber Awareness Training service, as described above, is available on a monthly basis, which you can have running all the time or periodically — a month each quarter being a popular choice.
It’s a hassle-free, non-contract service, and we can even arrange a no-cost, no-obligation 2-week trial for you if you wish.
If you would like more advice on how Supreme Systems can help your School, College or University to become Cyber Secure, get in touch.