School Cybersecurity: The Risks and Costs of an Attack
Many presume cyberattacks are only levied against governments or multinational businesses. Unfortunately, that isn't the case. The education sector and schools, in particular, are also at risk as there's always data to steal.
For example, in June 2021, two schools in Kent — Skinners’ Kent Academy and Skinners’ Kent Primary school — were forced to close after their hackers breached their servers. Sensitive data such as personal details were stolen. Other notable cases include:
- The Harris Foundation was attacked by ransomware in March 2021, leaving 37,000 pupils unable to access their email.
- Also in March 2021, 17 schools within the Cambridge Meridian Academies Trust (CMAT) identified ransomware in their shared network.
- 15 schools in Nottingham’s Nova Education Trust were shut after an attack in the same timeframe.
- On March 16th 2021, 24 schools across South Gloucestershire were hit by what was described as a ‘highly sophisticated’ ransomware attack.
These attacks resulted in an abrupt loss of service, impacts of COVID-19 testing being carried out by the schools and the costs incurred by having to rebuild hardware.
The impact of a cyber attack on a school is difficult to predict. In this blog, we will be exploring potential impacts as well as mitigation efforts that can be employed.
- Cyberattacks on UK Schools
- How Are Schools Vulnerable?
- Costs and Risks of Poor Cyber Security
- How Schools Can Mitigate Attacks
Cyberattacks on UK Schools
According to the National Cyber Security Centre (NCSC), there’s been an increase in the number of ransomware attacks on the UK education sector from 2020 to 2021. Attacks like these have the potential of causing significant damage to an institution in terms of lost data, financial harm and the need to close.
Ransomware itself is a type of malware preventing data owners from accessing their systems or the data stored there. It’s called ransomware because the data is effectively ransomed until the owner can pay to reaccess the data.
The NCSC states: “In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records as well as data relating to COVID-19 testing.”
How Are Schools Vulnerable?
Security risks, also known as ‘infection vectors’, are common. Attackers will adjust any attack carried out based on the weaknesses they identify within a school’s system. For example, attacks could be made possible because of a lack of multi-factor authentication or weak passwords.
There's also risk caused by:
Virtual Private Networks (VPNs)
While VPNs are usually utilised because of their security benefits, there are also some vulnerabilities. These allow attackers to retrieve arbitrary data which can include files containing authentication credentials. The vulnerabilities allow the attacker to connect to the VPN and change the configuration settings or gain access to internal servers.
Phishing is one of the most common cybersecurity risks. These are emails crafted under the guise of legitimate businesses, organisations or even internal users. However, they usually contain a malicious file or link that, when clicked, allows malware to infect a computer or server.
Remote Desktop Protocol (RDP)
With the increase in remote working, RDP infection vectors have become the most common opportunity for cyberattacks.
RDP allows users to access desktop computers or servers from other devices. This requires certain configurations which can be built insecurely, allowing attackers to gain access.
Once an attacker has access, they can steal or ransom data.
Costs and Risks of Poor Cyber Security
Upon the occurrence of a successful cyberattack, the financial costs can be significant. An attack will include any number of the following effects:
- System downtime
- The need for new devices
- New network infrastructure
- Decreased efficiency
- Information Commissioner’s Office (ICO) fines
- Potential claims from affected third-parties
There's no rule of thumb used to determine the actual cost of an attack should it occur. Depending on the circumstance, the severity of the attack and how quick an institution can respond, costs can change dramatically.
However, in the past, the cost of a cyberattack has been high. For businesses, in particular, an average cost of a cyberattack can be around £2.9 million. According to Infosecurity Magazine, one attack on a Mississippi school district ended up costing $300,000 after they agreed to pay the ransom on encrypted files.
So, the costs can be massive. Unfortunately, it's unlikely schools will have the financial ability to pay costs that hit these amounts.
How Schools Can Mitigate Attacks
Fortunately, schools can take pre-emptive steps to better secure their systems. These are all fairly simple additions to security. First of all, schools should utilise RDP services that include multi-factor authentication, alongside implementing anti-phishing protections, such as anti-malware.
Secondly, there should also be quality antivirus software in place. Any and all scripting environments and macros should be disabled.
On top of these strategies, schools can also undertake the following.
Develop Strong Passwords
It’s very easy to fall into the trap of using the same password for multiple accounts, but this makes all of them weak in terms of security. The most secure passwords are non-dictionary words, mixtures of numbers and letters with a varied use of uppercase and lowercase.
Carry Out Security Awareness Training
While cyber attacks evolve over time, one of the most vital avenues of risk mitigation is ensuring that staff are trained on cybersecurity awareness. What this entails is giving staff the best possible training on not only cybersecurity best practices, but also training in how to remain aware of developing risk factors. This includes the ability to:
Spot suspicious activity
Detect phishing attacks
Identify areas of potential weakness within a school’s system
Similar types of training can even be given to pupils. If digital technology is something that is part of everyone’s future, it’s worth including cybersecurity education within a school’s curriculum.
Choose Cybersecurity Champions
Within a school or other educational institution’s staff, appoint several cybersecurity champions. These individuals should be trained as above, but also work to monitor the status of an institution’s cybersecurity.
They should continue to develop their knowledge of cybersecurity best practices over time and be ready to head up and support any projects that require cybersecurity input.
Data recovery should also be considered in mitigation strategies. For example, a school should have an up-to-date, tried-and-tested offline server backup in place. For more information, you can utilise:
- The NCSC’s ‘Mitigating malware and ransomware attacks’ guide
The NCSC’s Cyber Security for Schools resource page
Ultimately, a school should address the root causes of cyberattacks, such as any present infection vectors. This should include an incident response plan made up of continuous system assessment so systems are backed up often, emergency response protocols are practised and software is regularly updated.