Cyber security is critical. No matter the size of your school or MAT, a breach of security in your network can cause massive problems that do not have a quick fix. While it’s good to get systems in place after an attack, preventing risks is much easier in the long run. But what risks are out there? And how do we defend ourselves from them?
TIAA, as a leading Business Assurance firm with Cyber Security Specialists, has helped schools, MATs and universities avoid data breaches and prevent cyber-attacks through internal auditing, among other services. Peter Sheppard, Director – Digital Assurance at TIAA, discusses this.
We’ve learned far too often that schools are surprised to hear that there needs to be a big focus on cyber security. The National Cyber Security Centre recognises education as a high-risk sector. Microsoft’s global threat activity records deem the educational sector to be the number one at-risk sector. While you may feel that it wouldn’t make sense for a school to be attacked, it’s undeniable that the risk exists. It’s not a case of ‘if it happens’, it’s more like ‘when it happens’.
Essentially, if you have a computer – even if it is just one – you need to make sure it is secure. Because schools retain sensitive information covering your students’ formative years, it’s key to make sure that it stays as secure as possible.
As 2021 brought an acceptance of remote working and learning, so too was there an increase in ransomware attacks on the UK education sector. Unfortunately, ransomware attacks also evolved in the last year. Cyber criminals will not just try to extort you for your data; they will now look to steal login information, log in as that user and steal data directly from said account, while remaining undetected for large periods of time. They will then send a ransom notice to your school, leaving you to deal with the consequences, whether they be reputational, legal or financial.
A great way to start to combat potential risk areas is to undertake a gap review and create a radar graph. The aim of a radar graph is to highlight areas of cyber security that need to be improved within your school. Take this graph for example:
From this, you can see where improvements have been made throughout the school’s last few years and what needs to be worked on.
It’s important to have a member of staff own the risk at your school. When someone takes responsibility, it increases the chances that potential risks do not get overlooked or fall by the wayside. Another key point is to make sure that your budget is proportional to the risks you may face. For example, if you have a data breach, the ICO (the Information Commissioner’s Office) can fine you up to 4% of your turnover or approximately £17 million for the most serious of breaches. Fortunately, while fines are not typically this large, high-profile real-world examples do exist (British Airways was fined £20m for a data breach back in 2020, for instance).
You may have heard of a pen test as a way to provide assurance of your cyber security. An issue we find with these is that while they may look good on the day, by tomorrow they may be obsolete. Pen test reports can sometimes be inconclusive according to TIAA. They can be difficult to understand if expert terminology or jargon is overused in the report. If you are commissioning pen tests, ask questions about their efficacy and how you will be able to improve your security from them.
Another key risk reduction strategy is to presume you’ve already been breached and work your way backwards:
- Has your school got proven and proactive threat detection?
- Are you learning from incidents or near misses?
- Are your cyber security improvements timely?
From this you can look at whether your school is prepared now:
- Not prepared as a reactive response.
- Is your cyber security mature and tested?
- Is incident management in place?
- Is cyber security actively managed at board level?
Have you looked at the new ways in which working remotely has impacted cyber risk management:
- Has your school revisited its cyber risk assessment recently?
- Is there any additional training needed for remote workers?
- Do your continuity arrangements reflect new ways of working and the new technology used?
By answering all of these questions, you can look at building robust assurance.
You can also seek supply chain assurance; include a cloud service provider that can help with remote working security and third-party assurances. Finally, would you need ‘deep dive tests’ for specific areas to drive improvements and obtain assurances? Testing is vital and, if it needs to be done, it’s worth requesting so you can get peace of mind for your more complex systems.
To conclude, cyber security is a must for any school, no matter the size. The risks and potential financial hit that can come from them are too great to ignore. It is important to make sure you ask yourselves the necessary questions to ensure you have the assurances you need to stay safe.
If you would like to see how TIAA can help you, whether that be training, Cyber Security, data analytics, auditing and more, please Contact Us.