How do Information Security Attacks threaten the UK Education Sector?

Over the last several years, the education sector in the UK has seen many of the same issues that face industries across the world. The increased inter-connectivity of systems and networks has undoubtedly increased efficiencies in work, though it has also opened the door to information security attacks.

Research shows that around 69% of schools surveyed have suffered a phishing attack, whilst 35% have experienced periods with no access to important information. A 69% rise in cyber-attacks launched against schools was also seen between 2017 and 2018 alone.

As the reliance on digital solutions in schools has increased, so has the importance of securing these technologies

Sarah Lyons, Deputy Director for Economy & Society, NCSC

There are many kinds of sensitive and personal information that educational institutions are required to handle, and as many school administrators will acknowledge, methods and practices of handling personal information are not always perfectly secure. Exacerbating this issue is the fact that the majority of schools do not train non-IT staff in cyber security.

The Facts

  • 69% of schools suffered a phishing attack. Though many of these attacks will be unsuccessful, it’s estimated the open rate of phishing emails in schools is 2%
  • Only 35% of schools surveyed train non-IT staff in cyber security, meaning two thirds of school staff are susceptible to information security attacks
  • Only 41% had a business continuity plan. In the eventuality of a ransomware attack, operations would potentially grind to a halt
  • Only 49% were confident of their preparedness regarding cyber-attacks

Given the obvious vulnerabilities that exist within the UK education sector, it is unsurprising that cyber criminals are threatening schools. Outside threats, however, are merely one component of the information security problem.

As with all organisations, many of the information security issues that affect the education sector are not external, and are in fact a result of user negligence, with around 21% of all breaches involving internal actors. One survey of schools shows that 75% believe the biggest threat to their information security is accidental loss by staff.

‘92% would welcome more cyber security awareness training for staff’

Regardless of the sector in which you operate, there are certain standards and best practices to which staff should adhere. Complex and technically sophisticated attacks are rarely targeted against schools; it is far more likely that a breach will be the result of basic information security mistakes.

Top 3 Threats to UK Educational Institutions

Data Breaches

A data breach is defined as the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to data. A breach can come in many forms, such as unauthorised access to a database in the case of a hack, or even the accidental loss of a physical storage device, e.g. leaving a USB drive in a taxi. None of these need to happen, yet they happen scarily often.

Though there are many technical elements to defending against a data breach, there are plenty of ways standard users can help minimise the chances of sensitive information being lost, disclosed or improperly accessed.

Firstly, it is critical that every organisation understands the value of investing in comprehensive information security awareness training, covering proper encryption practices, various types of data and the responsibilities that come with possessing them, and how to best ensure the confidentiality, integrity and availability (CIA) of data.

Phishing

Despite best efforts, phishing emails are now an unavoidable reality of life in every sector. Phishing attacks vary wildly in sophistication and objective: some aim to manipulate users into directly giving up sensitive information, such as login details, while others try to direct users to malicious URLs.

Despite the variety of methods, there are several key practices to keep in mind to reduce the chances of an effective phishing attack:

  • Be suspicious of unsolicited emails, especially if they contain promises of prizes, unexpected invoices or unrealistic deals
  • Double check the email address. Many times, scammers will insert themselves into communications using addresses that seek to mimic the genuine article
  • Be wary of communications that convey urgency. Attackers often attempt to coerce users into acting quickly and making snap decisions
  • Have protocols and procedures in place. Giving employees at your business specific technical guidance will greatly help to mitigate risk
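The practices above can be turned into a simple triage check that a school's IT staff could run over reported emails. This is an added example, not code from the original article: the trusted domains, keyword lists and the sample message are all constructed, and it goes slightly beyond the text by also flagging a trusted name embedded inside a foreign domain.

```python
import re
from email import message_from_string

# Constructed assumption: domains the school legitimately receives mail from.
TRUSTED_DOMAINS = {"example-school.sch.uk", "dfe.gov.uk"}
# Constructed keyword lists for the "urgency" and "prize/invoice/deal" cues.
URGENCY = ("urgent", "immediately", "within 24 hours", "act now", "final notice")
BAIT = ("prize", "you have won", "invoice attached", "unbelievable deal", "reset your password")

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Extract the domain part of a From: header (empty string if none)."""
    m = re.search(r"@([\w.-]+)", from_header or "")
    return m.group(1).lower() if m else ""

def phishing_indicators(raw_message):
    """Return a list of human-readable indicators matched by the message."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg.get("From"))
    body = "" if msg.is_multipart() else (msg.get_payload() or "")
    text = ((msg.get("Subject") or "") + " " + body).lower()
    reasons = []
    if domain and domain not in TRUSTED_DOMAINS:
        for good in TRUSTED_DOMAINS:
            if 0 < edit_distance(domain, good) <= 2:  # one or two swapped chars
                reasons.append(f"look-alike sender domain {domain} (mimics {good})")
            elif good in domain:  # e.g. example-school.sch.uk.portal-login.example
                reasons.append(f"trusted name embedded in foreign domain {domain}")
    if any(k in text for k in URGENCY):
        reasons.append("urgency language")
    if any(k in text for k in BAIT):
        reasons.append("prize/invoice/deal bait")
    return reasons

# Constructed sample: look-alike domain ('1' for 'l') plus urgency and invoice bait.
SAMPLE = """From: Finance <accounts@examp1e-school.sch.uk>
Subject: URGENT: invoice attached, pay within 24 hours

Please settle the invoice attached immediately.
"""
```

Running `phishing_indicators(SAMPLE)` returns three indicators; a routine message from a trusted domain with no trigger words returns an empty list.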

Ransomware

One of the common objectives of phishing attacks is to introduce malware into a system, of which, ransomware is an increasingly common type. As a type of malware that takes your data hostage, ransomware works by encrypting the files on your computer so that they may only be accessed in exchange for payment (often in the form of cryptocurrency).

Awareness of ransomware increased greatly in 2018, following the WannaCry worm, which infected around 200,000 computers and cost the NHS an estimated £92 million. The vulnerability stemmed from the use of outdated IT systems and was likely introduced via a phishing attack, illustrating, with grave consequences, the importance of up-to-date systems and simulated phishing training.

It may sound simple, but in addition to anti-virus software, the easiest way to defend against malware is to avoid the point of infection. Having security-conscious users and a staff adequately informed and trained in information security awareness will undoubtedly save time, energy and, more importantly, costs in the long term.

If you’d like to learn more about information security awareness training and how it can help protect your business, click the link below.