Online behaviour: the key to battling cyberthreats
Two independent schools tell Evan Davies about the cybersecurity threats they have faced from the darker side of the internet this year, shedding light on what methods attackers use, who is most vulnerable and how they are mitigating risk
Looking through a lens at what challenges independent schools face today, cybersecurity, increasingly, comes into focus.
The number of reports of well-known schools making the headlines for security breaches alongside their business counterparts is increasing. Threats have evolved from being visible only to technical support staff, to now include pupils and teachers who are not only targets, but vehicles for delivery.
Understanding what risks schools face and how to work together to stop them has never been so important.
Tony Whelton, IT director at Wellington College, explains in more detail how defences and the focus of attacks have changed in recent years: “It was very much more the traditional preventative defences, as in protect your front of house and basically monitor that, to the extent that is required, whereas now the threat is definitely nowhere near as strong for that data.”
In this traditional landscape, a would-be attacker’s primary objective is to force a way through the ‘front of house’ to access internal systems and data, but now attackers seek softer targets – teachers and pupils – using the tactics of old, and new, to achieve their objectives.
“Now, the brute force attacks are on the users’ accounts and that goes hand in hand with the phishing campaigns,” says Whelton.
Phishing is when a cybercriminal will send an email encouraging the recipient to click a link within it. Often the objective is to harvest user credentials, deliver a virus or lure the receiver to another website where a payment will be requested. There are still brute force attacks but targeting pupils’ accounts in order to harvest email addresses of the pupils’ parents. Those parents would then be the targets of phishing attacks trying to entice them to pay their children’s school fees early in exchange for a discount. Often, it appears, that international parents are most vulnerable.
The biggest challenge schools are facing with this style of attack is that the attacker’s emails look extremely realistic. They are created manually, using publicly available information such as fees and logos, and written in a tone that will feel like that of the school’s normal language.
In order to eradicate these risks, Wellington College have implemented the latest in cyber defences; their infrastructure now rivals that of a large enterprise.
How many independent schools face cyber-attacks?
A report by Endsleigh Insurance Services, ‘Independent, but insecure? The growing cyber security risks facing the independent education sector’, unveiled some interesting statistics
● 61% of independent schools have reported experiencing a cyber-attack within the last five years.
● 39% considered their school to be a target for cybercriminals.
● 73% considered themselves to be fully protected from cybersecurity threats.
● 1% admitted to feeling highly vulnerable.
● 75% indicated they have a dedicated plan in place to respond to a cyber-attack.
● 38% monitor their cybersecurity policy monthly.
In the report, John Murphie, chief operating officer of the Independent Schools’ Bursars Association, says: “A top-down approach is one of the most effective ways of providing a robust response to rising cyberthreats, all those involved in the direction and running of a school are made aware of their responsibilities, the developing threats, and the necessary countermeasures.
“By increasing awareness and taking an active, and occasionally anticipative approach to mitigating the risks, schools can start to very effectively manage existing and emerging cyberthreats.”
Royal Hospital School (RHS), located on a rural peninsula of East Anglia, have also been the target of phishing campaigns but with a very different outcome.
I spoke with Alex Davison, IS manager, about an incident earlier this year that involved phishing to deliver a ransomware attack. A ransomware attack is a virus that gets into the network and encrypts important data before contacting the data owner and asking for money for it to be unencrypted.
Davison explains the logistics of the attack: “The finance department clicked a link in an email. The virus was new and punched a hole straight through the defences and encrypted a shared drive. The first we knew of it was a report someone couldn’t access files.”
RHS take security extremely seriously and have invested heavily in many layers of advanced technology for defence from attacks, but due to the speed in which new threats are created today, they could not stop this incident.
Fortunately, however, because of the fundamental, technical basics that they do well, they were able to roll back systems to avoid losing their data and paying the ransom.
The main style of attack that Davison is seeing is what he calls an ‘escalation attack’.
He explains: “This is where people come in and they will attack broadly across the site by any email account, so it is usually a phishing attack. They try to get you to click on a link and put your credentials in and once you have done that they will then use those credentials to log into your account and send further emails.
“Obviously hitting a pupil account isn’t what they are after but once they have got into a pupil account they tend to email a staff member or whatever people [are in their address book] and they are more likely to click because the legitimacy of those emails is higher than a random email from the outside.”
Davison went on to explain that the objective of these attacks often isn’t clear, so it cements the need for everyone at the school to remain aware, vigilant and responsible for their daily digital lives.
The responsibility of the students in this context at RHS falls to the head of digital learning, Hamish Mackenzie.
He explains that he wants every child to be an “active participant in security and safety, and to understand that their behaviour can undermine anything that we have from a network infrastructure point of view”.
To implement this, Mackenzie and the school have pioneered an innovative program, where students need to earn, and maintain, their right to access digital systems through acquisition of a ‘digital license’ at the start of each term.
Mackenzie says: “Risk-wise, the school is only as good as the behaviours of the children and they have to understand that, and we do that via their digital licenses and their digital handbooks.
“The digital handbook is, essentially, an acceptable usage policy, which is turned into child-friendly language and given some design elements. They are given three weeks to understand it before they have to sit a test to show that they understand it and what we expect of them.”
Risk-wise, the school is only as good as the behaviours of the children and they have to understand that
In those three weeks to understand their handbooks, students are given tutor time and various lessons to support it.
But it is not just a case of a license being granted and then forgotten about until next term, behaviour outside of what is acceptable can result in access being revoked for a pupil, helping to ensure ongoing compliance.
Critically to the success of this initiative, and the integrity of the school’s network, this isn’t an isolated exercise; security and digital safety is woven in at a curriculum level where appropriate also.
When thinking about these initiatives, Mackenzie explains that there is no one-size-fits-all answer.
He explains: “Our approach works well for a rural boarding school with day students coming in but it would not be appropriate for a state school down the road or an urban school with full network coverage and a different population.
“Threats change very quickly and can be national or regional. So, risk has to be analysed in the nature of the landscape and the context.”
Mackenzie recommends key things that all schools should do to maintain digital integrity: “Engage all stakeholders – that is governors, management, staff, pupils and parents. You have got to look at it from a holistic point of view rather than just seeing it as just the kids. I think you need to keep abreast of the changing natures of threats, for example ransomware. You also need to offer lots of training opportunities to allow people the chance to learn and I think most importantly you need to make sure your policies are fit for purpose and you need to make sure they are understood by people.”
Ultimately, the nature of the landscape in which schools sit from a cybersecurity point of view has evolved dramatically in recent years and will continue to do so. This calls for a coordinated and cohesive response that focuses on the online behaviour of everyone at the school – pupils, staff and teachers.
You might also like: 60% of independent schools faced cyberattacks in five years