The education sector is increasingly being targeted by cybercriminals, who use ransomware to prevent schools from retrieving their own data and then demand cash to restore access. With such attacks resulting in months of disruption and distress, what can be done to minimise the risks? Simon Creasey reports
The data had gone, the planning had gone and the resources had gone. Years of work had vanished and Graham Andre, a teacher at Lanesend Primary School – which featured in the BBC Two documentary No More Boys and Girls: Can Our Kids Go Gender Free? – took to Twitter to share his frustration.
It was down to hackers, he revealed. His school had been one of three on the Isle of Wight whose service provider had been targeted. All the data had been locked behind encryption and the only way it was going to be unlocked was if the schools or the service provider paid a huge sum of money.
The “ransomware people”, he lamented, had targeted education.
In fact, they had already been operating in education for some time, as the replies to Andre’s tweet demonstrated. Among the messages from fellow teachers, members of the public and cybersecurity experts offering Andre support and advice about how best to tackle the problem were other messages – messages of empathy from fellow victims.
“We were caught in a ransomware attack like this back in May,” tweeted one teacher. “We thought we’d lost everything and were without all computers and internet for a month!”
Another teacher tweeted: “This is awful. It happened to us last year just as we were teaching online and heavily dependent on IT-based systems.”
The reality is that ransomware attacks on schools are on the rise, according to the National Cyber Security Centre (NCSC), a government agency that provides advice and support for the public and private sectors on how to avoid computer security threats. Since September 2020, it has published three separate alerts, warning of a spike in ransomware attacks affecting the education sector.
And in an email sent to headteachers in March this year, which was seen by Tes, the Department for Education (DfE) warned of an “increasing number of cyberattacks” affecting the education sector and said it was “vital” that senior leaders “urgently review” their cyberdefences and take steps to protect their schools from attack.
How worried should you be? And what – if anything – can you do to protect your school?
The good news is that schools are not being targeted specifically by hackers – the rise in ransomware attacks is across all industries and is a global problem. In the first half of 2021 alone, ransomware attacks globally eclipsed the entire volume for 2020, according to the 2021 SonicWall Cyber Threat Report.
That said, education has experienced a significant rise in incidents: the report found that attacks on educational establishments increased by 615 per cent in the same period across the world.
The impact of cyberattacks on schools
Why, in an age when cybersecurity is so robust and organisations invest so heavily in infrastructure and training for protection, is this rise happening? Quite simply, the attacks are getting increasingly advanced.
In early June, one academy, located in the South East of England, found this out the hard way. The school, which has asked to remain anonymous for this article, had put in place a number of protocols to prevent this type of attack occurring, such as firewalls, antivirus software and extensive staff cybersafety training, but as the summer term wound down, the hackers got in regardless.
The cybercriminals were able to steal a wealth of data, including teaching resources, school trip information, human resources files, a significant amount of staff data and some student data. They also encrypted the school’s management information system containing contact details for parents, rendering it inaccessible to the school.
“External organisations have subsequently confirmed that this was a highly sophisticated attack,” says a spokesperson for the school.
It’s a scenario all too familiar to a headteacher from an academy located in the Midlands (it also wishes to remain anonymous). The academy was attacked last summer just as it rolled out its online learning offer to students.
“We think the hackers, who subsequently turned out to be quite a large and professional team, noticed us because of increased traffic on our website portal,” says the headteacher of the academy. “They encrypted everything they could before our paltry security system kicked in. They wanted half a million euros to de-encrypt it, which we refused. The police told us not to engage.”
The headteacher says that the timing of the attack was awful.
“We lost pretty much everything on the servers, including all data for centre-assessed grades, all curriculum and teaching resources, the most recent version of the following year’s timetable, all emails and Sims (School Information Management System) data. It was carnage.”
It’s important to recognise that these are not random attacks, nor are they haphazardly approached. The image of the hacker as a bored teenager after kicks is extremely outdated (if it was ever true) and, as the headteacher above implied, hacking is now a highly professional business. As schools come to rely on IT more and more, and with the pandemic hastening that transition, those gangs will see education as an increasingly valuable target.
An attack usually starts months before the final encryption happens and the favoured approach is usually phishing emails. These are communications that appear to be from trusted sources – a company you have ordered from, a friend or a colleague – and the idea is to get you to give up sensitive information that will enable the hackers to access your IT infrastructure or get you to download malware that opens the door instead.
Once someone unwittingly falls victim to the emails, the malware often sits dormant, undetected, on the “host” system until the hackers are ready to launch the attack. As soon as they start the process, the malware works its way through an organisation’s IT system, and encrypts (or “locks”) all the files it comes across. These files cannot be unlocked without a key. The cybercriminals will demand a ransom – probably in cryptocurrency – before they return the key that will allow the owner of the data to unlock it.
How do the hackers decide when to action the malware? A spokesperson for the NCSC says that, often, the aim of cybercriminals is to encrypt data at a time when it will have the most impact on an organisation’s services, such as right now, at the start of the school year.
“It can affect access to computer networks, as well as services including email systems and websites,” says the spokesperson. “Ransomware incidents can have serious impacts on an organisation’s ability to operate.”
And recently, the criminals have added a new element to the attacks.
“Recent trends show that cybercriminals are aiming to not only disrupt operations with their attacks but to extort them, too, by threatening to leak information online,” says the spokesperson.
During the pandemic, schools were more likely to be targeted and were particularly vulnerable to those attacks, according to Colin Tankard, managing director of the data security company Digital Pathways.
“Because of the pandemic, a lot of schools had to switch to online education and they did that really quickly, so stuff was put in place and rolled out without a lot of thought, precautions and testing,” he explains. With so much reliance on those IT systems, the impact of an attack (and the likelihood of a ransom being paid) also increased.
But even prior to the pandemic, schools were viewed by cybercriminals as a “soft” target, experts argue. For example, email addresses of employees are easy to access.
“Most email addresses for requests like invoice payments are on a public website so they are easy to target [using phishing attacks],” says Craig Barratt, a director at IT and telephone service support firm Foresight UK, which has been providing ICT services to schools and colleges for more than a decade. “It doesn’t help that companies sell these emails on the internet.”
Another issue is that school staff are not always trained on the risks; if they are, adds Barratt, “the training is usually delivered by another member of staff rather than a third-party expert. Support by local authorities is sporadic and a bit of a postcode lottery”.
The way schools are funded also means that buying into more secure systems frequently involves taking money from other vital areas, and Tankard says that, often, the way IT is perceived and acquired makes schools easy targets, too.
In addition to his day job in data security, Tankard is chair of governors at a local primary school and a data protection officer for a multi-academy trust. He says that schools are targeted by cybercriminals because they’re seen as cash-rich organisations that have weak systems in place compared with commercial organisations.
“Schools will buy laptops and tablets and things like that, rather than invest in a better, more secure wi-fi system,” says Tankard. “They also don’t think they need to back up their data because they use Microsoft 365 or Google Drive but, obviously, neither of those organisations back up your data and they don’t guarantee your data is backed up – they just guarantee a level of service and a service availability.”
So, is the key to ensuring that your school is not next in line for an attack to address these issues of back-up, training, IT acquisition strategy and basic security procurement? In a perfect world, yes.
For example, Tankard explains that because ransomware typically searches for and attacks system back-ups first (ensuring the hack is not worked around by simply using the back-up if the attack is spotted in time), what schools should be doing is investing in immutable storage, which essentially means that data can’t be accessed or amended by anyone other than the owner of the data.
The problem is that investing in protections such as immutable storage – and organising training or procurement of highly secure systems – costs money and, as Tankard says, “schools have generally taken the cheaper option” when it comes to cybersecurity because, as has often been reported in this magazine, most schools have to make a little go a long way when it comes to funding. During the pandemic, that little had to go even further. As such, many security protocols and systems in schools are simply not fit for purpose.
This was the case at the aforementioned academy in the Midlands, which was the victim of the attack last summer. But the headteacher admits that an inaccurate perception of the level of threat also led to poor decisions being made about where funding was most needed.
“Looking back, our security protocol was appalling,” says the headteacher. “We had assumed we would just need to keep out kids really, not real professionals. Our trust underspent on IT for years. They didn’t think it mattered. Then they blamed everyone else when it happened.”
But even if they do spend big once, that doesn’t mean they are protected for the future. Cybercriminals are becoming increasingly skilful and there has been significant growth in the “cybercrime-as-a-service” business model, which has led to more agile and powerful attacks.
“Criminals can essentially buy or rent cyberattack facilities to launch attacks against their chosen target,” explains Jason Nurse, associate professor in cybersecurity at the University of Kent.
So, faced with tight budgets and an increasingly fast-moving and sophisticated threat that mutates its methods often, what can schools do to ensure they’re not subjected to an attack?
Nurse says a “holistic” security risk management approach is paramount.
“It’s about adopting policies, procedures and techniques to prevent attacks,” he reveals. You then need adequate measures to detect an attack at the earliest opportunity if one occurs, he continues. And finally, it is about adopting comprehensive response and recovery strategies, which focus on the technical response but also the sociotechnical issues (for example, corporate communications and cyberinsurance).
“Attackers may be looking at educational establishments as a lucrative target but it’s important to push back on this and demonstrate cyber resilience,” he concludes.
The road to recovery
The good news is that the DfE is currently developing a tool that allows schools to assess their cybersecurity provision. And there are lots of resources already out there – many of them free – to help schools build up the requisite level of resilience. A good starting point is the NCSC website (ncsc.gov.uk), which features several key mitigation techniques that should deter the majority of attacks at either low cost or no cost.
The government agency has also developed a cybersecurity for schools web page (ncsc.gov.uk/section/education-skills/schools), which contains practical resources for school IT managers and helps them prepare their school to respond to cyberincidents, such as ransomware.
In addition, it has produced free cybersecurity training to raise awareness and help school staff manage some of the key threats facing schools. This is available as a self-learn video or a scripted presentation pack.
As a spokesperson for the NCSC says: “Recovering from a ransomware attack is rarely a speedy process; the investigation, system rebuild and data recovery often involve weeks of work. That is why it is so important to practise these steps before an event occurs, and the NCSC’s cyber exercise creation guidance can help you to do exactly that.”
Sadly, even well-prepared schools remain vulnerable to attacks – after all, teachers are experts in pedagogy, not global IT threats. So, if you are targeted, what can you do?
All is not completely lost. There is an option to call in cybersecurity experts to clean the data but this can be really expensive and cost “hundreds of thousands of pounds”, says Tankard. The average recovery costs have doubled in the past 12 months.
Thankfully, there are some free options that may help, says Nurse. For example, he explains that ransomware decryption keys can be found via the No More Ransom Project – an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and cybersecurity companies Kaspersky and McAfee – with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals. Schools should also consider sending details of the attacks to the NCSC and the national reporting centre for fraud and cybercrime, Action Fraud, to see what support they can offer, advises Nurse.
The alternative is to switch your systems off and start all over again by buying new hard drives and rebuilding your data from scratch, which is costly and time consuming, and you may still end up losing some valuable data.
“It’s basically a restart,” says Tankard.
Of course, schools could opt to pay the ransom, which can be anywhere from tens of thousands to hundreds of thousands of pounds. However, Tankard strongly advises against going down this route.
“I would always say don’t pay the ransom because, yes, they might give you your data back but, guess what, they’re not going to take the malware out and maybe in six or 12 months’ time, they’ll just switch it [the ransomware] back on again because they know you’re going to pay,” he cautions.
However, the vast majority of schools should never get to the point of the attack actually taking place. Security experts stress that this is a threat that is not going away. It is, instead, increasing every day and these criminals will have no issue targeting education – indeed, they will actively seek it out. What the sector needs in response is a change of attitude, from the government down to individual teachers, about the reality of the situation, along with the funding and infrastructure to enable schools to protect themselves.
“This is what’s lacking in the education sector at the moment. The message is not getting through clearly,” says Tankard. Or, at least, not for those yet to be targeted. For the schools that have already been victims, the lesson has been learned the hard way.
Simon Creasey is a freelance journalist
This article originally appeared in the 10 September 2021 issue under the headline “Hacked off”