How our school fought back after a cyberattack

When hackers targeted this school in a ransomware attack, it could have been a disaster – but thanks to a bit of luck, the school escaped unscathed. Since then it has set about shoring up its defences, explains principal Mark Steed
26th December 2023, 5:00am

https://www.tes.com/magazine/leadership/data/how-our-school-fought-back-after-cyberattack
This article was originally published on 3 February 2023

In October 2020 Kellett School was subject to a ransomware denial-of-service (DoS) attack orchestrated by a Russian criminal hacker group.

The attack was deliberately timed for the evening prior to a four-day holiday weekend in Hong Kong so the hackers had maximum time to encrypt and, potentially, extract our data.

Quite when the hackers got access to our servers, we do not know, but it was probably weeks, if not months, before the attack.

A post-mortem diagnostic showed that they had most likely got into our system through a member of staff clicking on a link in a phishing email, which, because staff had admin rights to their school devices, installed malware on the school system.

The malware then trawled our network until it found a disused administrative account, created at least nine years previously, that everyone had forgotten about.

With administrative-level access, the hackers were able to take over control of our network and to trigger a ransomware attack on the day of their choosing.

The school under cyberattack

Although the hackers timed their cyberattack for maximum damage, we were lucky in two significant ways.

Firstly, a member of the network team discovered the attack when he went into work the next morning - despite it being a religious holiday.

This enabled our network team and our IT managed-service partners to limit the scope of the penetration so that, importantly, no data was extracted and stolen.

Secondly, we had recently moved a number of our key systems (including our email, admissions, the school management information system and school policy documentation) from being hosted locally to cloud-based services.

This put them beyond the reach of this hack. Six months earlier and we would have been dead in the water.

The result was that the school was able to function. We still had access to Google Classroom so teaching and learning continued unaffected. Our email was working and we could take registers and access most of our school information.

Nevertheless, the attack encrypted our local servers, preventing access to all of our admin systems that we hosted on-site, including our finance and HR records.

Given that the school was operational and there had been no data loss, we decided not to respond to the hackers’ demands that we pay them for the ability to decrypt our files, nor did we report the incident to the police.

Instead, the team set about the long and laborious task of restoring our data from the back-ups. The disruption to the finance and HR teams lasted about a fortnight.

It had been a close call and we knew that we needed to do a lot of work to ensure that we would never be in such a vulnerable position again.

Leaving the front door open

Looking back, the situation that we found ourselves in at Kellett was typical of many schools. We had prioritised ease of access over security.

With the best of intentions, we had given teachers admin access to their school devices so that they could download any software from home that they needed during the period of home learning.

We had not got protocols and procedures in place to ensure that access to the school network was limited to current staff. And we had not made sure there were additional controls in place on the creation and deletion of admin accounts.

We had not made anyone change their school passwords for years out of a concern that it would overwhelm the IT helpdesk and disrupt the day-to-day running of the school.

We had not forced shutdowns and updates on school devices, which meant that some machines were running on very out-of-date anti-virus software.

We hadn’t ever trained the staff in cyber-awareness.

The network team had been working away putting in the latest firewalls and cyberattack counter-measures, but when push came to shove, we had done the cyber equivalent of leaving the front door open. It was a turning point.

One of the greatest challenges with cyber security is that “you don’t know what you don’t know”.

We have a great IT tech team at Kellett, but, with hindsight, we lacked knowledge and skills at that time in managing cyber risks. Our journey since the dark days of October 2020 has been a steep learning curve.

In response, we set ourselves the monumental task of attaining the ISO27001 accreditation, the internationally recognised standard in data management. The standard provided an audit framework that enabled us to know where we were in relation to best practice.

The process started with a “gap analysis”, outlining where we fell short in terms of our processes, procedures and documentation.

Over two years on, we are celebrating receiving ISO27001 accreditation - we are the first school in Asia and one of only a handful of schools in the world to get it.

It has taken time to implement our cybersecurity improvement programme and to put in place an incident response plan that we believe will stand us in good stead when the inevitable next attack comes.

Six things school leaders can do to reduce the risk of a ransomware attack

Since the incident, I have reflected a lot on what we learned from it all, and I think there are six key lessons worth sharing to hopefully stop others from suffering a familiar fate - and getting out of it if they do.

1. Lead from the front

Cybersecurity cannot be delegated to one person or even to the IT team.

Senior leadership buy-in is essential to set the tone, to make it an important part of the organisational culture and to ensure that the school invests sufficiently in this area.

Managers need to be in the vanguard of key initiatives, such as completing training and changing passwords.

2. Everyone must play their part

Like safeguarding, cybersecurity is the responsibility of every member of the school community. It is hard work, and everyone needs to play their part.

Moving to more complex passwords and two-factor authentication can be a pain - no one likes doing it - but it is an essential part of protecting the community.

Given that the most likely way of malware getting on to a school’s system is through a staff member clicking on a link in a phishing email, it is important that senior leaders make cyberawareness training compulsory for all teachers, support and admin staff.

3. Make sure policies and procedures are followed

It may sound obvious but it is vital that data protection policies and procedures are followed correctly.

For example, it is easy to have a policy that dictates that all leavers are removed from the school IT systems, but ensuring that this happens in practice is a very different matter.

This means school leaders need to ask the awkward questions and follow up where practice on the ground falls short.
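The gap the article describes twice, a leaver policy that exists on paper and a forgotten admin account that nobody removed, is exactly the kind of thing a routine reconciliation check catches. The script below is an added illustration, not code from the article or from Kellett School: it takes a constructed export of directory accounts and a constructed list of authorised account holders (current staff plus approved service accounts), and flags two conditions the article's post-mortem points to: enabled accounts that belong to nobody on the authorised list, and privileged accounts that have not been used within a dormancy window. The field names, the 90-day window and all sample values are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    """One row of a directory export (constructed format, not any real system's)."""
    username: str
    is_admin: bool          # holds administrative privileges
    enabled: bool           # account can still authenticate
    last_login: Optional[date]  # None means the account has never logged in
    created: date


# Constructed sample directory export for the example.
DIRECTORY: List[Account] = [
    Account("j.teacher", False, True, date(2020, 9, 30), date(2015, 8, 20)),
    Account("it.admin", True, True, date(2020, 9, 29), date(2018, 1, 10)),
    # A privileged account created years ago that nobody remembers owning.
    Account("legacy_admin", True, True, None, date(2011, 6, 1)),
    # A staff member who left in the summer but was never removed.
    Account("p.leaver", False, True, date(2020, 7, 15), date(2016, 9, 1)),
    # Correctly disabled leaver: should not be reported.
    Account("old.contractor", False, False, date(2019, 1, 1), date(2017, 1, 1)),
    # Current staff member with admin rights they have not used for months.
    Account("h.helper", True, True, date(2020, 6, 1), date(2019, 9, 1)),
]

# Constructed authorised list: current staff from HR plus approved service accounts.
AUTHORISED: Set[str] = {"j.teacher", "it.admin", "h.helper"}

# Fixed "today" so the example is reproducible offline (constructed date).
TODAY = date(2020, 10, 1)


def audit_accounts(accounts: List[Account], authorised: Set[str], today: date,
                   dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for enabled accounts that need attention.

    leaver-still-enabled: enabled account whose holder is not on the authorised list.
    dormant-admin: enabled privileged account not used within dormant_days
                   (an account that never logged in is measured from creation).
    """
    findings: List[Tuple[str, str]] = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are the desired end state for leavers
        if acct.username not in authorised:
            findings.append((acct.username, "leaver-still-enabled"))
        last_used = acct.last_login if acct.last_login is not None else acct.created
        if acct.is_admin and last_used < cutoff:
            findings.append((acct.username, "dormant-admin"))
    return findings


def run_audit() -> List[Tuple[str, str]]:
    """Run the check over the constructed data and return the findings."""
    return audit_accounts(DIRECTORY, AUTHORISED, TODAY)


if __name__ == "__main__":
    for username, finding in run_audit():
        print(f"{finding:22} {username}")
```

Run against a real export, the authorised set would come from HR rather than a literal, and the output is the list a leader can hand back to the IT team with the question the article recommends asking: why is this account still enabled? The dormant-admin check deliberately fires on current staff too, since unused privilege is a liability even when the holder is still employed.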

4. Have cyber insurance and emergency support in place

School leaders need to ensure that appropriate levels of cyber insurance are in place.

There is more to this than simply purchasing a policy. It is important to have conversations with your insurer in advance of a breach or incident about what its expectations are in terms of what the school needs to put in place.

At Kellett we now also have an emergency retainer with a third-party company, which will manage any cybersecurity crisis we face. It is pre-authorised by our insurer and already has a basic understanding of our systems, saving important time in the event of a crisis.

5. Have an incident response plan - and know how to use it

School leaders should plan for a data breach, and test the effectiveness of the school’s incident response plan.

The UK National Cyber Security Centre has published some excellent online resources (“Exercise in a Box”) to help organisations find out how well defended they are against cyberattacks and practise their response in a safe environment.

6. Call in the experts

Many schools don’t know what good cybersecurity looks like, and particularly what it looks like on the ground.

If a school doesn’t have a sufficient level of in-house expertise, school leaders should consider bringing in experts to conduct a cybersecurity audit and to help put a plan of action in place.

Mark S Steed is the principal and CEO of Kellett School, the British International School in Hong Kong; and previously ran schools in Devon, Hertfordshire and Dubai. He tweets @independenthead
