How to safeguard against a cyberattack

Online threats are now so easy to deploy, even a Luddite can be shown how to launch a ransomware attack in just five minutes using an off-the-shelf tool. With the education sector offering rich pickings for the would-be criminal, school IT director Toks Oladuti explains why steps should be taken to protect your school.
2nd March 2018, 12:00am


This was originally published on March 2, 2018 in Tes magazine. 

The teacher who was sitting at the computer was, to put it politely, technologically challenged. A self-styled Luddite, they could tell you what Microsoft Word was, and not much beyond that. But within just five minutes, they were launching a ransomware attack on their own school. The kind of ransomware attack that can steal or encrypt all of the data on your server or freeze your IT operations - and one that is often only ended when a big sum of cash is paid out (the “ransom” for ending the software attack and returning the data).

And here’s the thing: I - director of IT services at the school in which that teacher works - watched them do it.

Why on Earth would I want to encourage anyone to perform such a potentially destructive task?

The simple answer is: knowledge.

We were in the controlled confines of an information-security training session, in which the focus was not on what not to do, but more about understanding the threats and risks out there.

Because there are plenty of security risks for schools. Expensive, destructive and potentially disastrous risks. And schools are surprisingly ignorant of them.

Schools do not typically view themselves as a potential target for cybercrime. After all, historically, schools have only been the target of scattered, uncoordinated attacks. But the sense of safety within the education sector is a mistaken one. Things are changing: schools are in fact increasingly at risk of devastating security breaches and targeted cyberattacks.

The criminals have already shown that they are prepared to attack public services. The NHS was hit hard in early 2017, as part of a global ransomware attack that also targeted some schools outside the UK.

With the number of schools in the UK totalling more than 24,000, the education sector is a potentially lucrative hunting ground. According to security vendor Symantec, the average ransomware fee in 2016 was £525; if a mass attack was launched against all of our schools with just a 5 per cent success rate, it would represent nearly a £640,000 payday for the criminal.

It could be much worse for schools. In January 2017, a Los Angeles-based college reportedly paid a $28,000 ransom to regain access to its systems. (In mid-October 2017, the US Department of Education issued a specific warning regarding data theft and subsequent extortion against schools.)

The art of cyberwar

But the spoils of a cyberwar against schools would not be limited to ransom packages. Schools and staff process, and have access to, significant quantities and varieties of data regarding staff, students and parents. The cache might include medical records, financial information, reports on special educational needs and contact details. The pickings are rich.

And the tools of war? Well, they’re frightening.

The example I gave at the start of this feature demonstrated that a complete IT novice could launch a hugely damaging ransomware attack. With no guidance, the teacher in question completed the build and scheduled the launch in just under five minutes, using one of the growing number of click-and-build, ransomware-as-a-service platforms. These platforms are basic, tick-box-powered applications that allow anyone with limited technical skills (a disgruntled employee or annoyed student) to create, target and launch an email- or website-based ransomware attack. These platforms work on a commission-based business model whereby a cut is taken of the illegally generated revenue.

 

And consider the potential effects of the following types of attack, which are all real-life examples:

* An attack that prevents access to all electronic documents, files and systems for days or even weeks.

* A ransomware attack that blocks access to all coursework and other material relating to public examinations.

* A distributed denial of service (DDoS) attack that causes an independent school website to be down for days or weeks during the busy 11+ application period.

* A DDoS attack that prevents all staff from accessing the management information system (MIS) and blocks pupil access to a virtual learning environment.

* A data theft followed by the publication of all staff emails and documents, such as internal and private comments, appraisals, notes of concern, complaints, special educational needs reports, pupil reports and staff disputes.

* An attack that results in the computer, MIS and email passwords of staff being stolen, allowing an attacker the ability to impersonate staff and access systems remotely.

* A phishing attack that results in parents being sent false changes in information, such as accounts for trip and extra-activity payments, or even fees, in the case of independent schools.

* An attacker managing to connect a small keyboard-video-mouse device to the back of a reception computer without it being noticed. This device then sends the attacker all of the user’s keyboard strokes, giving them passwords and remote access.

* A worm virus that goes from machine to machine in your school network, destroying all files permanently.

 

The bad news is that things are getting worse. As with all technology, the growth in the sophistication and power of threats is increasing rapidly.

Instead of malware fitting neatly into one category, variants are merging to offer multiple damaging characteristics and methods of propagation. For example, previously, ransomware typically infected a machine and encrypted files. But in 2017, we saw a rise in ransomware that also had worm functionality: it would attempt to spread the infection to other machines on the network, to increase the potential number of files that it could encrypt.

Developers have also released versions with an especially malevolent way of propagation. Once infected, the victim will be given the default option of paying a ransom to get their files back, but they will also be given an alternative option to regain access: sending the malware to infect two or three other people.

This is not rudimentary, unsophisticated stuff. The criminals are intelligent and vicious in how they go about their work.

It would be easy to think that your antivirus software is going to protect you from all of this. Unfortunately, that won’t always be the case. In the same way that some websites adapt, depending on whether you access them from a computer or mobile phone, some malware is “aware” when it is being scanned by antivirus software and changes its activity to avoid detection.

Often poor user knowledge means viruses can be invited in, too, and this bypasses any security features that may be in place.

Don’t get me wrong, antivirus software is certainly part of the solution, but it should never be the only fix.

The good news is that most threats can be stopped by small shifts in behaviour and a strategic, risk-based approach to information security. Here’s how:

1. Run your system updates

At the most basic level, the importance of update management for your systems cannot be overstated. A large percentage of the world’s biggest attacks have been made possible by missing, but available, system updates that close off weaknesses where viruses can sneak in.

2. Educate everyone in the basics

The next step is to raise awareness and educate staff, students and parents about information security. Telling people what to do, and what not to do, is not enough. A good, but basic, understanding of the risks is key to the behavioural changes and core skills needed to identify and avoid current and future threats.

As school staff, I strongly believe that we need to break the cycle of successful, exploitative attacks by equipping students with fundamental online security skills. I’m rolling out a whole-school information-security programme within our PSHE stream to build up this ability.

Information security is underpinned by the principles of confidentiality, integrity and accountability (CIA), often referred to as the CIA triad. Confidentiality means only allowing permitted people to access information; integrity relates to only allowing permitted people to make changes to data (including deletion); and accountability means keeping a record of who has accessed which information, and when.

Every person involved in a school should know of, and abide by, these rules.

3. Make a plan

From this foundation, you can build a strategy. The worst mistake that can be made at this stage is to look at the sheer number of differing threats and think that they must all be tackled. This is guaranteed to end with you feeling completely overwhelmed, and nothing being done.

A risk-based approach is critical:

* Analyse all of the potential risks to your students, staff, data, systems and buildings.

* Rank these risks based on the potential threats, possible cost and likelihood of occurrence.

* If you do not have the in-school expertise for this risk assessment, find a supplier to help who has good recommendations from prior educational customers.

* Once you have your list of threats, tackle the most severe ones first.

* Create a longer-term plan, spanning a few years, to deal with the wider range of your identified risks.

* Accept that for some risks, the effort and costs required to mitigate them are simply not worth it, but this must be driven by your risk analysis.

* Once you know what needs to be addressed, perform an appraisal of your school’s internal ability and skillset to address the risks. If these are not present, you must invest in upskilling your staff or again seek external, professional support. You must also invest in the technical tools to monitor and detect attacks.

* Your school may eventually become the worst-case scenario. Develop an incident-response plan to deal with any such occurrence and ensure that you have a robust back-up strategy in place, along with offsite replication.

* Policies must address these risks as a living document that is measured and monitored.

4. Make it a high-level responsibility

Senior leadership and governors have no choice but to accept the need for information security as an essential part of running a school. These attacks can cripple a school’s ability to operate, and can harm individuals. The incoming 2018 data-protection laws - the General Data Protection Regulation - will result in a large number of information-security breaches needing to be reported, so you must have in place the technical tools and ability to detect breaches.

5. Make in-depth response plans

Mitigation plans must adopt a defence-in-depth approach to create protective layers against each threat. This might sound complex or expensive, but neither is necessarily the case.

Let’s take malicious emails as an example. A defence-in-depth approach could include the following:

* Staff training, resulting in a larger percentage of staff identifying, reporting and deleting a malicious email.

* Anti-spam filters to block some malicious emails from being received.

* Policies to guide user behaviour and minimise the impact if a malicious email is opened.

* Antivirus software to protect computers in the event that malware gets through.

6. Remember, this isn’t a one-hit wonder

Information security is an ongoing process and every school needs to continually reassess the risks, keep up to date with changing threats and adjust the mitigation where necessary.

The governance of information security lies with senior leadership and governors, but the responsibility is shared with everyone. We must all ensure that we possess the skills and knowledge to minimise the risks in our information-rich world.

7. Be aware that physical security is important to online security

There is an old information security adage that once they’re in, they’re in. This makes physical-information security just as important. Think about your points of access and how secure they may or may not be. How do you keep track of who should and should not be on site, and in particular, visitors and visiting staff? As a minimum, visitors should not be able to get any further into your buildings than the reception area, without recorded authorisation.

Most schools have paper information everywhere: in filing cabinets, drawers, folders, pinned on walls and sitting on desks. Control access to this information by using lockable storage and locking doors when rooms are unattended. Staff rooms should be secured at all times. Remove paper information from environments that are used for meetings with students, parents, or even some staff, to maintain confidentiality.

Unattended computers must be locked or logged out. Open computers grant anyone access to services such as shared drives, emails or management information systems containing sensitive data. This compromises confidentiality and integrity.

For certain types of data or sensitive information, assess whether access needs to be logged to ensure accountability.

For some, this will all sound incredibly scary. When delivering training sessions on this issue, I am used to seeing, at some stage, a sea of highly perturbed staff with expressions bordering on panic. This is understandable. Information-security risks and threats are serious, and when laid out, they are scary because your awareness is raised.

But do not let this initial reaction stop you in your tracks. I want to repeat an earlier comment: information-security threats can be stopped by small shifts in behaviour. It is not even that difficult, and only requires that you recognise the severity of the issue and then take appropriate action at all levels.

Schools are experts at this from having to manage safeguarding and other, similar processes, so simply apply the same level of care and attention to IT security, and you cannot fail.


Toks Oladuti is the director of information systems for an independent girls’ schools trust in London. Prior to that, he has consulted and managed IT in the corporate world. He can be reached on t_oladuti@outlook.com
