Blog Layout
Are Educational Institutions at risk from a phishing attack?
Lee Wallings • 29 September 2022
Absolutely they are!
The Cyber Breaches 2022 Survey Education Annex has some brilliant insights into what educational institutions are currently facing in terms of cybercrime and as in previous years, phishing is the top detected cyber-attack and it’s easy to see why.
You don’t need any technical knowledge to send an email. As humans we are easy to trick when we are just faced with skilled manipulators and in today’s hectic workplace, many of us work through our emails as quickly as possible without considering the overall picture.
In the last 12 months educational institutions have identified any breach or attack.
Phishing:
- Primary : 88%
- Secondary : 87%
- Further Education 93%
- Higher Education 97%
When an average of 90.25% of institutions have detected a phishing attack, institutions need to make sure they are doing all they can to prevent this constant barrage of attacks from causing significant damage.
As one of the respondents said
“The biggest challenge is getting people to understand the 'even with multi-layered defences... a single person can still bring down the whole system” Higher education institution
And it’s not just emails that phishing attacks can come through, it can be any form of communication including texts (smishing), voice (vishing) or now even QR codes (quishing).
But despite phishing being acknowledged as the biggest attack vector, not enough schools are training their staff to be aware of the risk and how to deal with it.
percentage of educational institutions that have carried out the following activities to identify cyber security risks in the last 12 months:
Testing staff awareness and response to mock phishing etc.
- Primary : 37%
- Secondary : 48%
- Further Education : 71%
- Higher Education : 65%
Tips for defending against phishing
The National Cyber Security Centre suggests these four layers to defend against attacks:
1. Make it difficult for attackers to reach your users
- Employ anti-spoofing controls so that attackers can’t pretend to be you: DMARK, SPF, DKIM. As an educational institution you can sign up to NCSC free Mail Check service which will let you know if your anti-spoof controls are all in order
- Understand what information is published that could be used to create spear phishing email – those targeted to a particular person/department with personalised content. You might want to have at look at what a corporate internet investigation might highlight.
- Filter or block incoming phishing emails using your email provider or specific service
2. Help users identify and report suspected phishing emails
- Ensure your staff know the warning signs of a phish but understand that they can be very difficult to spot
- Ensure staff know what to do if they get a phishing attack and what to do if they are tricked
3. Protect your organisation from the effects of undetected phishing emails
- Consider which devices need what defence. It might be disabling macros, the autorun feature or blocking specific extensions known to be used by specific malware.
- Use a proxy service to block any attempt to reach websites which have been identified as hosting malware or phishing campaigns
- Set up 2FA/MFA wherever possible
- Use a password manager or a single sign on method. Due to the autofill component, then user will get used to not having to fill in their password and may be more likely to question it when they have to.
4. Respond quickly to incidents
- Use a security logging system to pick up on those incidents that your users are not aware of.
- Have an incident plan ready and test it. The ECRC has a free template you can download and use for your organisation is you haven’t got a plan yet and you can test your plan with Exercise in a box.
Reporting phishing
You want your staff to report a phishing attack as soon as they realise they have fallen victim, rather than waiting until a forensic investigation identifies it.
The National Cyber Security Centre (NCSC) have created an enterprise Outlook add-in for staff to be able to report email phishing directly from their email box. The NCSC will the actively seek to disrupt the criminals sending these messages, protecting you from them as well as the wider community.
And you can report more than emails.
- Reporting a suspicious website - https://www.ncsc.gov.uk/section/about-this-website/report-scam-website.
- Reporting a suspicious email – forward to report@phishing.gov.uk
- Reporting a suspicious text message – send to 7726. This free-of-charge short code enables your provider to investigate the origin of the text and take action, if found to be malicious.
Further guidance & support
The Eastern Cyber Resilience Centre provides both individual and corporate internet discovery so you can see what information could be used to craft that phishing attack. We also provide Staff Awareness Training, but did you know your local police protect officer might be able to do this too? We train and mentor local university students, so when we say affordable, it really is. Find out more here.
The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.
You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.
We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.
Policing led – business focussed.
Children are attached to their internet devices like never before and are spending more and more time online. As parents/carers it can be difficult to have that conversa tion with them not just about being safe online but also how important it is to protect their privacy. Read below for some tips: 1) Check their social media privacy settings, some social media platforms set their privacy settings as standard which in turn include location trackers 2) Understand the potential privacy risks in your home, remember devices like Alexa and internet connected toys gather your data, be mindful when setting them up and ensure you check their privacy settings 3) Make your child aware of internet data and privacy, have a conversation with them, make sure they understand where their information is going and how it could be used 4) Be careful when using insecure free public wi-fi, this can leave you at risk of your personal information being stolen, risk of hackers to snoop on your device activity 5) It can be hard to remove content online, deleting an image or video from the internet does not mean it has necessarily gone, someone may of taken a screen shot or could be available via an achieve website 6) Regularly check in and take an interest in what your child is doing online, having an overview can give you an idea of potential privacy issues you may need to explain to them, not everyone is what they seem 7) Think about what you post on line about your child as a parent, parents can reveal personal information about their child, re school, places they visit a lot etc. By, mindful who can see the photos or videos you may share With thanks to our friends at Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada for the excellent cartoon and Professor Nash from the Oxford Internet Institute, University of Oxford for her bullet points and article. You can access Professor Nash's full article and more here https://lnkd.in/eWVpGKzx
The ICO has produced a suite of school resources for teachers to use when discussing privacy issues and the value of personal data. The lesson plans cover what counts as personal data, why it’s valuable and how to keep it safe when using social media. The resources are free to download and use. There is also a set of worksheets for each PowerPoint to facilitate discussion. They have added a set of lesson plans specifically on the Children’s Code, which is a set of rules designed to make the internet a safer place for children to learn explore and play. It requires organisations to put the best interests of the child first when they are designing and developing apps, games, connected toys and websites that are likely to be accessed by young people. There are specific programmes that can be used for both Primary and Secondary schools. Teachers can use these to help children identify where they can go to for support, including what they should do if they suspect an app, game or website is misusing their data or not conforming to the Children’s code. You can access the Primary school material from the ICO website here You can access the Secondary school material from the ICO website here
A new report by the Digital Futures Commission recommends that the government ‘s Data Reform Bill should regulate data taken by educational technologies (EdTech) services widely used in schools. “It is near-impossible to discover what data is collected by EdTech. Data collection is so extensive that we think that once combined, it is likely to be sufficient to construct a full profile of each individual child, including their identity, location, biometrics, preferences and abilities,” report author and barrister Louise Hooper. Test studies were conducted on Google Classroom and ClassDojo, an app designed to help teachers manage pupil behaviour, as they were both widely adopted by schools to provide remote and hybrid learning during the pandemic and have remained since. The main issue being that relatively strong data protection terms applied to education-focused services including Google Classroom stop applying when a child moves to other Google products such as YouTube. Due to government pressure in Germany and the Netherlands, Google has changed the way it handles children’s data but does not appear to have done this in the UK. The report recommended that under UK data protection law the government should introduce specific rules for EdTech suppliers “to relieve schools of the impossible burden of managing data protection without impeding uses of education data to benefit children and the wider public interest”. Rectifying the situation in children’s best interests is difficult because the size of EdTech companies’ and the lack of real clarity in their privacy policies and legal terms making it almost impossible for schools and children to counter or renegotiate how companies process data from children. For more information read the DFC report here
We would like to thank our friends at the “Office of the Privacy Commissioner of Canada for sharing these great games. How to play activity sheet You need a game piece for every player and a die. The person who most recently did something to protect privacy goes first. Take turns rolling the die and move your game piece forward that number of spaces. If you land at the bottom of a ladder, skip ahead. If you land on a snake tail, slide back down. You must land exactly on the last square to win. Snakes 21 - Oh no. You shared a picture of a friend without asking them if it was ok. 29 - You used a phone that is not yours without asking. 41 - You shared a password with a friend. That’s not a good idea! 47 - You used your real name to play a game online. (It’s better to use a make-believe name.) Ladders 10 - Yay! A grown up you trust helped you to make a password. 19 - Great! You told your parent that you don’t play a game anymore. Now they can delete it. 31 - Good job! You told a grown up someone was being mean to you online. 35 - You checked with a parent or guardian before buying a game online. Kids go online earlier in life than ever before – which means that parents and guardians should start talking about the digital world and online privacy much sooner than they used to. We created this activity sheet as a fun way to get the conversation started. This activity sheet is available free of charge; we encourage you to copy and share it. To learn more and find more games go to https://www.priv.gc.ca/en We’ve developed this activity sheet and other materials to help to raise awareness of privacy issues among young Canadians and provide information to help them reduce privacy risks. Visit youthprivacy.ca to find our resources and download copies.
SWGfl published a report 15th June 2022 on the lack of Cyber Security training in schools. Cyber Security: Key Findings Data gathered from the survey has shown many interesting findings around how well schools have implemented cyber security through policy and practice as well as what risks are currently being posed towards their communities. Some of the top trends include: >62% of schools have not received any cyber security training >Out of schools who reported a cyber-attack, 48% were Ransomware attacks >31% of respondents do not have an IT security policy >17% say they have no cyber security concerns >76% of respondents say the internet is key to their job The body content of your post goes here. To edit this text, click on it and delete this default text and start typing your own or paste your own from a different source. You can download the full report here We have attached a downloadable, easy to follow, scripted training guide for school staff from the National Cyber Security Centre please click here to visit their page and download the training. We get that Schools are super super busy but cyber criminals don't care, they see you as an easy target so make the time to train your staff. If you need help please contact us in the usual ways...
The ICO has published guidance on the processing of personal data by video surveillance systems, click here to go to the ICO website The guidance outlines how data protection principles must be complied with when using certain surveillance systems including CCTV, automatic number plate recognition, body worn video, facial recognition technology, and school entry systems. The key points are set out below and provide a useful tool for any school looking to use surveillance technologies. Surveillance systems should only be utilised if they are a necessary and proportionate response to the issue being addressed. Before using any new system, a Data Protection Impact Assessment ("DPIA") must be performed for any type of processing that is likely to result in a high risk to individuals such as processing special category data, large-scale public monitoring, and monitoring individuals in the workplace. As with all data processing, a lawful basis is needed for processing data. The most appropriate ground is likely to be on a public task within the school. In terms of fair and lawful processing, surveillance should only be used in places where individuals have an expectation of privacy or where it is necessary to deal with very serious concerns. People must be informed when they are in an area where a surveillance system is in operation. Signs should be positioned near the places monitored to enable individuals to recognise the circumstances of surveillance before entering the area.
As outsourced DPOs for a number of schools, we have spent a great deal of time advising clients to gain Cyber Essential accreditation. We are well aware that it is not the highest level of IT security accreditation but it does demonstrate an appropriate level of commitment to protect against cyber threats for many organisations in line with GDPR requirements. As of January 2022 the National Cyber Security centre introduced an updated set of requirements for the Cyber Essentials scheme. This update is the biggest overhaul of the scheme’s technical controls since it was launched in 2014 and is in response to the evolving cyber security challenges that organisations now face. This has also meant an increase in the cost rising from £300 to £450 for some schools. We have been asked many times if we feel it is worth undertaking or renewing. Our clear belief is that it is of huge benefit. Not only as it proves that the school is taking IT security seriously (a fact recognised by the ICO) but also because it includes free cyber insurance cover of up to £25,000. The following incident occurred on the last day of term before the Christmas holidays. Without going into too much detail, one of our School Academy Trust clients discovered that they had suffered a brute force cyber attack back in mid November. The Outlook email account of a member of the Senior Leadership Team was hacked that resulted in a change to the “rules” and several thousand emails redirected Not surprisingly there was a degree of panic not only in what data may have been lost but also finding out at 4pm on a Friday before a 3 week close down. The breach was reported to the ICO due to the potentially sensitive information stolen. The Trust first completed the IASME accredited Cyber Essentials process in May 2019 and continued thereafter. They duly followed their guidance in reporting the incident to their insurer immediately. The response was fantastic. Within 2 hours the insurer had arranged for a conference call for 3pm on the Saturday which had not only ourselves, the Trust’s Data Protection lead, the school IT provider but also a leading City law firm and a cyber security expert from KPMG. The cyber specialist was allowed access to the schools network and within 4 hours had discovered how the incident occurred, rectified the problem and provided a report on the incident. At the same time the Law firm had assessed the potential repercussions and made their recommendations. Within 18 hours of the incident being discovered reports had been written and collated and the information sent to the ICO. This week we received a letter from them the ICO stating that they were satisfied that the Trust’s data had been "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)” The case is now closed. For anyone who doubts the value of Cyber Essentials this will hopefully clear any doubts. Firstly, the professionalism of the services provided by all those connected with the insurance claim was first class and put the client’s mind at ease. Secondly the ICO’s acknowledgement by following Cyber Essentials the Trust had taken appropriate measures in its protection of data is good to know. As we stated at the start of the article it is not the silver bullet. However, in this example, the £450 spent on Cyber Essentials scheme has proven to be great value and we will continue to urge all organisations to consider it. Contact us to learn more about Cyber Essentials.
The UK government recently issued updated guidance on record keeping for academies and trusts to assist them with their record keeping obligations. Click here to be taken to the Government site. https://www.gov.uk/government/publications/record-keeping-and-retention-information-for-academies The new guidance covers finance records in addition to pupil, staff, parental and governance records, complimenting much of the existing handbooks and documents. More specifically, the new guidance includes: An introduction to record keeping The minimum to be kept Storage of files Transfer of records Retention of records How to dispose of records Transfers within a local authority For schools that already follow existing schedules such as the Information and Records Management Society Toolkit guidance, then this is not a huge change although cross referencing is advisable.
Core Principles of Data Protection Data must be processed lawfully, fairly and in a transparent manner Data must be collected for specified, explicit and legitimate purposes The data collected must be adequate, relevant and limited to what is needed Data should be accurate, and where necessary, kept up to date Data is kept no longer than necessary for the processing Data must be processed in a manner that ensures appropriate security by technical and organisational measures The Rights of Individuals To be informed To access To rectification The right to object to processing The right to restrict processing The right to erasure or the right to be forgotten The right to data portability Rights in relation to automated decision making and profiling
One of the most common questions we get asked concerns sharing data with law enforcement offices. The UK GDPR does not prevent you sharing personal data with such bodies such as the police (known under data protection law as “competent authorities”) who are discharging their statutory law enforcement functions. The UK GDPR and the DPA 2018 allow for this type of data sharing where it is necessary and proportionate. The police should however be asked to provide “212” form apart from emergency situations. (DPO for Education can provide a sample document on request). This is good practise, not only as it gives to accountability for your actions but it also proves that they have collected data in a way that could make it admissible in court. When might you need to share? Where you want to proactively share personal data; for example, you want to report a crime to the police and provide relevant personal data you hold; Where you receive a request from a law enforcement authority for personal data you hold for a valid law enforcement purpose; for example, the police may request personal data from you to help them investigate a crime; or Where a court order or another legal obligation compels you to share personal data with a law enforcement authority. If you want to share personal data with the police you need a lawful basis under Article 6. If you want to share criminal offence data you need both a lawful basis, and either ‘official authority’ or a separate condition for processing under Article 10. The DPA 2018 sets out specific conditions for this.