Fact: the rate of ransomware attacks in schools has doubled in the last 24 months. By the end of 2023, 80% of schools will have been attacked, with many paying a ransom to get their data back [Sophos 2023 Report].
These alarming stats are based on interviews during January-March with 3,000 IT/cybersecurity leaders across 14 countries in the Americas, EMEA, and Asia Pacific. The survey sample included 400 education respondents: 200 from primary and secondary schools, and 200 from tertiary.
The Australian experience mirrors these numbers. Michael Emmanuel, ANZ MD of Secure Schools, said: “Last year, on average a school reported a cyber-attack every two hours. There were 1600 successful cyber-attacks … 85% of the time a human being was the final line of defence that made the error. They were the ones that clicked on a link and let the attackers in.”
According to the Australian Cyber Security Centre, the education sector reported the most ransomware incidents of all reporting sectors in 2021-22, rising from fourth in 2020-21.
Founded by former head teacher Gill Foster and education cyber security compliance specialist Paul Alberry, UK-based Secure Schools has 1000 schools in its Pro Support plan, with many others working their way through Audit and Assurance.
Alberry said: “Since the EU General Data Protection Regulation (GDPR) came into force (May 2018), UK schools have had very cyber security specific requirements and a handbook of rules to follow.
“Australia is not far behind the UK in this.
“Our role is to educate stakeholders about the risk and risk level, the legislation and the regulatory landscape and help them to prepare against attacks.
“The principal, or others in authority at the highest level, must be involved to develop a successful cyber security policy and plan.
“A huge part of Secure Schools’ success in working with schools is that we only work in schools. It isn’t a process that is inflicted on schools, though sometimes that can seem the case, especially with stressed teachers with a workload that is higher than the hours available.
“It takes the right combination of professionalism and a friendly ‘we’re all in this together’ approach.”
An initial audit to establish the school’s present level of preparedness and vulnerabilities is the basis for the school’s policy, strategy and a cyber security plan.
With the plan in place, external and internal infrastructure vulnerability assessments identify the school’s cyber security strengths and weaknesses. Using the tools that attackers commonly use to break into a school’s systems, a Secure Schools team scans and analyses the vulnerabilities in internet-facing IT systems and uncovers devices in the school’s network that are susceptible to further exploits.
All-of-staff training on how to defend against cyber-attacks follows, with simulated phishing attacks used to identify staff that need help.
“Many major breaches are inadvertent,” Alberry said. “Phishing techniques are very clever and designed to exploit weaknesses - teachers are very helpful people, it’s in their nature. Coupled with the ongoing transition towards digitally driven education, this makes teachers an attractive target for criminals.
“Cybercrime has evolved into ‘crime-as-service’ and the forecast losses in 2023 are huge (Sophos 2023 Threat Report). Being well-prepared, and always on your guard, will go a long way towards protecting your school and your families’ data.”