Schools and universities like all other businesses and organisations have a high demand for IT and not least Internet access. Online services are key to many schools’ administrative systems and operative processes, and a significant part of the learning and teaching environment: a ‘mission critical’ element of the education system.
The use of broadband in schools has also introduced another factor that impacts on all businesses and organisations: cyber threats. With security threats evolving at a rapid rate, the challenge of securing school networks is significant. Not only is providing an adequate broadband service a challenge for many schools, in a sector that has historically had problems providing the standard of connectivity required to meet demand, once that provision is in place it needs to be protected.
Insider Threats In Schools
A study of global corporate executives by the Cert Division at Carnegie Mellon University put ‘insider threats’ at the top of their list of cyber security risks for businesses. In this instance ‘malicious insiders’ were the main cause for concern and, as with any organisation, schools’ are not immune to attacks from disgruntled employees or other insiders. However there is another key issue for school leadership teams that is unique to the education sector: students!
We all know how students are often more digitally aware than many teachers and other school employees. This can lead to the introduction of new technologies or digital platforms into the school environment without the knowledge of staff. This insider threat to schools from students (and staff) is generally not malicious; instead it’s an issue of negligence in some cases, or lack of awareness in others.
While teenagers may be digitally savvy, they’re not always so security conscious. The consequences of exposing the school network to a data breach or cyber attack may not be properly understood. Furthermore, as they are not legally culpable for any actions that might result in a breach, there is less of an incentive to take responsibility.
Of course adults are also potential insider threats; a teacher may bring a corrupted USB stick into school with their learning resources, or school admin staff may open and respond to a phishing email without understanding what it is. This is why schools must keep on top of their security policies and enforce them across the whole school community.
Schools’ Cyber Security Best Practice Advice
As well as the risk to a school’s network from malware, viruses, intrusions and outsider attack, schools’ also need to protect students from inappropriate material and inappropriate contact. Therefore there is also a safeguarding issue that sits alongside other cyber security considerations. With the increased use of Bring Your Own Devices (BYOD) in many schools, e-safety and network and data security become more closely linked, as schools’ need to protect both students and themselves from their own devices.
UKN Group provide network management services to secondary schools such as Little Heath in Berkshire, and as the school’s trusted IT partner, we have advised and implemented measures to address these key issues. The following points form the backbone of a resilient school IT security strategy:
- Awareness Of The Threat Landscape
Lack of awareness about the kinds of attack a school network may be subjected to, what they look like, and where they come from is a major problem for the school as a whole. All parties - IT departments, network managers, school leadership teams, teachers, school employees and students - need to be aware of the threat landscape with relevance to their internet and network usage. Regular training should be part of the schools’ IT acceptable use policy (AUP), raising awareness of the consequences of cyber attack to the school and individuals personally – which might include disciplinary actions.
- Network Protection
It goes without saying that school networks need robust defences in place to protect from threats such as malware or distributed denial of service (DDoS) attacks. Antivirus, web filtering, firewall and perimeter security, device encryption, mobile data management, penetration testing and virtualisation security, should all be updated regularly and reviewed to keep pace with new threats and new technologies.
- Managing User Privileges
An effective way of limiting the potential damage an insider threat poses – whether malicious or accidental – is to rigorously manage who has access to the network, and what they can and can’t do. Staff and students alike should only have limited access to the school’s network based on their requirements, reducing the opportunity for malicious or accidental misuse of the network. Managing user accounts should also include regularly reviewing what access individuals require, blocking access to some systems if individuals no longer need them, and deleting users when they leave the school.
- Monitoring The Network
UKN Groups’ Network Management Services at Little Health school monitors the network to ensure that it meets the demands of users, maximising resource availability and performance, but also monitoring user activity and security threats. An important deterrent and motivator to ensure staff and student comply with a school’s AUP is to inform them that their activity is being monitored, and that reports and event logs are maintained so that in the event of an incident user activity can be reviewed to identify any misdemeanours or user errors.
- Remote Access, Removable And Mobile Devices
With students and staff needing to access the school’s network from home, BYODs becoming an important element of providing IT provision in schools, and individuals bringing removable devices such as USB sticks into schools, security policies must address the risks these pose. We recommend that school-owed devices should be encrypted to prevent unauthorised access, and that passwords are strong and unique to users. Staff and students need to be educated specifically about the security risks remote and mobile working present, including the risk of theft of devices and data, the introduction of malware into the school IT environment, and the potential for hackers to access the school network from unprotected devices.
The cyber security issues schools’ face are not dissimilar to that of any other organisation, which is why a business approach to cyber security policies is just as important in the education sector. It’s also an ideal opportunity to educate students about cyber security issues, installing best practices that they can use throughout their working lives.
For more information about how UKN Group support IT in the education sector, please contact me on +44(0) 845 643 6060 or email Chris.Telfer@ukngroup.com