IT Brief UK - Technology news for CIOs & IT decision-makers
Enemy at the school gates: A guide to enhancing cybersecurity in education
Mon, 16th Oct 2023

The digital revolution and the pandemic have transformed the education landscape, making schools increasingly reliant on technology to deliver quality learning experiences.

However, this rapid technological advancement has also made educational establishments vulnerable to cyber threats. In this article, we delve into the current state of affairs within schools, the reasons behind attackers targeting the education sector, and the unique challenges faced by educational establishments.

We will also discuss a real-world pilot that sheds light on the need for stronger cybersecurity measures and propose strategies that schools and IT professionals can adopt to safeguard their data and infrastructure.

The Changing Educational Landscape
In 2013, a significant shift occurred in the UK education system with the introduction of academies. Local authorities relinquished control over schools, giving schools greater autonomy to manage their budgets and operations. This led to the establishment of multi-academy trusts (MATs), enabling schools to collaborate and share best practices. Today, there are approximately 32,000 schools in the UK, with around 24,000 in England, including specialist schools and pupil referral units.

That's a lot of people, a lot of data -- and a lot of exploitable vulnerabilities.

Schools Under Attack
With the adoption of cloud-based solutions from the likes of Microsoft and Google during the pandemic, educational establishments have become prime targets for cyber attackers. According to the National Cyber Security Centre (NCSC), around 97% of schools reported that infrastructure disruptions would cause significant problems. But less than half said they felt adequately prepared to deal with a cyberattack.

The Consequences of Attacks
Cyberattacks on schools have far-reaching consequences. Financial data and coursework can be accessed without authorisation, leading to data breaches. Incidents disrupt coursework and create anxiety among students, potentially impacting their academic performance and future opportunities. Additionally, schools hold sensitive data about children, making data confidentiality as vital as any other aspect of cybersecurity.

The education sector faces unique cybersecurity challenges compared to commercial entities. The large and ever-changing user base, including young students, makes enforcing multi-factor authentication (MFA) challenging. Schools also operate in a shared credential environment -- a successful breach of a single credential could compromise multiple accounts.

Traditionally, the focus in schools has been on data backup and restoration. However, this approach is not enough to address modern cyber threats effectively. Schools must invest in security as a core principle and foster a culture where staff understands the importance of cybersecurity.

The lack of established frameworks for security testing in the education sector is concerning. Schools must have access to standardised models for assessing and selecting security providers based on their capabilities and effectiveness. Establishing governance and regulations around security testing will help schools adopt proven security measures, conduct regular security assessments, and prioritise data confidentiality and integrity.

To better understand the security baseline of schools, a pilot project was conducted at a local academy, applying approaches used in commercial settings. Cyber Essentials, which sets baseline and common controls, is available for schools, but it doesn't always test pathways and attack vectors through the organisation.

The goal of the pilot project was to test specific controls related to device hardening, data access and segregation, and to identify privilege escalation routes that attackers might exploit.

The pilot project revealed gaps in control implementation despite some awareness of the risks. The school had certain controls in place, such as AppLocker, but there were still vulnerabilities that allowed for malware introduction and network access.

The feedback from the pilot project was positive, and the school was open to further improvement to enhance security. The executive team recognised the need for more investment in security, while the technical team focused on validating and justifying security measures. Collaborating with the school's leadership, the project aimed to ensure that potential breaches or unauthorised access could be detected and addressed effectively.

Security-enhancing strategies
There are several strategies that can help enhance cybersecurity in schools, with just a few listed here:

Prioritise staff access and device security: Ensure robust security controls for staff accounts and devices, as many compromises stem from users with privileges on a device.

Understand data location: Identify where sensitive data resides within the network and remove unnecessary data to reduce the sensitivity of potential compromises.

Establish processes and procedures: Develop comprehensive policies for handling cyber threats and security incidents with clear reporting mechanisms.

Implement effective alerting: Enable logging and monitoring capabilities to detect anomalous activities and potential security breaches.

Conduct thorough testing: Validate controls through threat emulation, penetration testing, or red teaming exercises to identify vulnerabilities and weaknesses.

Trust in backups: Confirm the reliability of backups to ensure the successful recovery of data in the event of an attack.

We are well aware the education sector faces significant cybersecurity challenges, necessitating a proactive approach to protect sensitive data and infrastructure. But by establishing governance, implementing security best practices and conducting regular security assessments that include real-world cyber-attack simulations, schools will strengthen their cybersecurity posture and provide a safe learning environment for students and staff alike.

Cybersecurity is not an option; it is an essential aspect of modern education that demands attention, action, and collaboration. Only through collective effort can educational establishments fend off the enemy at the school gates and ensure the continued success of their institutions.