Managing Cyber Risk in Schools and Educational Institutions

With analyst group Gartner valuing the annual global spending on educational technology at over £17 billion ($21 billion USD) in 2015, there's no doubt that technology implementation is shaping the future of education systems. The appropriate integration of technology guides students, teachers, and administrators towards clarity and extensibility. As today's educational institutions place greater reliance on technology for management and day-to-day operations, they face a multi-faceted threat model: rapidly evolving outsider attacks compounded with the shadowy presence of potentially malicious insiders.

The challenges of cyber risk

A present-day example: in the wake of "numerous" attempts by criminals to deploy targeted ransomware through social engineering, the UK's national fraud and cyber crime reporting centre Action Fraud issued a public alert in January. The threat actors rely on cold calling as the initial attack vector; they claimed to represent the Department for Education before requesting the head teacher's email address — on the pretext of transferring information regarding examination guidance, mental health assessments, or another sensitively classified topic. Risk perception is crucial There is a clear need for schools to protect students and teachers from inappropriate and illicit material in the Bring Your Own Device (BYOD) age. Safeguarding is a crucial "cyber risk" challenge, which is why "strengthened measures to protect children from harm online" were implemented in the UK several years ago. The Cyber Threat Landscape encompasses the tools, techniques, and targeting methods employed by today's cybercriminals. However, when reviewing this landscape from a holistic standpoint, school leaders and IT administrators must not forget the acceptable and responsible use of network facilities inside their educational institution. The acceptable use policy (AUP) formally outlines how an institution expects students, teachers, support staff, and stakeholders to conduct themselves when using information systems. An alternative term that has surfaced in recent years is the "responsible user policy" — incorporating positive objectives for integrating technology with day-to-day school life. A typical school AUP covers the following points:

• Vandalism and misuse of physical equipment
• Use of removable storage devices
• Use of print and copy facilities
• Use of school email facilities
• Content filtering and monitoring
• Access to school-specific platforms (e.g. VLE)
• Password usage and strength guidelines
• Best practices for safe computing
• Accordance with state and/or national laws

All network users should receive regular training on the cyber risks they face as part of their role, with additional guidance for staff in a privileged role. Security awareness training helps staff gain a better understanding of cyber risks and has a significant effect on minimizing your institution's exposure to emergent threats. Consequently, this means that schools must consider the cause, impact, and mitigating factors of cyber risk across the board — safe computing is everyone's priority. Consider the Principle of Least Privilege On the topic of user access levels is the Principle of Least Privilege (occasionally referred to as Least Authority). As the name suggests, this core tenet of information security management recommends that accounts have the least amount of privilege required to perform their job functions. Least privilege principles should be considered across the institution's entire inventory of systems. Staff and students alike should only have limited access to the school's network facilities based on officially stated requirements. Administrators must conduct a regular review of users' access and take the appropriate actions in response to common scenarios, such as termination. Where possible, privileges should be assigned using a role-based access model. Focusing on user groups rather than specific users, the role-based approach is far more manageable for administrators and prevents the accrual of extra rights in the long term — a phenomenon known as "privilege creep." Don't forget data security Data security is concerned with keeping your information safe from damage. In terms of cyber risk, there are seven key ways in which data security may be compromised:

• Exfiltration through social engineering attacks
• Loss or theft by ransomware and malware infections
• Corruption by defective disks and storage media
• Theft by unauthorised access to computing devices
• Destruction by natural disasters or external forces
• Intentional destruction or alteration by users
• Accidental destruction or alteration by users

To mitigate data security risks, we can look to the information assurance concept of Defence in Depth — which OWASP defines as "layered security mechanisms" used to increase security of the system as a whole.

"If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system."

Administrators should implement and maintain a multi-layered set of defences to protect from data destruction, corruption, and exfiltration. Hardware and software solutions may focus on malware protection, VPN provisioning, data loss prevention (DLP), and institution-wide backup routines.

Conclusion

There are clear parallels between managing cyber risk in schools with the corporate world, which is why a business approach is just as vital. Educators are driving transformational change through technology — but we must not overlook the risks that emerge when information security is concerned.  

Image

About the Author: Yasin Soliman lives and breathes information security. In addition to working as an independent research analyst, Yasin writes for the award-winning site Graham Cluley Security News. You can find him on Twitter at @SecurityYasin. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.