Schools must be super-vigilant in cyber risk management
By Emma Westwood
Writer | Editor | Content & Digital Strategist
We asked our partners at CTRL Group to talk through some of the unique challenges schools face when it comes to cyber security. This is what they had to say...
In the face of constantly increasing cyber threats and the Internet providing a springboard for both cyber-criminals and predators, Australian schools and students are in a position of vulnerability.
The education sector continues to be one of the prime targets for cyber attacks. Increased dependence on technology for schools and K-12 students alike requires that best-of-breed cyber security services and technology countermeasures are employed.
Technology has evolved more quickly than we are securing it. The best approaches for management of cyber risk begin with building a cyber risk management strategy. This includes all the elements of cyber risk that can impact schools and their students, and steps that have been, or will be, taken to reduce the risk to a set of manageable operational functions.
Enterprises and government agencies that work with sensitive data have clearly defined cyber risk management strategies. These include – among others – data classification, risk remediation and mitigation guidelines, as well as business continuity, crisis management and incident response plans. Mature organisations regularly test their plans and feed the results back into their strategy.
Due to the rapid evolution of education technology over the last 20 years, the education industry has been playing catch-up with enterprise and government in building and implementing its cyber risk management strategy. Implementing all of the above may seem impossible; however, many of the component parts will already exist. The key is to tie the various components together and ensure all stakeholders are aware of the strategy and their role in supporting it.
Many of the key areas of risk and measures that should be taken and enhanced fall into these categories:
Schools store and transmit a large amount of personally identifiable and sensitive information about staff and students.
The most concerning area of data management risk for schools is the potential for data breach leading to information being used to target students and staff. It goes without saying that these incidents also lead to brand and reputation damage to the institutions, the risk of fines and penalties from the government, and the potential for legal action against the school by those impacted.
As with all industries that deal with sensitive information, effective information handling techniques should be employed to reduce the risk of data being compromised. Good data risk management begins with classifying the data, understanding how it is stored and transmitted, and who has access to it.
Most organisations that work with sensitive information classify data into four main categories:
1. Secret
2. Confidential
3. Business use only
4. Public
Classifying the data in this way allows for system administrators to define data management procedures according to the risk associated and secure access to data as appropriate. For example, any information that relates to student health and behaviour should carry the highest classification (i.e. Secret), and any information that is available on the website can be considered Public.
It is up to the school to determine how their data should be classified. For schools, due to their requirement to be highly trusted, any data breach can lead to damage to the school’s brand and reputation.
Once the data is classified, the best practice is to then define who controls access to the data, how it is accessed and those responsible for creating and maintaining the data records.
Data security techniques such as encryption, strong password policies and multi-factor authentication should be deployed based on the classification. If it is not already, access to sensitive data should be monitored and logged. This allows for effective remediation of issues and provides the data required for incident investigation.
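The following is an added illustration (not code from CTRL Group or the original article) of how the four-tier classification above can drive access decisions: each tier maps to a set of controls a session must satisfy, access to Confidential and Secret records is logged for investigation, and the student-health and public-website examples from the text are used as constructed sample records. The tier-to-control mapping and the role/control names are assumptions for illustration, not a standard.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """The four tiers from the article, ordered by sensitivity."""
    PUBLIC = 0
    BUSINESS_USE_ONLY = 1
    CONFIDENTIAL = 2
    SECRET = 3


# Assumed mapping: controls a session must satisfy before each tier can be read.
REQUIRED_CONTROLS = {
    Classification.PUBLIC: frozenset(),
    Classification.BUSINESS_USE_ONLY: frozenset({"authenticated"}),
    Classification.CONFIDENTIAL: frozenset({"authenticated", "mfa"}),
    Classification.SECRET: frozenset({"authenticated", "mfa", "encrypted_session"}),
}


@dataclass(frozen=True)
class Record:
    name: str
    classification: Classification
    allowed_roles: frozenset  # roles that control and use this data


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    controls: frozenset  # controls the requesting session actually satisfies


def authorise(record: Record, req: AccessRequest, audit: list) -> bool:
    """Grant only when the role matches and every required control is met."""
    missing = REQUIRED_CONTROLS[record.classification] - req.controls
    role_ok = (record.classification == Classification.PUBLIC
               or bool(record.allowed_roles & req.roles))
    granted = not missing and role_ok
    if record.classification >= Classification.CONFIDENTIAL:
        # Log every sensitive-data access attempt, granted or not, for investigation.
        audit.append({"user": req.user, "record": record.name,
                      "granted": granted, "missing": sorted(missing)})
    return granted


# Constructed sample records mirroring the article's examples.
HEALTH = Record("student_health_notes", Classification.SECRET, frozenset({"school_nurse"}))
TIMETABLE = Record("term_timetable", Classification.PUBLIC, frozenset())
FULL = frozenset({"authenticated", "mfa", "encrypted_session"})
```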
Student Use of Technology
Use of the Internet brings inherent risks to all users.
K-12 students are well-versed in the use of technology for both social and school applications. Unfortunately, the wealth of information available on the Internet and the benefits of real-time social interaction bring threats, including cyber bullying and exposure to negative and potentially malicious content.
Many schools employ Internet usage monitoring and filtering solutions for student devices, and this serves to reduce a large amount of unwanted content. There are questions of how much monitoring is too much and what this means for student privacy.
Every school must assess their understanding of 'duty of care' and implement solutions that follow their risk management strategy. This strategy, and what it means for the users of school (or school-managed) devices, must be clearly articulated to staff, students and the parents/guardians.
Acceptable usage policies (or their equivalent) are a proven tool to raise awareness of the rights and wrongs of Internet usage and to provide clear agreement to the organisation’s cyber risk strategy. This is very important in determining responsibilities and courses of action when an incident occurs.
Classroom management and eLearning systems are commonplace; many of them are cloud-based. These systems can cause major issues if they are misused or compromised by malicious actors.
The cyber risk management strategy should address each system that contains information about staff and students. These systems must be secured using industry best practices. Third-party service provider contracts should be reviewed, with the provider’s security posture and incident handling framework scrutinised and their alignment with the school’s risk management strategy confirmed.
Regular penetration testing of these systems (at the very least, annual testing) is recommended to ensure vulnerabilities are assessed frequently and addressed.
Incident Handling and Communications
While schools will have crisis management plans in place and have run emergency drills to test them, this level of incident preparedness is often not undertaken for cyber incidents.
The cyber risk management strategy should have the risk scenarios itemised in a cyber risk register, with impact and remediation measures defined. An incident response plan will outline steps that should be taken when these scenarios transpire.
It is important to keep in mind that incidents will happen. Building and maintaining a thorough cyber risk management strategy, then articulating and testing it, are the primary methods to minimise the impact of cyber incidents to students and the school.