According to recent data published by SchoolsWeek, schools across the UK have seen a 43% increase in the number of reported data security incidents since the GDPR came into effect.
According to the ICO, there were 511 reported incidents during the second quarter of 2018, which implies that schools are failing to keep up to speed with the latest cyber-security trends. However, it should be noted that this doesn’t necessarily imply that there has been a significant increase in the total number of security incidents, more that schools have started to report them to the Information Commissioner’s Office (ICO).
Security incidents typically involve the loss or theft of paperwork, or the accidental and unauthorised disclosure of sensitive data via email or some other communication channel. Additionally, between July and September this year, there were 44 reported incidents involving ransomware, phishing or some other form of social engineering attack. This is compared to 26 incidents during the same period last year – a 69% increase. Some incidents were the result of targeted phishing attacks designed to convince unsuspecting members of staff to pay a fake invoice. Additionally, there were a number of reported incidents where fraudsters were able to hack into phone lines and make premium rate calls, with some schools losing as much as £145,124.
How Can Schools Improve Their Cyber-Security Posture?
The education sector is faced with the same problem as the healthcare sector, in that, they do not have a sufficient number of employees who are trained in cyber-security. As with healthcare, it is likely that some schools have no trained staff whatsoever.
In response to this, the Government has published guidelines for schools to follow to help them improve their security posture. Naturally, educating employees about security best practices, especially in relation to ransomware and other forms of social engineering, is the most important first step. Schools are also advised to implement and/or configure technologies, such as firewalls and Intrusion Detection & Prevention Systems (IDPS), to detect and prevent unauthorised access to their network.
Additionally, schools are advised to tighten up their access controls, in order to prevent unauthorised access to their critical data. Under the GDPR, schools are required to enhance their privacy policies and provide clear notification about how they intend to use the data collected from their students, as well as appoint a Data Protection Officer (DPO).
As cyber-attacks become more targeted and sophisticated, perimeter-based technologies and anti-virus solutions are not as effective as they used to be, as hackers can easily find ways around them. As such, educating employees and monitoring access to sensitive data will deliver the best results. Since educating employees will take time, schools should look towards implementing a GDPR solution, which will help them meet GDPR compliance – at least on the data protection side of things.
Such solutions can monitor access privileges, detect suspicious file, folder and mailbox activity, detect and manage inactive user accounts, and automate the process of reminding users to reset their passwords. Most real-time auditing solutions provide a feature known as “threshold alerting”, which can detect and respond to events that match a pre-defined threshold condition, for example a given number of events of one type from one account within a short time window.
This can be used to help prevent the spread of ransomware, and to respond to anomalous failed login attempts. Naturally, in order to protect our sensitive data, we need to know exactly where it resides. Fortunately, most real-time auditing solutions provide built-in tools which can automatically discover, classify and encrypt a wide range of data types.
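The threshold-alerting behaviour described above, as an added example that is not part of the original article or of any particular auditing product: a small sliding-window detector run over constructed audit-log lines, firing once per account when failed logins or file renames reach a limit inside a window. The log format, event names and threshold values are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail (not real school data): timestamp, user, event, target.
SAMPLE_LOG = """\
2018-09-10T08:00:01 jsmith LOGIN_FAILED ws-12
2018-09-10T08:00:03 jsmith LOGIN_FAILED ws-12
2018-09-10T08:00:05 jsmith LOGIN_FAILED ws-12
2018-09-10T08:00:06 jsmith LOGIN_FAILED ws-12
2018-09-10T08:00:09 jsmith LOGIN_FAILED ws-12
2018-09-10T08:02:00 mjones LOGIN_FAILED ws-07
2018-09-10T08:05:00 mjones FILE_RENAME pupils/report1.docx.locked
2018-09-10T08:05:01 mjones FILE_RENAME pupils/report2.docx.locked
2018-09-10T08:05:01 mjones FILE_RENAME pupils/report3.docx.locked
2018-09-10T08:05:02 mjones FILE_RENAME pupils/report4.docx.locked
"""

# Hypothetical threshold conditions: event -> (count that triggers an alert, sliding window).
THRESHOLDS = {
    "LOGIN_FAILED": (5, timedelta(minutes=1)),   # repeated failed logins on one account
    "FILE_RENAME": (3, timedelta(seconds=30)),   # ransomware-style burst of renames
}

def parse_line(line):
    """Split one assumed-format log line into (timestamp, user, event, target)."""
    ts, user, event, target = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, event, target

def threshold_alerts(log_text, thresholds=THRESHOLDS):
    """Return one alert per (user, event) burst that reaches its threshold inside the window."""
    recent = defaultdict(deque)  # (user, event) -> timestamps still inside the window
    alerts = []
    for raw in log_text.splitlines():
        ts, user, event, target = parse_line(raw)
        if event not in thresholds:
            continue
        limit, window = thresholds[event]
        q = recent[(user, event)]
        q.append(ts)
        while q and ts - q[0] > window:  # age out events that left the window
            q.popleft()
        if len(q) >= limit:
            alerts.append({"user": user, "event": event, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
            q.clear()  # reset so the next alert needs a fresh burst, not one extra event
    return alerts
```

A single failed login (mjones above) stays below the limit and produces nothing, which is the point of a threshold rather than per-event alerting.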