13 February 2023
Cyber is Everybody's Business
Welcome to Everybody’s Business, our new Cyber Security blog series.
It's easy to see the word 'Cyber' and think that's the IT Department's job (or whoever is in charge of keeping your digital lights on) and that's quite a reasonable assumption until you get to know more about it. The unavoidable fact though, is that these days it's Everybody's Business.
In this Blog series we're going to cover the basics of Cyber Security, some of the most common threats, and why it's becoming more and more important that everyone understands how they can help protect themselves and their School community. We'll also look at how Teachers can manage their online footprint, and at some of the most up-to-date free resources for Schools to help keep information, communities, and people safer in the digital world.
CYBER SECURITY BASICS
Schools have become a really attractive target for Cyber criminals over the past couple of years. So much so that in March last year the National Cyber Security Centre (part of GCHQ) updated their Guidance. You can read about it here: https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector
(It's a good idea to share it around too)
A lot of the jargon surrounding Cyber Security can be very confusing and doesn't help matters much when you're trying to understand the topic. It's always been trendy to give quite simple things complicated or obscure labels but once you get past all of that it's really fairly easy to understand.
Threat Actors (see, I told you about the jargon and we've started already!) are groups or individuals who may want to launch Cyber attacks against a particular person or organisation. They fall into some fairly well defined categories but the most relevant for Schools are:
- Script Kiddies - unsophisticated attackers who generally use other people's code to launch attacks designed to vandalise sites and networks and generally cause trouble. Mostly in it for the Kudos and bragging rights.
- Hacktivists - more sophisticated attackers driven by ideology and a desire to disrupt for good or bad.
- Criminals/Organised Crime - prolific attackers who are in it for the money. They know data is a valuable commodity and will use it to commit fraud etc. and will frequently sell/trade it with other criminal organisations.
- Insider Threats - Sometimes people can get upset or angry and decide to seek revenge. Maybe they've been in trouble or aren't happy with the way things are run. More often though, Insider Threats come from people making mistakes. They aren't malicious but can inadvertently cause quite a lot of harm.
Most attacks start by criminals finding a way to infect a network with malicious software, called Malware (more jargon!). There are millions of strains of malicious code floating around the internet and criminals are constantly updating them to bypass Security firewalls etc. They also trade code among themselves and often provide it as a service to those who don't know how to write it on their own. There's an excellent book by SOPHOS Labs called the Threatsaurus which explains how all of the most popular Malware works and it's free to download: https://331.cybersec.fun/Threatsaurus.pdf
(There are some great pictures that I've used for lessons and quizzes in there too...)
COMMON THREATS TO SCHOOLS
Malware can be hidden in almost every kind of message: pictures, emails, website links, text messages, adverts, videos, music files... the list is endless, which makes it all the more difficult to spot. But it's what the criminals put inside that counts. Ransomware, for example, is one of the most common attacks against Schools but it's constantly being used globally across almost every kind of organisation from big companies to charities and even governments. The NCSC definition is:
"...a type of malware that prevents you from accessing your systems or the data held on them. Typically, the data is encrypted, but it may also be deleted or stolen, or the computer itself may be made inaccessible."
If you think about a Ransomware attack like a bank robbery, the malware is the car but the code inside it is the robbers who steal all of the money.
Ransomware works because the code inside the Malware will make it impossible for anyone on your network to access any data. In Schools this can be things like coursework, grades, COVID testing data, financial records (including HR and payroll information), timetables and anything else you use to do your work and run your School. There have even been cases where Ransomware attacks have shut down networks and nobody could pay for their lunch. The criminals will then ask for money to give you your data back. It's not all that sophisticated when you break it down but it works.
Unfortunately though, it doesn't stop there. Lately criminals have seen opportunities to make even more money and will often steal the data to use or sell during and after the initial attack. It's also not uncommon for criminals to threaten to publish the data to prove they have it and shame their victims into paying up. Stolen data can often re-appear months, or even years later.
Data theft is a particular vulnerability for Schools. Once they have your data and are demanding their ransom, criminals will keep a copy. Things like Passport numbers, dates of birth, bank details, addresses etc. allow fraudsters to build fake identities and open new bank accounts, apply for mortgages and credit cards etc. They can use Teachers', staff and parents' data to do this but most people will eventually notice and report identity theft. So their favourite is young learners' information. They can do exactly the same and be safe in the knowledge that the individual victims probably won't notice for a few years until they are old enough to try and apply for all of those things legitimately themselves.
These are just a couple of the most common threats to Schools from Cyber criminals right now but it's not all doom and gloom. There's an awful lot of free training and guidance available to help your School community build a culture of good Cyber hygiene but the very first step is to get everybody on board. It really is Everybody's Business to do their part.
It's a good idea to understand your network and who else is using it. That's the best way to assess where your security is strong and, more importantly, where it might be weakest. It's easy to forget, when you use the same functions every day, like email and Google etc., that the network is much wider than that. Things like HR, orders and deliveries, payment systems and information, lesson plans, home addresses and emergency contacts, other staff and suppliers, Governors/Inspectors, records and grades, safeguarding information etc. (it's a very long list) are all on there and accessed at different times by different people.
The best place to start is with 'Cyber Security for Schools' from the National Cyber Security Centre: https://www.ncsc.gov.uk/section/education-skills/cyber-security-schools
They have free resources for almost everyone in your professional School community including:
- Governing Boards and Senior Leaders
- School Staff
- School IT - Admin teams, procurement and suppliers
- How to report a Cyber Incident at your School
They also have guidance on how to use Video Conferencing platforms securely.
MANAGING YOUR ONLINE FOOTPRINT
Most private sector professionals have an easy time of it when it comes to managing our online presence and footprint. We use LinkedIn for the work stuff and Social Media for everything else. A simplistic view but it works for me. It's often said that LinkedIn is just Facebook for grownups but actually it's fairly well community-policed and more personal/frivolous images and content are discouraged. Unfortunately the same isn't true for public sector professionals, especially Teachers, where platforms like Facebook and WhatsApp are essential to communicate with the various groups of colleagues, students and parents etc. involved in day-to-day School business.
It's fairly essential to operate more than one account if you want to keep your professional and private lives separate. It's a safe bet that most of your students will be doing the same and it's also vital for your own Security to do so.
Social Media content is the first port of call for certain Cyber criminal groups as they can use your information to put together very believable messages from friends, family or other people in your network to dupe you into clicking links, downloading Malware, sending money or just giving even more of your private data to them to use or sell. This is very basic Social Engineering but can be highly effective as victims think they are interacting with their private network and are consequently more trusting. Separating your work profile from your personal profile can offer some protections.
Private online posts, geo-tags, images and other content can be reputationally damaging and in extreme cases have been used for bullying, blackmail and career-ending situations.
The UK Safer Internet Centre have some excellent Professional Reputation advice and strategies for Teachers: https://saferinternet.org.uk/guide-and-resource/teachers-and-school-staff/professional-reputation
(They also have a lot of free online safety content)
If you want to take things a stage further the National Cyber Security Centre have some useful guidance on the use of personal devices in the workplace (called Bring Your Own Device - BYOD - more jargon!): https://www.ncsc.gov.uk/collection/device-security-guidance/bring-your-own-device
UPPING YOUR GAME
On April 26th 2022 the National Cyber Security Centre opened up access to two more free Cyber Security services to Schools as part of their 'Active Cyber Defence Programme': https://www.ncsc.gov.uk/section/active-cyber-defence/introduction
They're called 'Web Check' and 'Mail Check', and have been free for further education colleges and universities for a while:
"The Web Check service scans websites to check for common, significant vulnerabilities and sends a report to organisations flagging any issues according to severity alongside advice on how to fix the problems.
And Mail Check is designed to help technical teams assess and improve two areas of email security: anti-spoofing controls to prevent attackers sending emails pretending to be from your organisation, and email privacy measures to prevent data being altered or read in transit."
Schools Minister Robin Walker said:
“Schools have embraced technology to support the invaluable face-to-face learning provided by teachers, but this has reinforced the need to ensure that their online systems are secure.
“The Web Check and Mail Check tools that are being offered will help protect schools from the threat of cyber-attacks, which have the potential to have a significant impact on school networks, and as a result, pupils’ learning.”
You can read the full press release here: https://www.ncsc.gov.uk/news/schools-offered-free-cyber-defence-tools-to-help-keep-out-attackers
They have university sign-up rates of 75% to 80% so it makes perfect sense to let Schools install them too!
However you decide to secure your School community it's vital to remember that everybody needs to know what you're doing and why you're doing it. Security can really get on people's nerves. It's always one more thing in the way of them getting their work done, chatting to their friends, playing their favourite games, doing their shopping or any of the other long list of things digital citizens use the internet for. The trick is to explain why that one more thing is protecting their access or their information in a way that they will understand and take seriously.
If you decide to use any of the resources we talk about in this series maybe you can find someone who knows a bit more about it from your School community and ask them to present at a Staff meeting or put on an assembly.
Or you could ask a STEM Ambassador to come and do it for you: https://www.stem.org.uk/stem-ambassadors
Cyber Security really is Everybody's Business. Look out for our Blogs and other content on the CAS Network. We need your help. It might be Everybody's Business but not everybody knows it yet!!!
Brian Higgins is a Security specialist, media commentator, presenter, writer, and researcher. He has multi-sector Cyber Security experience including law enforcement, corporate, not-for-profit and charities in his professional portfolio along with considerable engagement with Schools over the past decade.