Welcome to the final part of our deeper look at the cyber security standards for schools and colleges. In this piece we wrap up the three remaining elements, namely:
- Serious cyber-attacks should be reported
- You must conduct a Data Protection Impact Assessment by statute for personal data you hold as required by GDPR
- Train all staff with access to school IT networks in the basics of cybersecurity
These final elements are almost entirely devoid of technical solutions and rely heavily on policy and processes being in place. Although they are marked for completion "as soon as possible", in truth they are in most cases tied to existing GDPR requirements, so they should already be up and running. The additional layer is that these elements relate primarily to cyber attacks rather than to other forms of data breach.
Reporting Attacks and Attempted Attacks
The first step in meeting this standard is to ensure that whoever manages your IT infrastructure has systems in place that can identify and investigate potential cyber incidents, and that they have an agreed duty to notify the appropriate senior team of any cyber attack, whether or not they believe the attack was successful.
The National Cyber Security Centre (NCSC) defines a cyber incident as a breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990).
This is quite a wide ranging definition but some of the typical activities that would apply are:
- Attempts to gain unauthorised access to a system and/or to data
- The unauthorised use of systems for the processing or storing of data
- Changes to a system's firmware, software or hardware without the system owner's consent
- Malicious disruption and/or denial of service
As noted, the attempt does not have to have been successful for it to be reported internally. Any and all attempts that are found should be recorded, investigated and reported. An unsuccessful attempt may simply be a precursor to further attempts so it is important that senior teams are aware of the risk landscape they are facing.
Data can be compromised in a number of ways, including:
- stealing of data
- copying data
- tampering with the data
- damaging or disrupting the data
- unauthorised access
It is worth noting at this point that these attacks and data compromises can come from either internal or external sources. They could also be deliberate or accidental; however they occur, they should be recorded and reported.
What happens next will depend on the nature and scope of the attack and potential data compromise. What is crucial is that there is a well-understood policy and process to ensure that decisions can be taken in a consistent and proportional manner.
Clearly, where an attack has taken place and personal data has been compromised, there is an existing duty under GDPR to report the breach to the Information Commissioner's Office (ICO) where it is likely to result in a risk to individuals' rights and freedoms, and to do so within 72 hours of becoming aware of it. There should already be a policy and process to record and report via this route.
In addition, cyber incidents should be reported to the Department for Education sector cyber team at sector.incidentreporting@education.gov.uk.
Academy trusts have a specific requirement to report attacks to the ESFA and section 6 of the Academy Trust Handbook has details of this including an absolute requirement to seek ESFA approval before paying any ransom to resolve a ransomware attack.
Where an attack is sufficiently serious that it requires school or college closure, or has serious financial implications, there is also a duty to inform the NCSC and, of course, in these cases there would also be an expectation that the police are notified.
However, even where attempts are not successful there may be an appropriate reporting mechanism. For example, phishing emails, particularly where there is a targeted campaign against the organisation, should be forwarded to the NCSC's Suspicious Email Reporting Service at report@phishing.gov.uk.
Where a cyber incident includes any financial or fraud element it should be reported to Action Fraud.
One of the key purposes behind this requirement is to allow those bodies to whom reports are submitted to maintain a sector-wide view of attacks and guide schools and colleges to help protect them from similar attacks. Over the last few years the sector has become a real target for cybercriminals and information is one of the key assets available to help stave off attacks.
As with disaster recovery and business continuity, to successfully deal with a cyber incident and to ensure that the correct reporting mechanism is in place it is vital that there is a robust and tested plan for incident response and that all those who need to be part of the response, including senior leaders, are well aware of their responsibilities. It can also be useful to extend the reporting of incidents to governors/trustees to increase transparency and maintain focus on the subject of cyber security.
It is worth noting that the base assumption from bodies such as the NCSC is that organisations will at some point be attacked and that in many cases that will lead to a breach. The planning should therefore be balanced between technical mitigations to limit the success of attacks and incident response planning to stop and recover from attacks that are successful.
Data Protection Impact Assessments
I’m not going to spend much time looking at this particular standard as it simply reiterates the existing statutory duties under the General Data Protection Regulation (GDPR) and as such it is something that should already be in place. However, just as a reminder, to meet the standard you must:
- understand the definition of personal data
- assess the risk of compromise, and the degree of damage caused by a security compromise, to work out the resources required to protect the data
- pseudonymise or encrypt any personal data while stored and in transit to a third party
- ensure the confidentiality, integrity and availability of the data and systems processing them
- restore complete and accurate data after an incident in a timely fashion
- design and apply processes for testing and assessing the effectiveness of all measures used to safeguard data and its use
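The pseudonymisation point above is the one place in this standard where a technical choice matters, and it is easy to get wrong: hashing a pupil number with a plain SHA-256 looks random but can be reversed by anyone who can enumerate the (small, structured) identifier space. The example below is added here to illustrate the difference; it is not code from the DfE, the NCSC or this page's author. The pupil numbers, names and field names are constructed placeholders, and the 32-byte key is assumed to be generated once and kept in the school's own secret store, never alongside the export.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (made-up pupil numbers and names, not real data).
SAMPLE_RECORDS = [
    {"upn": "A123456789001", "name": "Pupil One", "attendance_pct": 94.5},
    {"upn": "A123456789002", "name": "Pupil Two", "attendance_pct": 88.0},
    {"upn": "A123456789003", "name": "Pupil Three", "attendance_pct": 99.1},
]

# The identifier space an attacker could plausibly enumerate. Real pupil numbers
# are short and structured, so a list like this is cheap to build.
CANDIDATE_UPNS = [f"A12345678900{i}" for i in range(10)]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks random, but anyone who can list the identifier
    space can rebuild the whole mapping (see reverse_by_enumeration)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key the school keeps and the third party never
    sees. The same key always gives the same pseudonym, so records for one
    pupil still link up across exports."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def reverse_by_enumeration(pseudonym: str, candidates, pseudonym_fn):
    """Dictionary attack: return the candidate identifier that produces the
    pseudonym, or None if no candidate matches."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), pseudonym):
            return candidate
    return None


def pseudonymise_for_third_party(records, key: bytes):
    """Replace the pupil number with a keyed pseudonym and drop the direct
    identifier (the name), keeping only the fields the recipient needs."""
    return [
        {"pupil_ref": keyed_pseudonym(r["upn"], key),
         "attendance_pct": r["attendance_pct"]}
        for r in records
    ]


def demo():
    key = secrets.token_bytes(32)   # generate once; store in the key vault, not in the export
    attacker_guess = b"password1"   # the attacker does not hold the real key
    naive = naive_pseudonym("A123456789002")
    keyed = keyed_pseudonym("A123456789002", key)
    return {
        "naive_recovered": reverse_by_enumeration(naive, CANDIDATE_UPNS, naive_pseudonym),
        "keyed_recovered_without_key": reverse_by_enumeration(
            keyed, CANDIDATE_UPNS, lambda c: keyed_pseudonym(c, attacker_guess)),
        "export": pseudonymise_for_third_party(SAMPLE_RECORDS, key),
    }


if __name__ == "__main__":
    result = demo()
    print("unkeyed hash recovered:", result["naive_recovered"])
    print("keyed hash recovered without key:", result["keyed_recovered_without_key"])
    for row in result["export"]:
        print(row)
```

Two caveats worth stating to whoever owns the process. First, pseudonymised data is still personal data under GDPR while the key exists, so the key must be protected as carefully as the original identifiers and the export is still a disclosure that needs a lawful basis. Second, if the recipient legitimately needs to link records back to pupils, that happens by sending the pseudonym back to the school for lookup, not by sharing the key.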
Staff Training
One of the most critical elements of the standards in improving the overall position in relation to cyber security is to ensure that everyone who accesses the network and resources is trained to understand some of the key concepts.
The standard states that basic cyber security training must be given to all staff who access the network at least once a year. The same training should be part of the induction training for new staff.
This training should include as a minimum information on:
- phishing
- password security
- social engineering
- the dangers of removable storage media
It is also important that everyone understands the reporting mechanisms for suspected breaches and who to contact if they think they have been subject to an attack. This extends to attacks against their personal accounts, as there are many cases where that is the starting point of an attack on the organisation, particularly where passwords are re-used between accounts (something that should itself be covered in the training!).
The NCSC provide free training materials for school staff which can be used either as-is or as a starting point for a wider set of topics.
It is also necessary for at least one governor to complete the same training although I would argue that engaging the wider governing body/board of trustees would be a worthwhile exercise to reinforce the importance of cyber issues to the organisation. Further, the NCSC provide a document on school cyber security questions for governors.
Ironically, one group that sometimes gets missed from training is the IT team themselves. Whether you use an internal, external or hybrid approach to your ICT service delivery, those offering support to users need a good understanding of the cyber threat landscape and of what they need to do to improve security. If you have a specialist security role they will obviously need enhanced training, but everyone in the IT team should be encouraged to see IT security as a key part of their role and be trained accordingly.
Although it doesn’t appear in the standard, I would strongly recommend that once training has bedded in, testing is undertaken to check that the messages have been embedded. One way of doing this is to run a simulated phishing campaign to confirm that users remain alert to this aspect. This isn’t a name-and-shame exercise but one designed to reinforce the messaging. Phishing remains one of the greatest weaknesses for any organisation, so regular reminders to stay vigilant are vital.
Summing Up
The fact that it has taken five articles to cover the DfE standards demonstrates their breadth and depth, and I think that these are broadly extremely positive developments. As previously noted, the standards carry implementation expectations ranging from "should already be in place" to "as soon as possible", and this urgency is not misplaced. The education sector in its broadest sense has been a major target for cybercriminals in recent times and there are already quite a few examples of breaches. Although school and college leaders face many challenges, the threat posed by cyber security weaknesses is among the biggest risk areas.
As noted throughout, the standards present a mixture of technical and policy/process recommendations to improve the overall effectiveness of cyber security controls. A starting point for most organisations would be to review how their current position sits against these standards to highlight any areas for improvement.
If you need any help with moving forward towards these standards please let us know, we have helped a number of organisations assess and move their cyber security preparedness further.