Cyber threats are more common than people think. In New Zealand, cybersecurity attacks are increasing, with ransomware incidents tripling from 32 during the second quarter to 151 in the third.
Network for Learning (N4L), a crown-owned network connectivity provider for more than 2,450 schools across the country, reported a 17 per cent increase in cybersecurity threats in the second half of the year compared to the first half of 2020. In a day, N4L blocks 2.3 million threats a day, around 1,592 per minute.
Last year, several companies worldwide fell victim to the Kaseya VSA ransomware attack. Approximately 40,000 organisations, including several schools and kindergartens in New Zealand, use the California-founded company Kaseya's software for IT management. Hackers used software updates from Kaseya to instal malware into third-party systems.
Only two of the eleven schools identified running the software had been impacted. St Peter's School in Cambridge was one of them. Their IT team quickly shut down their system after staff reported unusual activity in the school network. Fortunately, St Peter's network was fully operational within 72 hours.
Although most education institutions won't fall for obvious scams like emails from the Nigerian prince, threat actors are targeting organisations with more sophisticated scams.
CERT NZ reported 1,431 incidents during the first quarter of 2021, with phishing and credential harvesting as the most common scams.
Securing data is very important for many schools. Imagine a student or teacher accidentally sharing confidential information by simply opening an email or clicking on a corrupted link, leading to a problematic data breach.
According to an annual IBM 2021 report, a typical data breach can cost up to $6.9 million (NZD) per incident, which is 10% higher than the previous year.
Due to the pandemic, many schools and organisations are finding it harder to contain security incidents due to the lack of resources. Therefore, preventing a data breach is easier and more cost-effective than recovering from one.
Here are some cybersecurity best practices for school.
Familiarise staff and students with cybersecurity risks
Usually, people avoid giving strangers personal information like birthdays, email addresses, and bank accounts. School data should be treated with the same caution.
Here are some actions schools can do to reduce the risks of cyber security breaches:
- Familiarise staff with common scams and regularly update them on new security risks.
- Make sure your staff knows what information they can share internally and externally, and with whom.
- Make teachers and students cautious of links and attachments from senders they do not recognise.
- Get teachers and students to notify IT of any suspicious activity.
Create a cybersecurity protocol for your school which breaks down the objectives and strategies in case of a data breach. This will also help protect staff and students and set rules on what they should do to prevent or reduce further risks of data breaches.
At the same time, you can encourage staff and students to update their passwords regularly. One way is to automatically set password reminders to prevent their accounts and school data from being compromised.
According to CERT NZ, creating a passphrase consisting of four or more words can make a secure password. Advise staff not to use personal information like a pet's name or birthdays, and instead use a verse from a song. Encourage teachers to create different passwords for work and personal accounts.
Consider subscribing to a password management application, like LastPass or NordPass, to keep staff credentials secure. It can make it easier for teachers to manage passwords by giving them access to store multiple login credentials. At the same time, applications like these can automatically generate complex passwords, eliminating the frustration of thinking of a strong password.
Ensure devices and network is secure
Threat actors keep up with technology and find different methods to infiltrate organisations. With everything so accessible online, schools need to ensure they have the best security tools to prevent educators' and students' devices from being compromised.
Consider regularly updating your school's devices, ensuring that it's on the latest version for optimal protection. Cybercriminals usually target outdated routers, making accessing people's devices easier.
At the same time, consider investing in a quality firewall and anti-virus system to protect devices from unwanted users trying to access them. Some anti-virus programs now come with AI features which learn from historical incidents allowing the software to predict and respond to threats.
Another way to add an extra layer of security is by implementing two-factor authentication on teachers' accounts. A two-factor authentication (2FA) requires users to input a generated code on top of their username and password.
Similarly, schools should also consider using Virtual Private Networks (VPNs). A VPN encrypts the internet connection between the device and the school's server, preventing unwanted people from prying through confidential data or implanting infected software on the device.
Backing up essential school data
With the surge of cyber and ransomware attacks during the pandemic, many education institutions are more susceptible to data loss.
Data loss can occur from various issues, like software corruption, local disasters, human error, theft, or ransomware attack.
Regardless of the cause, schools hit by data breaches face disruption, loss of parents' and students' trust, and reputational damage. Recovering from cyberattacks includes additional costs, which could take months or even years to restore fully.
Here are common ways to back up important school data:
- Removable media like USB sticks
- External hard drives
- Network Attached Storage
- Backup services
- Cloud storage
Cloud storage is becoming a popular solution for many organisations in New Zealand due to its flexibility and mobility. With the cloud, teachers can easily access files, which can be helpful when teaching remotely. It is a cost-effective solution, especially when maintaining local storage backups can get expensive.
To scale up local hard drives, schools need to invest in software applications, hardware, and a technician to install it, which eventually adds up.
Although the market trend is shifting toward cloud computing, with providers designing flexible and attractive packages for many organisations, local backups still benefit many schools. Schools can consider storing data using the cloud, making this accessible for teachers and students while keeping limited-access files secure on local backup servers.
3-2-1 Backup strategy
Using the 3-2-1 backup strategy is a helpful data protection guideline schools should follow. In a nutshell, the rule is to create three copies of your data on at least two different types of media, one of which is stored offline. This strategy reduces the impact of a single-point failure, like a corrupted hard drive or a stolen device.