2020 was far from an easy year for the education sector, with the strains of COVID-19, the forced move to remote learning and the constantly shifting goals of exams, assessments and certifications looming over the industry. IT improvements and IT budgets were diverted from infrastructure and enhancements to purchasing laptops and enabling learning over video. These changes have had a dramatic impact on all educational organisations. Unfortunately, we are starting to see the repercussions, with several educational organisations being hit by cyber-attacks.
This week we have seen the latest attack, on the University of Northampton; unfortunately, it is just another in a long line of victims over the last few years.
As many of you who have read my articles are aware, I have a long history in the education sector, working across schools, academies and colleges. From this, I have very first-hand experience of how budgeting works in education, and I know its effect on the choices we make when selecting solutions and ultimately protecting educational establishments.
When I read stories like the one about the University of Northampton, it churns my stomach. I know that the ladies and gentlemen who work in the IT teams of these organisations will have been doing everything they could to protect their systems. However, they are always constrained by the limits of their finances and their current technology stack. Having personally experienced several attacks first-hand, I know that the IT team usually takes the brunt of the fallout from these events. In truth, it is business management and senior management whose lack of understanding allows these incidents to happen.
The real-world cost of an attack
When these kinds of cyber-attacks in education occur, we all see the headlines and the public outcry about the fact that these threat actors get into and disrupt educational organisations. What is very rarely discussed is the cost to the organisation.
The cost is not just that of recovering from the breach. Depending on what equipment has been affected and what can be recovered, the cost can be anywhere from £10,000 to £500,000!
On top of this, you have to add the cost of staff not working. An organisation that cannot deliver teaching and learning can easily lose over £50,000 a week.
We then have to consider the cost of the damage to the organisation’s reputation and any fines that may come from the ICO if data has been lost. These costs can run into millions.
The worst part of all of this is that insurance will not always cover these costs if you have the wrong type of cover. In a real-world example, we are aware of a case where the total cost of an outbreak to an educational organisation was £2.5 million; this figure should be enough to make your senior management sit up and pay attention.
Where to start…
The question, then, is how we get our educational sector partners into a position where they can protect their data, deliver teaching and learning and ultimately avoid cyber-attacks in education.
The answer is about prioritising spending and focusing on ensuring that a security landscape is in place that covers all bases and protects against all foreseeable attack vectors. We start with solid anti-virus and anti-ransomware technology. Endpoint protection must be paired with a robust Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) product. Together, these technologies give you a strong endpoint protection roster.
Layered on top of this, you need to look at device encryption, which must be centrally managed. Then we need to pivot to the ingress points on your network, namely your email and your firewall. Both should be robust next-generation products that combine unified threat management (UTM) with a traditional stateful firewall approach.
And then there’s the human element
When we have tackled the technical delivery needed to secure the network, we need to look at your staff and the human firewall element of protection. In this regard, we should be looking at phishing training, security awareness and data protection training.
When you have all these pieces in place and configured to best practice, there is a good chance that you will mitigate most risks to your organisation. That does not mean your senior management can wash their hands of cybersecurity. Proper cybersecurity protection is reviewed and maintained regularly, and this also means patching all your other IT systems; it is a busy and full-on task to undertake. However, if you do it correctly, it is worth it, knowing that you are keeping your learners, staff and visitors safe and protecting the business, individuals and the wider community against the effects of a cyber-attack.
If you would like to have a conversation about how we can review your security landscape and work with you to build a robust cybersecurity landscape for your organisation, you can book a meeting with me or email me at firstname.lastname@example.org, and together we can work to align your organisation against current and future risks.