When you pack up after a busy day teaching, you’ll close the windows, lock the doors and make sure anything worth taking isn’t left lying around. Basic cybersecurity works much the same way.
Cyber criminals look for easy, low-hanging fruit. Like burglars, they are opportunists. If they see a digital door is left open, they’ll dash in before it closes and look around for something to steal. They’d prefer to find a direct route to money; yet they’ll be just as happy if they find data they can hold to ransom or use in some other way.
You may think your school doesn’t have anything worth stealing, but cyber criminals don’t see it that way. Whether it’s data or digital resources, cyber attackers will find it interesting. Even the smallest schools can be at risk and there’s no such thing as being too small to be a target.
However, there are practical steps you can take to reduce the risk of an attack. So, how do you go about closing the digital windows and locking the online doors?
Step one: Make sure everyone involved is cyber aware
Everyone knows the drill with physical security. It comes naturally. The risks are easy to understand. But we may need to remind our people about good cybersecurity.
An online attack can damage a school’s reputation or disrupt learning and other activities. One small school in Aotearoa suffered an attack when an email arrived with what appeared to be an invoice. Instead, it loaded disruptive malware onto the computer system which left it without business email. Another school had its profile information used to create a false email identity which appeared to be the principal. It was used to phish staff members.
That’s why it’s important that ākonga and kaiako know where the dangers lie and understand best practices. This means using unique, strong passwords, and two-factor authentication (when it’s available) is also important. It also means knowing not to volunteer information that could help attackers and being wary of email phishing attempts or suspicious links in messages you’re not expecting.
After a while, these basic practices become second nature, just like basic physical security.
Step two: Create a practical cybersecurity policyNow that everyone knows they need to be aware of the risks, they should know what their responsibilities are. Document a set of policies in language that everyone can understand. Your policy might also include a plan of how to respond if there is a cyberattack. Make sure the policy is available to everyone. Encourage discussion. You want everyone to understand they are involved.
Step three: Keep software and systems up-to-date
Software developers and the companies that make digital hardware frequently update applications and operating systems. This not only fixes bugs, but often includes the latest security patches.
If criminals can’t find anything to profit from straight away, they might instead try and gain control of school systems and use them for a cyberattack elsewhere. Cyber criminals might conduct a supply chain attack, where they get inside a less secure system to gain access to another connected system. While your school might not be the end target of these attacks, you can end up being collateral damage.
Cyber criminals look for unpatched systems, so stay as up-to-date as possible.
Step four: Use encryption
When it comes to cybersecurity the risks are not always obvious. Criminals increasingly look for personal data they can use for identity theft and carry out fraudulent transactions in someone else’s name. Or they may want to lock up data and hold it to ransom.
Ransomware attacks are among the most common online crimes. This is because they can be easy to launch and have a quick, predictable pay-off. But there are other ways cyber criminals can do their dirty work with data. For example, they can use data they have accessed to set up new identities, impersonate people and carry out fraudulent transactions in their name.
Think of encryption as a way of putting a strong padlock on data. When you encrypt data, it is encoded, making it unreadable to anyone who doesn’t have authorised access. Encryption makes it harder for attackers to exploit any files they find.
You are not on your own
You’re not on your own when it comes to improving cybersecurity. N4L can help support the safety and security of ākonga and kaiako.
N4L recommends all schools connected to the Managed Network use N4L’s Safe & Secure Internet recommended settings. These provide a basic layer of protection. The Security team proactively monitors the network and the team can support your school with mitigation of cybersecurity risks, or remediation of cybersecurity incidents.
N4L’s Secure Access can help make your school or kura less vulnerable to security risks such as ransomware. It helps protect your school’s student data and gives you greater control over what happens on your network.
And, last but not least, N4L’s Email Protection solution provides an extra level of email security and added peace of mind. It’s fully funded for eligible schools by the Ministry of Education and complements schools’ existing Microsoft or Google email services.
Cyber crime can affect anyone who uses the internet. Small schools are no exception. Cyber crime is a constantly changing landscape with new threats emerging all the time. There are no foolproof ways to guard against the threats – even the world’s largest organisations find online security a challenge – but by working together we can reduce the risks and keep schools and kura safer.
Written by Bill Bennett, an experienced editor and journalist specialising in technology and business. He has worked for New Zealand and international newspapers including the NZ Herald and The Australian Financial Review. He is also a regular technology commentator on RNZ Nine-to-Noon.
For more information about N4L’s Security Services visit the website. And If you’d like to find out more about the Ministry of Education’s recommendations on how to protect your school from cyber attacks, check out their website or contact [email protected]