Government’s education cybersecurity warning

06 October 2020

The UK government’s national security body has warned the country’s education system about possible cyberattacks, as students across the country return to school following the nationwide lockdown that curtailed the last academic year.

Fears have arisen that institutions could face attack due to a lack of proper protection and the National Cyber Security Centre (NCSC) said that schools and universities need to take steps immediately to make sure they stay protected. This includes moves such as upgrading cybersecurity protection, ensuring data is stored securely, and making sure systems are backed up away from the premises.

The alert urged schools and universities to take immediate steps such as ensuring data is backed up and also stored on copies offline.

“This criminal targeting of the education sector, particularly at such a challenging time, is utterly reprehensible,” said Paul Chichester, director of operations at the NCSC. “While these have been isolated incidents, I would strongly urge all academic institutions to take heed of our alert and put in place the steps we suggest, to help ensure young people are able to return to education undisrupted. “We are absolutely committed to ensuring UK academia is as safe as possible from cyber threats, and will not hesitate to act when that threat evolves.”

Furthermore, the NCSC said it has been investigating an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges and universities over the past few months.

Fredrick Forslund, VP enterprise and cloud erasure solutions at international data security firm Blancco, said the NCSC’s decision to issue a cybersecurity alert to the academic sector comes as no surprise. “The global pandemic has resulted in an unprecedented shift to online working, mirrored by an increase in cyberattacks,” he told Networking+. “As schools and academic institutes return, vulnerable IT systems will be put to the test by a new wave of cyber threats, from contemporary ransomware attacks to phishing attempts. Education providers handle a lot of sensitive information about their staff, students, and the institutions themselves. As part of that responsibility, strict data retention policies are crucial. Failing that responsibility can mean breaching privacy laws, resulting in steep consequences – fines, plus a loss of reputation if there is a data breach.”

Educational institutions across the world were hit by a wide-ranging cyberattack attack known as Blackbaud (see Networking+ July edition) with schools and universities hit with ransomware assaults.

The NCSC advisory lists a number of ways it has seen criminals target schools in recent months, including phishing emails, unpatched or unsecure hardware and software, and remote desktop protocol attacks. Furthermore, the  rise in online schooling over lockdown may have contributed to a rise in the latter, with students and teachers alike using personal devices to log in to workplace networks or connect to lessons.

“The NCSC recommends that organisations implement a ‘defence in depth’ strategy to defend against malware and ransomware attacks,” the NCSC said. “Your organisation should also have an incident response plan, which includes a scenario for a ransomware attack, and this should be exercised.”

Forslund added that the way education providers handle data is changing in tandem with the new “blended learning” landscape. “For those responsible for keeping data storage clean and secure, it’s important to recognise exactly where your data is distributed and stored,” he said.

“Today we are dealing with sensitive data on-premises, at home and in the cloud, which all require varied data management approaches. The NCSC’s alert has urged academic institutions to take certain immediate steps, one of which is ensuring all data is backed up and stored locally.”

The recent Blackbaud hack saw universities and schools exposed after an attack on the cloud computing provider, which affected more than 125 organisations. Those affected included the University of Edinburgh and Aston University in Birmingham.