‘Ransomware attacks within education are on the increase because cybersecurity criminals perceive schools to be an easy and potentially lucrative target,’ says Sophos in its latest report The State of Ransomware in Education.

Here Gareth Jelley, Product Security Manager, edtech charity LGfL-The National Grid for Learning, shares his top tips on how to prevent, and also deal with, a ransomware attack on your school – a type of malicious software designed to block access to a computer system until a sum of money is paid.

Defending your systems and raising awareness

The first and most important action you should take is to defend your systems and educate staff about the growing threat presented by ransomware:

Policies and certification:

• Ensure that you have a comprehensive cybersecurity policy which outlines the school’s guidelines and security provisions that are there to protect its systems, services, and data in the event of a cyberattack. You can download a free template here https://elevate.lgfl.net
• Ensure cybersecurity risks are detailed in your school’s Risk Register, used to assess, evaluate, prioritise and manage cybersecurity risks.Remember too to keep your Governors informed.  You can download a free template
• Consider attaining the Cyber Security Essentials certification. Using the self-assessment option you can evaluate if you have the basic controls your organisation should have in place to mitigate the risk from common cyber threats, and obtain certification if you meet all the criteria.Alternatively, you can use it to map areas of improvement and implement a development plan based on it.

Subscribe:

• Subscribe to the Early Warning service from the National Cyber Security Centre (NCSC) designed to help organisations defend against cyber-attacks by providing timely notifications about possible incidents and security issues.

Educate staff:

• Educate staff and students about the risk of ransomware and their role.
• Run Cyber Security Training for School Staff from the National Cyber Security Centre (NCSC) designed to raise awareness and help staff manage some of the key cyber threats facing schools. It’s free.
• Run regular simulated phishing campaigns that are linked to training to raise awareness of how to spot phishing emails.
• Ensure staff are aware of what to do if they notice something suspicious on their machine, and who to report it to.

Protect your finances:

• Ensure there are appropriate finance processes in place when a company requests changes to bank details. New information should always we confirmed via an alternative method, not just email.
• Ensure requests for out of the blue payments/gifts/prizes are verified in person or via a phone call.

Reduce your vulnerabilities:

• Ensure any new systems/software are reviewed at the procurement/purchasing stage to ensure they meet security standards.
• Implement Role-Based Access Control (RBAC) where the level of access to the network is determined by each person’s role within the school, and employees are only allowed to access the information necessary to effectively perform their duties. Access can be based on several factors, such as authority, responsibility, and job competency. In addition, access to computer resources can be limited to specific tasks such as the ability to view, create, or modify a file.
• Install security patches as soon as possible to help resolve hardware, operating systems and application vulnerabilities that could be exploited by hackers.
• Install and monitor antivirus software – a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like worms, trojans, adware, and more.
• Implement Multifactor Authentication – an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN – for all systems that support it.
• Run regular backups, check that they cover all relevant data and systems so you are able to recover from any incident (fire/flood/ransomware) and test that they work.
• Keep backups offline/offsite to prevent them being impacted by the ransomware (although online, some cloud backup solutions can be considered ‘offline’).
• Perform regular housekeeping and remove user accounts and files/software/systems that are no longer needed. This will help to reduce your exposure to risk.
• Replace software and systems that no longer receive regular security updates from their vendors, e.g. Windows 7/Shockwave/Flash Player.
• Schedule reviews of security configurations to ensure obsolete settings are removed, particularly on firewalls.
• Perform vulnerability scans of internal systems to detect and classify system weaknesses in computers, networks and communications equipment and to predict the effectiveness of countermeasures.
• Commission penetration tests to evaluate the effectiveness of your security systems.
• Ensure email is configured with SPF/Dmarc/DKIM – this will prevent hackers from impersonating your email. The Sender Policy Framework (SPF) is an email-authentication technique which is used to prevent spammers from sending messages on behalf of your domain. Dmarc is an open email authentication protocol that provides domain-level protection of the email channel. DKIM (Domain Keys Identified Mail) is a protocol that allows an organisation to take responsibility for transmitting a message by signing it in a way that mailbox providers can verify.
• Where possible limit the locations from where accounts can be accessed – e.g. prevent users logging on from outside the UK (Russia/China/Australia/America/etc) using geofences- virtual geographic boundaries.

Be prepared for an attack

Assume that at some point you will be affected and plan accordingly:

• Implement a specific Incident Response Plan for ransomware – including communication plans. You can download a free template here.
• Run desktop exercises of the Incident Response Plan to highlight gaps/updates. The NCSC has exercises here.
• Consider the DfE Risk Protection Arrangement (RPA) for schools as an alternative to commercial insurance, which includes cyber cover and may save time and money.

During or after an attack

If you are attacked, take the following steps immediately:

• If you have been asked for a ransom, or are a victim of cybercrime, contact Action Fraud, the UK’s national reporting centre for fraud and cybercrime and a central point of contact for information about fraud and financially motivated internet crime.
• Disconnect infected computers/laptops or tablets from all network connections.
• Consider if you need to disconnect networking equipment, or the school’s internet connection.
• Review cybersecurity insurance policies to see how they can support you.
• Wipe infected devices and reinstall their operating system and applications.
• Install, update, and run antivirus software.
• Check backups are not infected, and then restore them.
• Reset credentials, including passwords and Multi-Factor Authentication (MFA) registrations.
• Reconnect to the network and monitor systems.
• Review your Incident Response Plan to ensure lessons are learnt.
• Assume that at some point you will be affected again, and plan accordingly.
• Inform the Information Commissioner’s Office if you are subject to a personal information data breach.

For further top tips on cybersecurity for schools visit: https://security.lgfl.net