GUEST BLOG: Preventing and responding to a cyber attack

Neil Limbrick is an independent consultant who has worked in an IT strategy role with MATs and schools for over 20 years. He is currently working with over 100 different networks through theEducationCollective, which is made up of 10,000 individuals in over 5,000 schools. Neil also joined us for an excellent webinar on this subject.

In this blog I will outline some real-world examples of how schools have been exploited. I hope it will serve as a useful tool to help you understand where an attack might come from in your setting. All the examples given can be mitigated by undertaking two key exercises:

  1. Visit the Cyber Essentials site. While achieving Cyber Essentials is not necessarily the easiest thing to do, it is an important step to take and will close 99% of the loopholes that you may have that could cause you problems. It could be worth considering employing an expert to take you through the process. While there may be an upfront cost, this is outweighed by the potential cost of a cyber attack. Even if you do not go for the accreditation itself, the website has a number of questions that you can work through to ensure that you have safeguards in place to protect yourself.
  2. Do the National Cyber Security Centre’s Exercise In A Box to prepare your response in the case of a cyber attack.

We will now look at what the threats are, focusing on practical advice on how to prevent an attack and on what you need to do to respond to an attack if it happens.

What is a threat?

It is difficult, if not impossible, to identify where the threat is coming from, what the hacker looks like or what country they are based in. We do know that any attack can cause a lot of damage to a school and its reputation. The impacts are wide ranging including:

  • Significant disruption to your school – maybe even closure
  • Theft of confidential data – which you may never get back
  • Significant loss of work – including students’ coursework, which could impact on exam results
  • Unfavourable PR
  • Loss of income

The good news is that there are steps that you can take to prevent attacks.

The Basics

While everyone should know these, it is always worth reiterating them and making sure that everyone understands them:

  • Everyone must have strong passwords.
  • You must keep software up to date on user devices and firewalls – basically any device connected to your network.

I will go through a number of real-life scenarios to illustrate what has happened to MATs and schools that I have dealt with recently. I will also cover what could be put in place to prevent these incidents, and what you need to have in place to deal with the fallout from cyber attacks.

Scenario 1 – Multi Academy Trust, Phishing Attack

In basic terms, the following took place:

  • The finance lead was specifically targeted and their email account was compromised – they clicked a link and entered their password on a fake site.
  • The hacker set up an Office 365 rule to intercept inbound and outbound emails involving the finance lead and divert them to the hacker’s own mailbox. They also deleted incoming emails, so the MAT was not aware that certain emails had been sent – basically they had complete control of the finance lead’s emails.
  • This only affected emails from one or two senders, and it went on for several months until the hackers picked an email that they could use.
  • The hacker intercepted the invoice and put their own bank account details on it. They also sent an email claiming to be from the payroll provider (the CEO of Birmingham City Council, a copy of whose signature they had obtained) confirming the new bank details and offering a discount for quick payment. This should have been an immediate red flag, as this would not happen. However, the finance lead, thinking they could save the Trust money, paid the invoice.
  • The Trust paid over £400,000 to the revised bank account – and this happened twice. It meant they lost the money they paid to the hacker, and they still had to pay the original payroll invoice.

Preventative Steps

Training

  • ALWAYS verify bank account changes via a known contact, i.e. not a phone number provided on the instruction to change. Talk to the person who has sent the instruction.

Policy / Procedure

  • Apply two-factor authentication on email accounts – especially for those involved in finance and IT, and for anyone on the senior leadership team.
  • Restrict access within the accounts package as much as possible, to make sure people cannot just change details without following a procedure – especially supplier payment details.
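The inbox-rule abuse described in Scenario 1 is something an IT team can check for in its own tenant. The PowerShell below is an added example and is not code from the original post or from its author: it flags inbox rules that forward or redirect mail outside the organisation, or that delete messages. The sample rules are constructed so that the function can be tried offline, the internal domain school.org is a placeholder for your own mail domains, and a live run assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline, Get-Mailbox and Get-InboxRule).

```powershell
# Added example, not code from the original post or its author.
# Flags Office 365 inbox rules that send mail to external addresses or that
# delete messages: the pattern described in Scenario 1.
# Assumptions: the sample rules are constructed for an offline run, and
# 'school.org' is a placeholder for your own mail domains.

function Find-SuspiciousInboxRule {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [string[]] $InternalDomains = @('school.org')   # placeholder: your own mail domains
    )
    foreach ($rule in $Rules) {
        $reasons = @()

        # Get-InboxRule exposes three forwarding-style properties; gather them all.
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }

        foreach ($target in $targets) {
            # Recipients are often rendered as '"Name" [SMTP:user@domain]'; pull the address out.
            $address = if ($target -match 'SMTP:([^\]]+)') { $Matches[1] } else { $target }
            $domain  = ($address -split '@')[-1].ToLower()
            if ($InternalDomains -notcontains $domain) {
                $reasons += "sends mail to external address $address"
            }
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $rule.MailboxOwnerId
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample rules, shaped like Get-InboxRule output.
$sampleRules = @(
    [pscustomobject]@{
        MailboxOwnerId = 'finance.lead'; Name = 'Supplier invoices'; Enabled = $true
        ForwardTo = @('"Archive" [SMTP:collector@example.net]'); ForwardAsAttachmentTo = @()
        RedirectTo = @(); DeleteMessage = $true          # forwards out and hides the original: flagged
    }
    [pscustomobject]@{
        MailboxOwnerId = 'head.teacher'; Name = 'Cover while away'; Enabled = $true
        ForwardTo = @(); ForwardAsAttachmentTo = @()
        RedirectTo = @('deputy@school.org'); DeleteMessage = $false   # internal redirect: not flagged
    }
    [pscustomobject]@{
        MailboxOwnerId = 'finance.lead'; Name = 'Payroll provider'; Enabled = $true
        ForwardTo = @(); ForwardAsAttachmentTo = @()
        RedirectTo = @(); DeleteMessage = $true          # silently deletes one sender's mail: flagged
    }
)

Find-SuspiciousInboxRule -Rules $sampleRules | Format-Table -AutoSize

# Live run (requires Connect-ExchangeOnline as an Exchange administrator):
#   $rules = Get-Mailbox -ResultSize Unlimited |
#       ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName }
#   Find-SuspiciousInboxRule -Rules $rules -InternalDomains 'yourtrust.org'
```

The offline run reports the first and third sample rules and leaves the internal redirect alone. Treating any rule that deletes messages as worth a look is deliberate: in the scenario above it was the deletion, not just the forwarding, that kept the Trust unaware of the emails for months.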

Scenario 2 – Ransomware attack

It can be very dangerous to give one person too much access and authority over a system, as if that one person is attacked it can have a disproportionate impact. In one MAT I worked with, this is exactly what happened.

  • The administrator was sent an email asking them to download software.
  • On clicking the link, the software locked the computer and encrypted everything on it.
  • However, as the administrator had access to the school, 13 other schools in the Trust and a further 39 schools across South Gloucestershire, it also locked down and encrypted all their systems and every computer in those schools. In addition, it wiped out all the data.
  • This went on for several months, which meant that staff had to bring in their own computers and mobile phones as the systems were completely unrecoverable.


This happened because one person had access to, and responsibility for, too many systems.

Preventative steps

Training

  • Try to help staff spot what might be a malicious email, and create a culture where it is OK to ask before you click.
  • Help staff understand what to do if they click on a link – i.e. shut down, disconnect from the network, etc.

Policy / Procedure

  • Make sure people only have the access they need, and do not concentrate access in one person.
  • Make sure IT teams have a separate administrator account (for each school if appropriate) and only use it when they must – using a “standard” account should be the norm. This means that if they click on a malicious link it will affect their computer/account but will not be able to access the wider network.
  • Ensure people understand what they need to do in this scenario. In this case the recovery was hampered because the person did not come forward immediately. Ensure that people understand they can and should come forward when an error is made, in order to limit the damage.

Scenario 3 – The Enemy Within

The key takeaway message from this example is to make sure that you know your own people, understand who you can trust, and follow your procedures to the letter.

  • An IT technician hid a fraud conviction on their application and was fired once it came to light.
  • However, their username and password remained active, and they used them to log in and delete data, including data from students’ home computers.
  • At first it was quite casual, but it became more malicious and ended with the whole system being wiped out.

Preventative Steps

Policy / Procedure

  • Ensure you have a robust employee exit process and that it is followed.
  • Ensure you have a log of all user accounts that have administrative privileges, and that this is reviewed regularly and each account is justified.
  • This includes all social media and third-party accounts such as Twitter, Facebook, Google Business, YouTube etc. Where possible, link these to generic email addresses like twitter@school.org, as these can be shared or easily redirected to three or four people to prevent you being locked out. If an account is set up for a specific individual, it cannot easily be reassigned when they leave, and they may still have access to it if you do not have the policies and procedures in place to lock it down.
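The two checks behind the exit-process and admin-log advice above can be run as a regular review rather than left to memory. The PowerShell below is an added example and is not code from the original post or from its author: it compares a list of accounts against an HR leavers list and against a register of justified administrative accounts, and also reports enabled accounts that have not logged on for a configurable period. The accounts, leavers and register are constructed so that it runs offline; the privileged group names are placeholders, and the commented lines at the end assume the ActiveDirectory module (Get-ADUser, Get-ADGroup) for a live run.

```powershell
# Added example, not code from the original post or its author.
# Reviews accounts against an HR leavers list and a register of justified
# administrative accounts: the gaps exploited in Scenario 3.
# Assumptions: sample data is constructed for an offline run; the privileged
# group names are placeholders for your own.

function Find-AccountReviewIssue {
    param(
        [Parameter(Mandatory)] [object[]]  $Accounts,
        [Parameter(Mandatory)] [string[]]  $Leavers,        # usernames HR has confirmed have left
        [Parameter(Mandatory)] [hashtable] $AdminRegister,  # username -> recorded justification
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins'),  # placeholders
        [int]      $StaleDays = 90,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($account in $Accounts) {
        $issues = @()
        $isPrivileged = @($account.MemberOf | Where-Object { $PrivilegedGroups -contains $_ }).Count -gt 0

        if ($account.Enabled -and ($Leavers -contains $account.SamAccountName)) {
            $issues += 'leaver but account still enabled'
        }
        if ($account.Enabled -and $account.LastLogonDate -and
            ($AsOf - $account.LastLogonDate).TotalDays -gt $StaleDays) {
            $issues += "enabled but no logon in $StaleDays days"
        }
        if ($isPrivileged -and -not $AdminRegister.ContainsKey($account.SamAccountName)) {
            $issues += 'administrative privileges without a recorded justification'
        }
        if (-not $isPrivileged -and $AdminRegister.ContainsKey($account.SamAccountName)) {
            $issues += 'in the admin register but no longer holds a privileged group'  # register out of date
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Account    = $account.SamAccountName
                Privileged = $isPrivileged
                Issues     = ($issues -join '; ')
            }
        }
    }
}

# Constructed sample data. Dates are fixed so the result is the same on any day.
$asOf = [datetime]'2024-03-01'
$sampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'it.manager'; Enabled = $true
                       LastLogonDate = [datetime]'2024-02-27'; MemberOf = @('Domain Admins') }
    [pscustomobject]@{ SamAccountName = 'ex.tech';    Enabled = $true              # left months ago, still live
                       LastLogonDate = [datetime]'2023-10-01'; MemberOf = @('Domain Admins') }
    [pscustomobject]@{ SamAccountName = 'teacher1';   Enabled = $true
                       LastLogonDate = [datetime]'2024-02-28'; MemberOf = @('Staff') }
)
$leavers       = @('ex.tech')
$adminRegister = @{ 'it.manager' = 'Network manager; reviewed January 2024' }

Find-AccountReviewIssue -Accounts $sampleAccounts -Leavers $leavers `
    -AdminRegister $adminRegister -AsOf $asOf | Format-Table -AutoSize

# Live run against Active Directory (ActiveDirectory module). Get-ADUser returns
# group distinguished names in MemberOf, so they are translated to group names first:
#   $accounts = Get-ADUser -Filter * -Properties Enabled, LastLogonDate, MemberOf |
#       Select-Object SamAccountName, Enabled, LastLogonDate,
#           @{ n = 'MemberOf'; e = { $_.MemberOf | ForEach-Object { (Get-ADGroup $_).Name } } }
```

On the sample data only ex.tech is reported, with all three problems at once: a leaver whose account is still enabled, no logon for over 90 days, and Domain Admins membership that nobody has justified. The leavers list and the register are the two documents the review depends on, so they are worth keeping somewhere that survives the building being locked or the network being unavailable, as the continuity advice later in the post suggests for anything you might need during an incident.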

In The Case Of A Cyber Attack Be Prepared

If you are attacked then there are certain steps you need to have in place to respond and limit the damage:

Assess the damage

  • What impact does it have? Is there a threat to life, is there a threat to confidential data, and is there a threat to you meeting statutory requirements?

Establish a chain of command

  • Make sure you know who the key decision makers are for questions like: do we pay the ransom, do we buy in expertise, etc. These are all decisions that someone needs to own.

Confirm communication paths

  • Establish how you will communicate with the wider workforce.
  • Decide what you tell parents and students, and how you tell them.
  • Decide how you handle a press enquiry – you need to decide whether you are going to talk to the press and, if you are, who is going to talk to them.

Business Continuity Plan/Disaster Recovery Plan

  • Ensure you have a clear route from a cyber attack into your plan – either by updating it or by having an additional procedure document in place.
  • Remember – if it happens you may not have access to your digital documents, so keep everything you might need in hard copy.
  • There is a trend for attacks to happen on a Friday evening, to allow them to go unnoticed for as long as possible and maximise the damage.
  • Ensure your policy allows for this, and that you can check what is happening over the weekend.
  • Ensure the information you need is not locked in the building or reliant on remote access.

MAKE SURE EVERYONE KNOWS THE PLAN – there is no point having a plan if no one knows about it and how to action it.

The Key Things To Take Away

  • Train all staff
    • This will have the biggest impact. Training has to be specific, with regular updates and reminders. The way you are attacked will not change dramatically, but people have to be reminded and stay vigilant.
  • Prevent an attack by following Cyber Essentials. This includes:
    • Practices and procedures
    • Password and security guidelines
    • Hardware rationale
  • Prepare your response
    • Working through Exercise In A Box on the NCSC website will help you understand what you need to do.
