education.govt.nz

Putting cyber security on the agenda

Issue: Volume 99, Number 5

Posted: 25 March 2020
Reference #: 1HA6ro

Schools are encouraged to take steps to protect themselves from cyber attacks and breaches.

The business manager of a Wellington high school says the cyber criminals involved in a recent breach of the school’s systems knew what they were doing.  

“We suspect it was a team, and they went to great lengths to cover their tracks,” he says.  

Fortunately, the school was well equipped to deal with the breach, although the business manager – who doesn’t want himself or the school to be identified – says they have learned a lot from the experience.  

Unfortunately, such attacks against New Zealand schools are becoming more frequent, causing, in some cases, data loss and significant disruption.

One type of cyber attack with particularly severe impacts is ransomware, a type of malware (malicious software) that encrypts and locks out access to computer systems and can result in stolen information being dumped publicly or shared among cyber criminals.

The good news is there are practical cyber security measures that can be taken to help protect schools from cyber attacks like this.  

When applying these measures, schools must discuss them with their ICT providers or in-house IT staff and ensure that ‘cyber security risk’ is on the school leadership agenda since it presents a material risk to the whole school.  

What should schools do?  

While there is a broad range of strategies that can strengthen cyber security and significantly reduce the risk and impact of cyber security threats like ransomware, practical measures start with ensuring that:

  • backups of important information and data are performed regularly and are stored away from the school ICT network.  
  • partial restore is tested at least once a year, and a full restore is tested at least once. Being able to restore data and systems from reliable clean backups allows schools to recover quickly from the disruption caused by successful cyber attacks.
  • security updates, also known as ‘patches’, for software and devices are applied when they are made available. Cyber criminals exploit security vulnerabilities in unpatched software and devices to launch cyber-attacks.
  • everyone is made aware of phishing and other email scams. As well as trying to steal passwords or financial information, phishing emails can also be used to deploy ransomware or launch other types of cyber attack. 
  • antivirus software is installed on all devices. State and state integrated schools have access to funded software including Symantec Endpoint (anti-virus) protection to do this.
  • a secure connection to access the school ICT network remotely is used. Schools can be referred to N4L for help with this. 
  • cyber security insurance is considered. This can help cover expenses including incident investigative and legal costs when recovering from a cyber attack. It is important to look at the policy details and consider what cover is required by the school.  

The business manager of the school that recently suffered the cyber-attack has urged other schools to take these measures to mitigate the risk of a cyber-attack and minimise the time to recover in the event of a breach.

Additionally, he particularly urges schools to take out cyber security insurance. He also suggests introducing two-factor authentication of Google or Microsoft accounts for new device log-ins. And he urges schools to have a strategy in place to mitigate the risk for BYOD devices from home that might have bugs, as this can be a common way for viruses to infiltrate the school network.

Backing up and restoring important data 

Taking regular backups of important data and storing them securely and separately away from the school network is of utmost importance. Having clean backups of important information, software, and configuration settings allows schools to recover more quickly and minimise the disruption and data loss that can result from cyber-attacks. It is good practice with backups to ensure that:

  • Backups of important information, software, and configuration settings are performed monthly at the very least, with a plan to move to backing up important information daily.  Important data that is stored locally on laptops or memory sticks should also be stored on the school network and included in the backup regime. 
  • Backups are retained for one month at the very least, with a plan to move to retaining backups for at least three months. 
  • Backups are stored securely, and separately away from the school network.  These backups can be stored either offline, or online in the cloud in a non-erasable manner.  Seeking an off-site backup solution that is completely separated from the school network is strongly recommended. 

It is also critical that the partial restoration of backups is tested annually, and full restoration of backups is tested at least once.  Having assurance that clean backups can be restored means that even in a worst case scenario the disruption to learning, teaching, and school business can be minimised. 

Security updates 

Ensuring that software is updated with the latest security updates (patches) helps reduce the risk that a school’s ICT systems will be compromised by a cyber-attack. This is because unpatched or unsupported software that has known security flaws is a popular target for cyber criminals intending to launch a cyber-attack. In particular it is recommended that:

  • Security updates for devices, applications, and systems are applied as soon as possible. At the very least, security updates should be applied within two weeks of their release. However, for security vulnerabilities that are assessed as an extreme risk, it is recommended that these patches are applied within 48 hours of being made available.
  • If a school is using ICT equipment or systems that are no longer supported with security patches, then those systems should be replaced with vendor-supported versions. 

Some software vendors, e.g. Microsoft, release security updates monthly, while other software vendors will release security updates on a different cycle or when new vulnerabilities are discovered. Regardless of the pattern of security updates, it is important that any software used on a school’s network has the latest security updates.

Phishing email scams 

Ensuring that both staff and the school community are aware of and vigilant about email scams and phishing attacks can help prevent serious cyber-attacks. Phishing emails are a type of email scam where the sender tries to trick the recipient into giving away information, installing malware, or getting unauthorised access to systems to steal data or for financial gain. Being successfully ‘phished’ can in some cases also trigger the start of a ransomware attack.

These phishing emails are becoming more sophisticated. Increasingly, scammers will use ‘spear phishing’ tactics where the scammer will first gather whatever information they can about their chosen target to make their emails more personalised and convincing. Often these scammers will also try to impersonate trusted people, organisations or the systems they use. Staff handling payroll or payments need to be particularly vigilant about these more sophisticated phishing attacks because payroll and accounts staff are a popular target for some phishing scams.

Protecting against phishing scams is about awareness and knowing the warning signs that an email could be a phishing attempt. To help protect from phishing email scams it is recommended that staff and the school community:

  • Consider whether a received email was expected, and check the sender’s details carefully, looking at the whole email address. For example, if you normally receive emails from a colleague at ‘firstname.lastname@schoolname.school.nz’ and you have now received an email from ‘first.lastname@schoolname.schoolnz.org.su’, then that is not the same sender because the email’s domain (that’s the bit after the ‘@’ symbol) is different.
  • Treat with suspicion emails asking recipients to: click links, open attachments, enter passwords, make payments, change or enter bank account details, or any unusual requests. 
  • Treat with suspicion emails pressuring recipients to perform any of the above actions urgently, even if the sender looks familiar. An unusual email from a known sender might be a sign their email has been compromised. 
  • If in doubt, confirm the sender of the email by phoning them. If possible, use an already known phone number for that person or organisation. Don’t rely on phone numbers given in the email. 
  • Always send emails to the school community from an email address that is associated with the school’s domain name.
  • Do not send password information (e.g. for parent portals) via email. 
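The sender check from the first bullet above can also be automated, for example in a mail-handling script run by a school's IT staff. The following is an added example, not part of the original article: the function names are hypothetical, the trusted domain is the article's own placeholder address, and treating subdomains of the school's domain as trusted is an assumption.

```python
from email.utils import parseaddr

# Assumption: the school's genuine mail domain, taken from the article's example.
TRUSTED_DOMAIN = "schoolname.school.nz"


def sender_domain(from_header):
    """Return the lower-cased domain (the part after the last '@')."""
    _display, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].rstrip(".").lower()


def classify_sender(from_header, trusted=TRUSTED_DOMAIN):
    """Return 'trusted', 'lookalike', 'external' or 'unparseable'."""
    display, _address = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    # Exact match, or a subdomain separated by a dot. A bare endswith()
    # would also accept 'notschoolname.school.nz'.
    if domain == trusted or domain.endswith("." + trusted):
        return "trusted"
    school_label = trusted.split(".")[0]
    # A different domain that reuses the school's name, or a display name
    # that shows the real address in front of a foreign one.
    if school_label in domain or trusted in display.lower():
        return "lookalike"
    return "external"


# Constructed sample headers; the first two use the addresses from the article.
SAMPLES = [
    "Firstname Lastname <firstname.lastname@schoolname.school.nz>",
    "Firstname Lastname <first.lastname@schoolname.schoolnz.org.su>",
    "Accounts <accounts@notschoolname.school.nz>",
    '"firstname.lastname@schoolname.school.nz" <billing@mail.example.org>',
    "Newsletter <newsletter@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):<11} {header}")
```

A 'lookalike' result is a prompt to confirm the sender by phone, as the list above advises, rather than proof of a scam.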

While email spam filtering will remove many harmful emails before they get into inboxes, there will always be some emails that slip through and these are the emails that school staff and people in the school community need to be vigilant about. 

Other steps schools can take to reduce the risk of cyber-attack include: 

  • Make sure paper records intended for disposal that contain sensitive information are disposed of or destroyed securely. 
  • Check that school websites are not disclosing any personally identifiable information that could be used by scammers. 
  • Payroll, accounts, and leadership staff should also review what personal information they are disclosing publicly on social media and adjust their privacy settings if required. 
  • Always apply your school’s payroll business processes when making changes or updates. 
  • Use Multi Factor Authentication (MFA) to reduce the risk of password breaches on your ICT network. 

If you are a larger school with more complex IT systems, there may be a wider range of information and cyber security risks for you to consider. 

Schools that discover a cyber attack or are facing a cyber security incident or need support should contact Netsafe on 0508 NETSAFE (0508 638723) or email help@netsafe.org.nz, and CERT NZ on 0800 CERT NZ (0800 237 869).

 


Where to seek help?

BY Education Gazette editors
Education Gazette | Tukutuku Kōrero, reporter@edgazette.govt.nz

Posted: 3:15 pm, 25 March 2020
