Best practices to protect against cyber attacks

There's a whole range of proactive measures schools can take to safeguard against cyber attacks. Failing to put the right technical and organisational measures in place can also result in enforcement action by the ICO.

An example that springs to mind is Finham Park Multi Academy Trust. In December 2023 the Trust was issued a reprimand in respect of Articles 5(1)(f) and 32(1)(b) of the UK GDPR. An unauthorised third party used compromised credentials to access and encrypt the Trust's systems. 1,843 UK data subjects were affected by the incident, and the ICO's investigation found there were insufficient technical and organisational measures in place with regard to access controls. The following extract from the reprimand shows the ICO's findings:

Article 5(1)(f) and Article 32(1)(b) Technical and Organisational Measures – Access Controls

• Finham Park did not have appropriate technical measures in place to ensure the confidentiality and integrity of their systems. Finham Park had an inadequate account lockout policy, and reversible password encryption was enabled. The National Cyber Security Centre (‘NCSC’) recommends having appropriate account lockout in place. Had these elements been addressed sooner, it could have significantly reduced the likelihood of a successful attack.

• Finham Park did not have multi-factor authentication (‘MFA’) in place. Extensive guidance was available via the NCSC which promotes the use of multi-factor authentication. Additional means of authentication serve to make unauthorised access more difficult and help to protect particularly sensitive personal data.

• Finham Park did not ensure that its employees had sufficient knowledge and understanding around the re-use of passwords. The NCSC emphasises that passwords should not be re-used across accounts. Had Finham Park educated its employees on password management more effectively, it is possible that this incident could have been avoided.
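The first finding names two settings that any domain administrator can check in minutes. The script below is an added example, not code from the GDPRiS post or the ICO reprimand. It assumes the systems in question are an Active Directory domain (the reprimand's terms, "account lockout policy" and "reversible password encryption", are the names of AD settings), that the ActiveDirectory PowerShell module is installed, and it uses threshold limits of its own (a maximum lockout threshold of 10 and a minimum 15-minute observation window) that are assumptions rather than ICO or NCSC figures. It first runs the check against two constructed sample policies, one weak and one corrected, so the logic can be seen working without a domain, then against the live domain if the module is present.

```powershell
# Added example, not from the GDPRiS post or the ICO reprimand. Assumes an
# Active Directory domain and the ActiveDirectory module; thresholds are assumptions.
Set-StrictMode -Version Latest

function Test-PasswordPolicy {
    param(
        # Any object shaped like the output of Get-ADDefaultDomainPasswordPolicy
        # or Get-ADFineGrainedPasswordPolicy.
        [Parameter(Mandatory)] $Policy,
        [string] $Name = 'Default Domain Policy',
        [int] $MaxLockoutThreshold = 10,      # assumed: more than 10 bad passwords before lockout is weak
        [int] $MinObservationMinutes = 15     # assumed: failure counter should not reset sooner than this
    )
    $findings = @()

    # LockoutThreshold = 0 means the domain never locks accounts, so online password
    # guessing against a known username can continue indefinitely.
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += "$($Name): account lockout is disabled (LockoutThreshold = 0)"
    }
    elseif ($Policy.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "$($Name): lockout threshold $($Policy.LockoutThreshold) exceeds the assumed limit of $MaxLockoutThreshold"
    }
    elseif ($Policy.LockoutObservationWindow.TotalMinutes -lt $MinObservationMinutes) {
        $findings += "$($Name): lockout counter resets after $($Policy.LockoutObservationWindow.TotalMinutes) minutes; an attacker can pace guesses to stay under the threshold"
    }

    # "Store passwords using reversible encryption" keeps a plaintext-equivalent copy
    # of every password; anyone who can read the directory database recovers them all.
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += "$($Name): reversible password encryption is enabled"
    }
    return $findings
}

# Constructed sample reproducing the weak state the reprimand describes.
$weak = [pscustomobject]@{
    LockoutThreshold            = 0
    LockoutDuration             = [TimeSpan]::Zero
    LockoutObservationWindow    = [TimeSpan]::Zero
    ReversibleEncryptionEnabled = $true
}
Test-PasswordPolicy -Policy $weak -Name 'Sample (weak)'

# Constructed sample of a corrected policy; produces no findings.
$fixed = [pscustomobject]@{
    LockoutThreshold            = 10
    LockoutDuration             = [TimeSpan]::FromMinutes(15)
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(15)
    ReversibleEncryptionEnabled = $false
}
Test-PasswordPolicy -Policy $fixed -Name 'Sample (fixed)'

# Live check against the domain when the AD module is available.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
    # Fine-grained password policies override the domain default for specific groups.
    Get-ADFineGrainedPasswordPolicy -Filter * |
        ForEach-Object { Test-PasswordPolicy -Policy $_ -Name $_.Name }
    # Reversible encryption can also be switched on per account (userAccountControl
    # bit 0x80), independently of the policy, so check enabled accounts individually.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties AllowReversiblePasswordEncryption |
        Where-Object AllowReversiblePasswordEncryption |
        ForEach-Object { "$($_.SamAccountName): reversible password encryption enabled on the account" }
}
```

Run it from a workstation with the Remote Server Administration Tools installed, or on a domain controller. The per-account check matters because the policy-level setting and the per-account flag are separate: a domain whose default policy reports `ReversibleEncryptionEnabled = False` can still hold accounts with the flag set.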

If you are wondering where to start, here are our top seven actions you should take to ensure you have appropriate technical and organisational measures in place to secure your organisation:

1. Implement Multi-Factor Authentication (MFA): Adding an extra layer of security significantly reduces the risk of unauthorised access, because a stolen or reused password is no longer enough on its own. MFA requires users to provide additional verification (such as a code from an authenticator app or sent to their mobile device) beyond their password.

2. Educate Staff and Students: Training, training, training! Conduct regular training sessions on cyber security best practices, including how to recognise phishing attempts and the importance of safeguarding personal information. GDPRiS offers comprehensive education-focussed awareness training and phishing simulations to help you ensure your staff continuously learn how to spot phishing emails. Find out what Ofqual recently uncovered about cyber awareness in schools.

3. Use Strong, Unique Passwords: Encourage the use of complex passwords and avoid reusing passwords across different accounts or, worse still, sharing passwords between users. Provide staff with clear guidance on generating and managing unique passwords, for example by using a password manager.

4. Regularly Monitor Accounts: Automated monitoring tools can detect suspicious login attempts, such as repeated failures against one account or one source address trying many different accounts, and alert administrators to potential breaches before an attacker succeeds.

5. Limit Access: Implement role-based access controls to ensure users only have access to the systems and data necessary for their specific roles. This minimises the potential impact of stolen credentials.

6. Conduct Security Audits: Regularly assess and update security practices and systems to identify vulnerabilities and ensure compliance with best practices.

7. Invest in Incident Response Planning: Develop a well-defined incident response plan that outlines steps to take in the event of a credential theft or data breach. Regularly review and practice the plan to ensure preparedness.
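Action 4 is easiest to picture with the detection logic in front of you. The script below is an added example, not code from the GDPRiS post. It reads Windows failed-logon events (Security log, event ID 4625) and flags the two patterns that matter most after a credential compromise: many failures against one account (brute force, which a missing lockout policy leaves unchecked) and one source address trying many different accounts (password spraying, which lockout alone does not stop). The thresholds (10 failures per account, 5 distinct accounts per source) and the sample events are assumptions and constructed data, chosen so the logic runs without access to a real log.

```powershell
# Added example, not from the GDPRiS post. Thresholds and sample events are
# assumptions/constructed data; the live path reads real 4625 events.
Set-StrictMode -Version Latest

function Find-SuspiciousLogons {
    param(
        # One object per failed logon, with User and Source properties.
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $PerUserLimit   = 10,   # assumed: 10 or more failures on one account
        [int] $PerSourceUsers = 5     # assumed: 5 or more distinct accounts from one source
    )
    $results = @()
    # Brute force: repeated guesses against a single account.
    foreach ($g in ($Events | Group-Object User)) {
        if ($g.Count -ge $PerUserLimit) {
            $results += [pscustomobject]@{ Pattern = 'BruteForce'; Key = $g.Name; Count = $g.Count }
        }
    }
    # Password spray: one source cycling through many accounts with few guesses each,
    # so no single account reaches the lockout threshold.
    foreach ($g in ($Events | Group-Object Source)) {
        $distinctUsers = @($g.Group.User | Sort-Object -Unique).Count
        if ($distinctUsers -ge $PerSourceUsers) {
            $results += [pscustomobject]@{ Pattern = 'PasswordSpray'; Key = $g.Name; Count = $distinctUsers }
        }
    }
    return $results
}

# Constructed sample: 12 failures for one account from one address, six different
# accounts tried once each from a second address, and one benign mistyped password.
$sample = @()
foreach ($i in 1..12) {
    $sample += [pscustomobject]@{ User = 'jsmith'; Source = '203.0.113.10' }
}
foreach ($u in 'ahmed', 'bpatel', 'cjones', 'dlee', 'emurphy', 'fkhan') {
    $sample += [pscustomobject]@{ User = $u; Source = '198.51.100.7' }
}
$sample += [pscustomobject]@{ User = 'ahmed'; Source = '10.0.0.21' }
Find-SuspiciousLogons -Events $sample | Format-Table -AutoSize

# Live: the last 30 minutes of 4625 events from this host. Run on the domain
# controllers (or pass -ComputerName) to see failures for domain accounts.
$since = (Get-Date).AddMinutes(-30)
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The account and source address live in the event's EventData section.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.InnerText }
        [pscustomobject]@{ User = $data['TargetUserName']; Source = $data['IpAddress'] }
    }
if ($live) { Find-SuspiciousLogons -Events @($live) | Format-Table -AutoSize }
```

On the constructed sample it reports `jsmith` as BruteForce (12 failures) and `198.51.100.7` as PasswordSpray (6 accounts); the single mistake by `ahmed` from `10.0.0.21` is not flagged. Two practical caveats: on domain controllers, failed Kerberos pre-authentication is logged as event 4771 and failed NTLM validation as 4776 rather than 4625, so a production version should include those IDs; and the live query only covers logons processed by the host it runs on, so a scheduled task on each domain controller, or central log collection, is needed for full coverage.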

By taking the above steps, you can quickly improve your cyber security and better protect the data of your staff, students and parents.

Using a platform such as GDPRiS to log and monitor incidents can be a great way to learn from any incidents you do have and implement appropriate measures to mitigate future risk. Our education-focussed phishing simulations and awareness training ensure your staff can quickly identify phishing emails. Ready to get a handle on data protection and cyber security?

Book a meeting with our team today about how our GDPRiS platform and associated services can help.
