Clear Warning to Schools, from National Cyber Security Coordinator
Appointed in July, Air Marshal Darren Goldie has a clear remit: to make Australia the safest country in the world by 2030.
Speaking at a recent NAB event, the Air Marshal stated:
“If you’re going to write a strategy about anything, cyber security is as hard as it gets, because understanding what’s next and what’s in the medium and long term is extremely hard, and you end up with debates at the policy table about what 2030 looks like.”
While this is a national challenge, his statement will resonate with schools wondering where to start with a cyber security strategy.
He goes on to highlight the risks and vulnerabilities to schools:
“Amidst growing ransomware attacks, schools are becoming more prominent targets.”
“They are small enough not to have full-time cyber security teams and generally don’t have the resources for a 24/7 threat response partner. Unfortunately, these are the targets that cybercriminals can attack easily and demand a ransom.”
Steps in your cyber security strategy
Understanding the threat
Facing the threat can seem overwhelming, but understanding how criminals infiltrate school systems can make the cyber security challenge seem more achievable.
The Australian Cyber Security Centre’s (ACSC) 2022 Threat Report highlights that most compromises use simple tools and techniques. These include spear phishing, targeting third-party service providers and exploiting software and system vulnerabilities.
Spear phishing is a type of social engineering attack that targets specific people in the school. Anyone in the school with high levels of access to systems, including financial systems, is at risk of spear phishing. This includes the senior management and business administration teams.
Targeting third-party suppliers
Cybercriminals looking for maximum impact can target your third-party suppliers. This can be anyone you buy products and services from, including software suppliers. By infiltrating a cloud-based software supplier, a cybercriminal can simultaneously release malware or a phishing attack to multiple customers.
Exploiting software and system vulnerabilities
Unpatched software, software that has reached the end of its support life, and poorly configured software and systems are what our Secure Schools cyber security assessors find in most of the schools they audit. Each of these leaves holes in software and systems that cybercriminals can easily exploit.
Understanding what’s next for your school
Prioritising the most common threats is a good starting point for your cyber security plan.
Reducing the risk
- Train staff to spot a phishing attack and consider extra training for the most vulnerable staff groups.
- Introduce a no-blame reporting system for staff to flag phishing attacks.
- Check your third-party suppliers’ cyber security and data protection credentials and procedures. Query anything you’re unhappy with and move suppliers if they don’t offer reassurances.
- Ensure all software is kept up-to-date and implement updates within 14 days of release. Where a working exploit already exists, the ACSC's Essential Eight expects the patch to be applied within 48 hours.
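A small check that turns the patch window above into something a school's IT contact can run over an inventory. This is an added example, not Secure Schools' code or tooling; the inventory entries, names and versions are constructed for illustration, the 14-day window is the post's own recommendation, and the 48-hour window for software with a public exploit is an assumption taken from the ACSC Essential Eight rather than from this post.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The 14-day window is the post's own recommendation. The 48-hour window for
# vulnerabilities with a public exploit is an added assumption taken from the
# ACSC Essential Eight "patch applications" control, not from this post.
STANDARD_WINDOW = timedelta(days=14)
EXPLOITED_WINDOW = timedelta(days=2)


@dataclass
class Software:
    name: str
    installed_version: str
    latest_version: str
    latest_released: date        # vendor release date of latest_version
    exploit_known: bool = False  # set when a working exploit is public


def allowed_window(item: Software) -> timedelta:
    """Patch window that applies to this entry."""
    return EXPLOITED_WINDOW if item.exploit_known else STANDARD_WINDOW


def patch_status(item: Software, today: date) -> str:
    """Classify one inventory entry as current, within_window or overdue."""
    if item.installed_version == item.latest_version:
        return "current"
    outstanding = today - item.latest_released
    return "within_window" if outstanding <= allowed_window(item) else "overdue"


def days_overdue(item: Software, today: date) -> int:
    """Whole days beyond the allowed window; 0 when the entry is not overdue."""
    if patch_status(item, today) != "overdue":
        return 0
    return (today - item.latest_released - allowed_window(item)).days


def overdue_report(inventory, today):
    """Overdue entries, most overdue first, as (name, days_overdue, exploit_known)."""
    rows = [(i.name, days_overdue(i, today), i.exploit_known)
            for i in inventory if patch_status(i, today) == "overdue"]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory; product names and versions are illustrative only.
TODAY = date(2023, 11, 20)
INVENTORY = [
    Software("Office suite", "16.0", "16.0", date(2023, 11, 1)),
    Software("PDF reader", "23.1", "23.2", TODAY - timedelta(days=5)),
    Software("Web browser", "118", "119", TODAY - timedelta(days=20)),
    Software("VPN appliance firmware", "7.0.1", "7.0.2",
             TODAY - timedelta(days=4), exploit_known=True),
]

if __name__ == "__main__":
    for name, days, exploited in overdue_report(INVENTORY, TODAY):
        flag = " (exploit public)" if exploited else ""
        print(f"{name}: {days} day(s) past the patch window{flag}")
```

Run against the constructed inventory, the browser is six days past the 14-day window and the VPN firmware, although only four days old, is two days past its shorter 48-hour window because an exploit is public. The ordering puts the most overdue item first so the list doubles as a prioritised to-do list.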
What’s in the medium term?
Introduce a phishing simulation training programme
Check that staff have understood the training with a phishing simulation programme: realistic fake emails sent to colleagues in an organised, planned way to see whether they recognise and report them. As with the reporting system, we recommend this is introduced in a supportive and no-blame way. Use the reports from the phishing simulations to highlight where staff need additional training.
Introduce cyber security policies and procedures
A set of cyber security policies sets out the responsibilities of the school and steers behaviour by outlining staff and governor responsibilities. Asking staff to agree to policies helps them to realise the priority placed on cyber security and their role within it.
Commission an independent audit of your cyber security
A useful way to check your progress is to commission an independent review. An audit will include checks on your processes, checks that software is configured properly and up-to-date, and staff interviews. The interviews help the auditors ascertain the school's cyber security culture.
The audit will produce a report setting out the school’s cyber security stance and any vulnerabilities found. From this, an action plan sets out recommendations prioritised by risk level.
What’s in the long term?
Continue to keep cyber security high-profile
Keeping cyber security high profile helps everyone remember their role in keeping the school safe. Do this by including cyber security on meeting agendas, during staff briefings, and annually updating policies and retraining staff through refresher training.
Commission a penetration test
Ethical hackers perform a penetration test using the same techniques a criminal hacker would use to try and hack into the school’s systems. Similar to an audit, their report highlights the school’s vulnerabilities and ways to mitigate them.
How Secure Schools can help
We offer various products and services to support your cyber security.
Our software platform includes staff cyber awareness training, a phishing simulator and a cyber security policy builder.
Cyber security services
We also offer cyber security audits, either self-assessed or delivered by our cyber security assessors, and penetration testing.