One school IT manager we spoke to recently described their job as managing enterprise-grade IT on a small business budget. Nowhere is that more true than in the realm of cyber security. What can schools do that is low-cost or no-cost to improve their cyber security posture?
Thankfully, there are steps schools can take to improve cyber security without huge financial investment. This article explores achievable changes to processes and device configurations that support more robust data and system security.
Review network permissions and passwords
An excellent starting point is reviewing network and system access controls. The principle of least privilege is an essential element in the zero-trust model, which can protect against ransomware and cyber security threats. Audit which staff have permissions to access sensitive systems like student records. Remove access that isn't explicitly required. Additionally, ensure all staff use strong, unique passwords for network login and critical systems. When people have a suitably complex password for their work systems access, they can be tempted to use it for their online shopping profiles. Discourage this by including the rule in the school’s Acceptable Usage Policy. Upgrade any remaining single-factor authentication to multi-factor using cost-effective authentication apps on mobile devices.
Reduce data collection and availability
Schools collect large amounts of sensitive student data. Review what information is gathered and stored, and work to minimise non-essential data collection. Additionally, ensure the principle of least privilege by only allowing staff access to datasets required for their specific role. Finally, enable local or cloud-based backups with version histories in case records need to be recovered after an incident.
Keep software up to date
It's critical to maintain devices and software at the most recent versions. Establish policies and procedures to apply security patches and upgrades promptly once they are made available for operating systems, software, firewalls, web filters and antivirus tools. Review software versions across all devices and systems to identify any lagging behind that pose security risks if compromised. Identify any legacy devices and systems that the manufacturer no longer supports and cannot be patched. Knowing what vulnerabilities exist, and where they are, is crucial for establishing a risk register and creating a prioritised plan for improvement.
Review student and staff device policies
Establish secure device usage policies for school-owned and personally owned devices. Require strong passwords/PINs, encryption, and anti-malware software and publish reminders not to share access credentials. Set secure browser defaults with limited plug-ins enabled to reduce risks from web browsing on school networks. Finally, develop a bring your own device (BYOD) policy that governs access permissions and acceptable use standards for personally owned devices.
Provide ongoing cyber security training
A considerable risk schools face is accidental insider threats from staff and students resulting from limited security knowledge. Regular cyber security awareness training can significantly improve culture and understanding of risks. Set expectations around data handling, safe browsing, phishing identification, password policies and reporting of issues. Training options range from in-person sessions to free online modules from organisations like the National Cyber Security Centre.
Exploit community resources
Connect with industry groups, cyber security volunteers, university contacts and government agencies to learn about programs available to schools at low or no cost. Resources may help deliver training, provide technology, perform audits, handle reporting requirements, or offer guidance in developing effective policies and plans. Building relationships here can provide immense value. A valuable resource for children between the ages of 7 and 11 is Trend Micro's Internet Safety for Kids and Families (ISKF) programme, designed to help schools teach children cyber hygiene.
UK schools can achieve substantially improved cyber security postures despite budget limitations by focusing efforts on improving processes, policies and configurations as outlined above.
The building blocks of affordable and worthwhile security gains for schools are:
- managing access and data availability
- keeping systems updated
- securing devices
- providing regular training
- accessing community support
While not exhaustive, these focus areas provide immense value and are achievable for schools to tackle.