Fortifying Defences Against Cyber Onslaughts

<p><em>Paul Crighton is the Managing Director ANZ&comma; Barracuda Networks&period; In this opinion piece&comma; he shares his insights on how schools can protect systems for cyber attacks&period;&period;<&sol;em><&sol;p>&NewLine;<p>When the COVID-19 pandemic struck in early 2020&comma; schools&comma; like workplaces&comma; were forced to immediately move to a remote working model&comma; enabling a new norm that required students to learn from home using computers and communications technologies&period;<&sol;p>&NewLine;<p><a href&equals;"https&colon;&sol;&sol;school-news&period;com&period;au&sol;latest-print-issue&sol;" target&equals;"&lowbar;blank" rel&equals;"noopener"><strong>Read the Term 2 edition of <em>School News<&sol;em> HERE<&sol;strong><&sol;a><&sol;p>&NewLine;<p>Just like workplaces&comma; this shift exposed schools&comma; staff&comma; and students to increased risks of cyber-attacks&period; And while schools might seem less attractive a target than commercial organisations&comma; that didn&&num;8217&semi;t stop threat actors from going after them&period;<&sol;p>&NewLine;<p>While the strict social distancing measures implemented at the height of the pandemic have now eased&comma; COVID-19 continues to disrupt classroom schooling&period; As recently as May 2023&comma; the <em>Sydney Morning Herald<&sol;em> <a href&equals;"https&colon;&sol;&sol;www&period;smh&period;com&period;au&sol;national&sol;nsw&sol;hundreds-of-students-return-to-remote-learning-and-masks-amid-covid-outbreaks-20230518-p5d9fs&period;html">reported<&sol;a> that hundreds of students at Liverpool Girls High School had returned to remote learning due to a new wave of COVID-19 outbreaks&period;<&sol;p>&NewLine;<figure id&equals;"attachment&lowbar;24757" aria-describedby&equals;"caption-attachment-24757" style&equals;"width&colon; 292px" class&equals;"wp-caption aligncenter"><img class&equals;"size-medium wp-image-24757" src&equals;"http&colon;&sol;&sol;school-news&period;com&period;au&sol;wp-content&sol;uploads&sol;2023&sol;08&sol;Paul-Crighton-Managing-Director-Barracuda-Networks-ANZ-292x300&period;jpeg" alt&equals;"Paul Crighton" width&equals;"292" height&equals;"300" &sol;><figcaption id&equals;"caption-attachment-24757" class&equals;"wp-caption-text">Paul Crighton &vert; Image supplied<&sol;figcaption><&sol;figure>&NewLine;<p><strong>Australian education institutions increasingly targeted<&sol;strong><&sol;p>&NewLine;<p>The Australian Cyber Security Centre &lpar;ACSC&rpar;&comma; in its most recent <a href&equals;"https&colon;&sol;&sol;www&period;cyber&period;gov&period;au&sol;sites&sol;default&sol;files&sol;2023-03&sol;ACSC-Annual-Cyber-Threat-Report-2022&lowbar;0&period;pdf">Annual Cyber Threat Report<&sol;a>&comma; said the education and training sector had reported the most ransomware incidents in 2021–22&comma; rising from the fourth highest in 2020–21&period; It says the education sector is particularly vulnerable because its business model favours open&comma; collaborative environments&period; <&sol;p>&NewLine;<p>In February 2023&comma; one of Queensland&&num;8217&semi;s largest tertiary institutions <a href&equals;"https&colon;&sol;&sol;www&period;abc&period;net&period;au&sol;news&sol;2023-02-03&sol;qut-cyber-attack-university-staff-students-affected&sol;101929302">reported<&sol;a> admitting that 11&comma;405 people—2492 staff and 8846 former staff—had been impacted by the Royal Ransomware cyber-attack&period; <&sol;p>&NewLine;<p>In November 2021&comma; the NSW Department of Education also became the victim of a cyber-attack&period; Teachers were unable to access coronavirus guidelines&comma; emails&comma; calendars and Zoom&period; And in January 2023&comma; <em>The Age<&sol;em> <a href&equals;"https&colon;&sol;&sol;www&period;theage&period;com&period;au&sol;national&sol;victoria&sol;hundreds-of-parents-hit-by-credit-card-hack-at-lilydale-school-20230131-p5cgty&period;html">reported<&sol;a> that hackers had accessed the credit card details of about 400 parents whose children attended Mount Lilydale Mercy College in Melbourne&period;<&sol;p>&NewLine;<p>Unfortunately&comma; schools are increasingly becoming vulnerable to cyber-attacks&period; Such attacks&comma; if successful&comma; could expose the personal data of staff and students&comma; highlighting the need for educational institutions to be better equipped with proper cybersecurity measures&period;<&sol;p>&NewLine;<p><strong>Meeting cybersecurity challenge in educational institutions<&sol;strong><&sol;p>&NewLine;<p>Fortunately&comma; there are many ways schools can protect their systems&comma; staff&comma; students&comma; and parents from the impacts of a cyber-attack&period; <&sol;p>&NewLine;<p>First&comma; they need to understand their technology landscape&comma; including the network&comma; the devices connected to it&comma; who has access&comma; which applications are running&comma; what data is held and where&period; Schools need to identify the potential points of weakness and how to address them continuously&comma; including through software updates&comma; access restrictions&comma; offline back-ups&comma; and incident response plans&period; <&sol;p>&NewLine;<p>New vulnerabilities are being discovered all the time and swiftly exploited by cybercriminals&period; Software vendors release software updates to patch newly reported bugs&comma; so securing vulnerable systems as soon as possible is essential&period;<&sol;p>&NewLine;<figure id&equals;"attachment&lowbar;24758" aria-describedby&equals;"caption-attachment-24758" style&equals;"width&colon; 1024px" class&equals;"wp-caption alignnone"><img class&equals;"wp-image-24758 size-large" src&equals;"http&colon;&sol;&sol;school-news&period;com&period;au&sol;wp-content&sol;uploads&sol;2023&sol;08&sol;AdobeStock&lowbar;319496767-1024x576&period;jpeg" alt&equals;"Cyber security" width&equals;"1024" height&equals;"576" &sol;><figcaption id&equals;"caption-attachment-24758" class&equals;"wp-caption-text">© Fractal Pictures&comma; Adobe Stock<&sol;figcaption><&sol;figure>&NewLine;<p>Second&comma; schools need to implement a robust security solution that protects devices&comma; networks&comma; applications and data&comma; as this will do the heavy lifting when it comes to threat detection&comma; prevention&comma; and response&period; This means that even if hackers successfully breach defences&comma; they can still be stopped before doing significant damage&period; <&sol;p>&NewLine;<p>Third&comma; access to email accounts and online resources must be protected by multi-factor authentication rather than simply a username and password&period; Additional factors could be verification codes sent to a mobile phone or email or an email with a link that must be clicked on to complete the access process&period; There should be restrictions on who can access the most sensitive data&comma; such as student or financial records and core IT systems&period;<&sol;p>&NewLine;<p>The great majority of successful cyber-attacks are initiated by emails&period; Many try to lure the recipient into sharing data—a technique known as phishing&period; A more sophisticated type of phishing email&comma; known as spear-phishing&comma; presents a greater threat as the attackers use knowledge of their targets to hyper-personalise the phishing email&comma; making it look like the email was sent by someone the target personally knows&period; An AI-based email security solution will help to detect and block these types of emails before they even reach the intended recipient&period;<&sol;p>&NewLine;<blockquote>&NewLine;<p>Humans are also an essential line of defence&period; Education institutions must teach students&comma; teachers&comma; and administrative staff how to spot and report suspicious emails&period; <&sol;p>&NewLine;<&sol;blockquote>&NewLine;<p>Finally&comma; data backup is vital—but it must go beyond simply having a real-time copy of all data&period; A criminal can corrupt live&comma; and backup data before their attack is discovered&period; Hence&comma; the 3-2-1 rule must be followed&comma; which entails making copies of all data that must be protected&comma; storing these copies on two different types of storage media&comma; and keeping one copy off-site&period;<&sol;p>&NewLine;<p><strong>Protection is possible<&sol;strong><&sol;p>&NewLine;<p>In summary&comma; there are many ways educational institutions can protect themselves against cyber-attacks&period; At the heart of this is a comprehensive and streamlined approach that includes technology&comma; policies&comma; and procedures&period; <&sol;p>&NewLine;<p>Technology can help education providers create adequate barriers&comma; detect any breach of those barriers&comma; and create backup copies of sensitive data&period; Clear policies and procedures can ensure those technologies are used to full advantage&comma; lift cybersecurity awareness and minimise the chance of human error&period;<&sol;p>&NewLine;