After another busy academic year, schools across the country are heading into the summer holidays – and academic staff may even find time for some well-deserved rest and recuperation. However, as many bursars and IT heads can attest, cyber criminals will not be taking a summer break. Many will unfortunately ramp up their efforts to exploit a school’s increased vulnerability over the holiday period with the aim of disrupting the software and critical networks that are essential to a school’s operating infrastructure.
Why are school holidays targeted?
The issue is of course not limited to the long school summer break: any school holiday, exeat or long weekend increases the likelihood of attack. The National Cyber Security Centre has previously highlighted an increase in cyber attacks on the UK education sector during August and September 2020, and again in February 2021 (the spring half term).
The threat to the UK education sector reflects a wider global pattern. In the US, the FBI and CISA (the Cybersecurity and Infrastructure Security Agency) were moved to put out a joint statement ahead of Labor Day last September, warning all organisations of the risk of ransomware attacks. They were not acting on specific threat intelligence: rather, on the statistical pattern showing non-working days to be prime hacking windows. Many of our clients can attest to weekends and holidays lost to battling denial-of-service attacks; and, for cyber criminals, the longer the break the better.
Most schools will be operating at a significantly reduced headcount over the summer holiday, with key personnel harder to reach. This is a common scenario which opportunistic hackers will seek to exploit in the hope of encountering minimal resistance.
Aside from the business disruption, slow response times over extended holidays are a threat to a school’s legal compliance. First, a sluggish reaction could lose vital hours in the battle to contain and mitigate the issue, risking greater systems penetration and exfiltration of data. Then, if a school’s senior management team are not available to give swift and decisive instructions, there is the added headache of missing the statutory deadline to notify the breach to the regulator. It can be a struggle against the clock as it is to make a meaningful and satisfactory report to the UK ICO within 72 hours of detecting the breach (as will usually be required by UK GDPR in cases like this). That is before you consider whether you have to notify affected individuals.
Given this perfect storm of increased risk and weakened responses, schools will need a plan to pre-empt such attacks – and mitigate the regulatory and reputational consequences.
Hostile data breaches: a quick reminder
Given how frequently the topic is covered in bulletins and news reports, many of us are at risk of fatigue in being warned about cyber security doom scenarios. But the reality is that they are commonplace, and – while not always avoidable – they tend to follow familiar patterns.
Organisations vary in their sophistication, and to some extent their reliance on IT systems, but none are completely safe from cyber attacks: some of which are carefully targeted, others scattergun and stumble across vulnerable systems more or less at random. Schools are as much at risk as any business or charity: indeed, certain attacks are targeted at independent schools. One notoriously resilient scam involves a phishing attack to gain access to staff email accounts, which are then used to provide false bank account details to parents promising discounts on bulk advance payment of school fees.
Another concern is the upward trend in ransomware attacks (often accompanied by a “DDoS”, or distributed denial of service, attack). Ransomware is a type of malware which locks users out of their device, system or account by encrypting their files, which cyber criminals will then demand a ransom to decrypt. These types of attack have previously led to the loss of coursework and school financial records, as well as pupil health related data, such as COVID-19 testing information. As well as targeting schools directly, ransomware hackers may also go after third party suppliers (payroll, fundraising consultants, software providers, payment apps etc) – which can make it even harder for schools to take control of the situation.
Recent reports suggest that ransomware breaches have increased by 13 per cent this last year, which represents an increase greater than the past five years combined.
Although the above should rightfully raise alarms, precautionary measures can be taken before the summer holiday to help schools manage the risks associated with a hostile data attack and ensure compliance with data protection law.
Give your current cyber security measures a health-check.
Although the UK GDPR does not explicitly prescribe the data security measures organisations must have in place, it confirms that data controllers (and processors, such as your IT providers) must have “appropriate” security in place to prevent the personal data they hold from being accidentally or deliberately compromised. This includes implementing appropriate technical and organisational measures to minimise the risk of unauthorised loss or access. This is not simply a question of the latest or most expensive software: it can be as basic as who has access to what, internally, at your organisation. Segmented data storage and need-to-know access protocols make it less likely that a single entry-point will lead to total systems penetration. It can also include maintaining up-to-date offline back-ups to enable effective recovery.
Such measures can depend in part on the costs of implementation, the nature, scope, context and volume of the personal data held and the risks a data breach presents to an organisation. However, given the increased accessibility of many standard forms of data security (at a relatively low cost), such as password protection, multi-factor authentication, and data encryption, schools should do more than the bare minimum to ensure compliance, even if they are constrained by a relatively limited budget. Your investment in security and staff training will not make you immune to attack, but it should hamper and slow down hackers and – when the dust has settled – give you a softer landing with the regulator.
Check your legacy systems.
Many studies suggest older, unsupported legacy systems are the number one cause – other than human error – of data breach vulnerability. Such vulnerabilities might arise where your school is migrating data from one place to another, or has failed to completely phase out old applications when updating its systems.
Adding to the issue is the fact that unsupported, “phased out” applications are less likely to be maintained or monitored (and may be harder for your current IT support to detect or fix). It may be that the threat is already sitting there on your older systems, dormant, waiting for the right opportunity. Big name breaches like Equifax in the US and TalkTalk here in the UK are some of the most salutary examples, but of course smaller and less well-resourced organisations are vulnerable to these errors too. And if you’re not sure where to start with this question, ask your IT people who might!
Understand your suppliers – and your contracts with them.
Very often, it will not be “your” school that will be the dedicated target of the attack. It will be the household-name supplier or platform you use. Shopify, WisePay and Blackbaud are all recent examples of commonly-used platforms in the retail, education and charities sectors respectively.
Organisations will need to check their third-party supplier (“data processor”) contracts to understand each party’s data breach obligations. This includes important commercial questions of liability caps and levels of cyber insurance cover; but there are also points of practical effect. By way of example, some third-party processors will attempt to limit their notification obligations so that they are only required to notify customers of a data breach within a “reasonable time” (the UK GDPR states without undue delay). Even where a contract commits the processor to a particular timeframe, that timeframe is often purposefully vague and inadequately defined.
Some may argue a reasonable time would be measured in hours, whilst others may argue weeks (or even months, as occurred with Blackbaud). It is important to understand these notification requirements and avoid open-ended reporting obligations if possible. If you, as a controller (end client), are not in fact notified by your contractor within 72 hours, that will not strictly place you in breach of UK GDPR – but it can cause substantial reputational damage, especially with the affected staff, students and parents you need to notify further down the line.
Get cyber insurance cover in place.
This can cover your own digital assets and data, or those of third parties, such as staff and students; it can cover losses and possible litigation arising from breaches (eg individual data subject claims); and it can make provision for expert or forensic IT support, in the event of the worst happening. You will need to determine what cover is most suitable for your needs, but there is a wide range of policies now on the market. Remember also to include notifying your insurers within the breach response plan, and at the right stage, so the action you take does not risk invalidating your cover.
Have a plan.
Schools should adopt a response plan which expressly addresses what should happen in the event of a data breach over a holiday period. For example, suitably senior members of staff should remain on standby to respond to any data breach over a reduced head-count period. This should include an individual with an appropriate level of IT expertise and a senior member of staff with formal decision-making authority. Having these individuals on standby will allow schools to address data breaches swiftly and restore network functionality as soon as possible. It will also put a school in good standing to comply with the mandatory reporting requirements outlined in the UK GDPR.
The ICO has published useful guidance which can help a school plan, prepare and respond to a personal data breach.
Although the summer break is there to be enjoyed, you may be better set to sit back and relax knowing that diligent enquiries have been made to put in place a response plan for data breaches.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2022