
Cybersecurity – an ever-increasing risk

Cybersecurity and data security continue to pose a business-critical risk within the education sector. The threat from cyber crime has become more dangerous, with a startling increase in ransomware attacks, in part a direct result of hackers taking advantage of the developing “ransomware-as-a-service” industry. Hackers are also moving into the more ominous area of so-called “killware” to put pressure on organisations to pay up.

The ability of even low-skilled hackers to purchase and deploy sophisticated off-the-shelf attacks should be on every organisation’s radar. Every day, this issue becomes more rather than less important, and this is clearly an emerging area of risk.

Keep your Board informed

Organisations need to ensure that their Boards have a strong understanding of cybersecurity risks, noting that the risks are often transferred in part through the use of outsourced providers and cyber insurance. Board-level engagement is key and an awareness of cyber threats should be raised at Board level, with efforts made to report using a jargon-free approach. Assurance is also needed that organisations are well-protected by strong cyber defences and regular up-to-date training.

It is recognised that whilst third-party providers can provide an effective solution to deliver these services, there are inherent risks associated with the use of third parties. This year has seen a shift to hackers targeting third-party suppliers with less mature security systems, noting that responsibility remains with the organisation that owns the data. This risk extends to cloud service providers.

Cyber crime often involves attacks, such as phishing emails, that may lead to a hacker defrauding an organisation. Pure cybercrime, or cyber dependent crime, on the other hand, entails hacking to steal or ransom data, with technologies now enabling more sophisticated attacks to combine several elements in one infringement.

Has hybrid working increased the risk?

The pandemic may have weakened many organisations’ cyber defences. Hybrid working practices now enable staff to work from home and remotely, meaning the culture around data security may have also deteriorated, with online communication becoming the norm. The use of spoof emails continues to be a regular tactic employed by cyber criminals, and we will have all seen both convincing and blatantly fishy phishing emails. This risk needs to be continually managed through training and alerts so that people throughout the organisation become alert to the latest tricks that are being used.

The most effective IT policies and standards will not mitigate those instances where people fail to follow the required cyber defence practice, and it is vital to create and monitor a robust security culture within an organisation. Ensuring that these cyber security policies have been practically implemented and well communicated to staff, that software patches are applied in a timely way, and reviewing which staff have access to systems is critical.

What can education organisations do to protect themselves?

The completion of regular data breach simulations and tabletop exercises can make sure that systems designed to contain breaches work and are effective, and that everyone concerned knows their roles and responsibilities. That exercise can include ensuring there is redundancy in the system, so that if a key member of the response team is unavailable it does not stop the remediation process.

8 | SCRUTTON BLAND | EDUCATION

