By Stephen Robinson, VP EMEA North at Arcserve
Let’s take it back to September 2020, when an independent schools’ group in Wales was attacked by a cyber gang intent on deleting files belonging to staff and pupils and encrypting the Veeam onsite backups held on disk and tape. The attackers used Sodinokibi ransomware to penetrate the IT systems of Haberdashers’ Monmouth Schools and demanded £500,000, rising to £1m after six days, to decrypt the data safely. The malware variant entered the schools through a domain admin account and worked its way through the main infrastructure to knock out file servers, Exchange and SQL servers.
This narrative has appeared far too often in our news cycle, here in the UK and around the world, since then. More recently, 15 secondary schools in Nottinghamshire had to shut down their IT networks after the Nova Education Trust, which manages their core IT systems, was hit by a cyberattack. The attack method and those behind it have yet to be identified, but the incident shares similarities with the spate of ransomware attacks in 2020 on Northumbria and Newcastle Universities. It is evident that in the last year there has been an increase in the number of ransomware attacks on education establishments in the UK, including schools, colleges and universities.
The question now is not what could have been done, but rather what can be done to prevent these sorts of cyberattacks from happening at all. Here I will outline my top three picks and cyber-proofing considerations for the education system.
Create a cyber-aware culture
It is true for businesses, and now also for schools and third-party affiliates within the education sector: to stand a chance of repelling incoming cyberattacks you must create and maintain an effective cyber-aware culture. This is not a one-off training session pushed out to all employees, but a culture sustained by a continuous flow of education about the latest cyber threats and by actively promoting cyber-healthy habits and hygiene. Whether the threat is malware, phishing emails or DDoS attacks, those in charge of educational institutions, much like C-suite leaders in other organisations, must invest time and money in teaching the basics of cyber hygiene. This includes how to spot and recognise fraudulent emails that contain suspicious links, updating passwords for key accounts such as email and social media sites on a regular basis, and providing clear and simple IT guidelines and frameworks that raise overall cyber literacy within the organisation. By going the extra mile and hiring technical specialists, they can also run practical and interactive training sessions that simulate particular attacks, boosting a school’s level of experience and cyber maturity. The bottom line is that schools need to think of themselves as any other organisation would and ensure they are just as prepared, or more so, than others.
Be swift in responding and learn from the attack
I often compare this to a patient who is just being wheeled into an A&E room. The quicker you move, the more likely you are to save a life, and the comparison fits this situation perfectly. Once an attack happens you need to start thinking about how to preserve the remaining data that has not been compromised, and how to disable remote access and the internet connection, update firewall settings and change all passwords across the entire network. You then need to assess the damage, identify the costs and aim to recover lost data (whether that is by purchasing it back or by dealing with the relevant authorities). It does not end there either. You have to study, observe and learn from the attack, analysing how it infiltrated your system and highlighting your weak points. Last but not least, think proactively about how to shore up your network defences, and deploy trusted backup options, off-site servers and cloud services to ensure business continuity if an attack occurs again. An attack will certainly happen; no person and no organisation is immune. You must be swift in responding and learn from it so that you can prevent future attacks.
Enable a multi-layered level of protection
The second step, and often the most important, is ensuring business continuity following a cyberattack. The National Cyber Security Centre’s (NCSC’s) advice includes a comprehensive checklist, part of what GCHQ calls a defence-in-depth strategy, ranging from cyber hygiene to anti-virus software updates to having up-to-date, tested offline backups. We look at it as a multi-layered approach, using many different techniques that can be deployed against the potential threat of malicious code. These range from basic controls, such as conducting an inventory of all data held, encrypting sensitive information such as employee data and financial records, and creating regular backups stored safely outside the network, all the way to training staff in the latest cyberattack methods and ‘tricks of the trade’, updating anti-virus software, and backing up data to the cloud and offsite via tape.
Backing up data – the golden key
There is a golden key here, and it is ensuring that you have an appropriate backup system that can actually restore your data. Take for example the recent ransomware attack on video game developer CD Projekt Red (CDPR), maker of the headline-grabbing Cyberpunk 2077. Soon after the attack occurred, the company secured its IT infrastructure and restored data from existing backups. The company has been transparent about the attack, stating that it is not negotiating with the cyber-criminals and is instead relying on well-managed backup systems.
That strategy, in terms of recovering without delay, involves having an off-site cloud or on-premises copy of data that allows systems to be restored in full, instantaneously. Another affordable strategy is making use of immutable storage technology, such as magnetic tape or dedicated on-premises or cloud-based immutable object storage. Once data is written it cannot be changed or deleted, which removes the potential for a criminal attack on the backups themselves to succeed. It also uses less space than other forms of storage and makes it practically impossible for equipment or human error to affect saved data. Put simply, backing up data is the best way to ensure that even if data is lost in an attack, there are external copies that can be accessed and used later.
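The retention-lock behaviour described above, as an added illustration that is not part of the original article or of any vendor product: a small Python model of a write-once backup vault in which overwrites and deletes are refused while a retention period is running, and every restore is checked against the digest recorded at backup time. The vault class, the simulated clock and the sample backup data are all constructed for this example.

```python
import hashlib


class ImmutableVault:
    """Write-once backup store modelled on object-lock style retention (constructed example):
    while an object's retention period is running, overwrite and delete are refused."""

    def __init__(self):
        self.clock = 0                      # simulated time in days, advanced by the caller
        self._objects = {}                  # name -> (data, sha256 hex digest, retain_until_day)

    def put(self, name: str, data: bytes, retention_days: int) -> str:
        existing = self._objects.get(name)
        if existing and existing[2] > self.clock:
            raise PermissionError(f"{name}: retention lock active, overwrite refused")
        digest = hashlib.sha256(data).hexdigest()
        self._objects[name] = (bytes(data), digest, self.clock + retention_days)
        return digest                       # the backup catalogue records this for restore checks

    def delete(self, name: str) -> None:
        if self._objects[name][2] > self.clock:
            raise PermissionError(f"{name}: retention lock active, delete refused")
        del self._objects[name]

    def exists(self, name: str) -> bool:
        return name in self._objects

    def restore(self, name: str, expected_digest: str) -> bytes:
        data = self._objects[name][0]
        if hashlib.sha256(data).hexdigest() != expected_digest:
            raise ValueError(f"{name}: stored copy does not match catalogue digest")
        return data


def ransomware_scenario() -> dict:
    """Constructed scenario: a backup is written, then an intruder holding the backup
    server's credentials tries to encrypt (overwrite) and purge it before the restore."""
    vault = ImmutableVault()
    backup = b"pupil records 2020-09 (constructed sample data)"
    digest = vault.put("file-server-full.bak", backup, retention_days=30)
    outcome = {}
    try:                                    # overwrite attempt with ciphertext is refused
        vault.put("file-server-full.bak", b"\x00garbage ciphertext", retention_days=1)
        outcome["overwrite_blocked"] = False
    except PermissionError:
        outcome["overwrite_blocked"] = True
    try:                                    # delete attempt during retention is refused
        vault.delete("file-server-full.bak")
        outcome["delete_blocked"] = False
    except PermissionError:
        outcome["delete_blocked"] = True
    outcome["restored_intact"] = vault.restore("file-server-full.bak", digest) == backup
    vault.clock = 31                        # once retention expires, lifecycle cleanup is allowed
    vault.delete("file-server-full.bak")
    outcome["expired_delete_allowed"] = not vault.exists("file-server-full.bak")
    return outcome
```

The scenario shows why the retention period, not just the off-site location, is what protects a backup from an attacker who has already reached the backup server.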
Ultimately, education affiliates and organisations should be looking for all-in-one disaster recovery (DR) and endpoint protection, so that they receive consistent updates and fixes that keep pace with the latest threats. By adopting some of these ideas we may just be able to halt the upward trajectory of cyberattacks on the UK’s education system.