"Data is not the new oil - it's the new plutonium. Amazingly powerful, dangerous when it spreads, difficult to clean up and with serious consequences when improperly used."
Jim Balsillie (2019)
The reality and significance of cyber-attacks was evident to all Australians in the second half of 2022. Following a series of well-publicised data security incidents, many of us found ourselves needing to change driver’s licences, apply for new passports, and update bank account details to avoid the potential misuse of stolen personal information. According to ACSC’s recent Annual Cyber Threat Report, the education sector reported the most ransomware incidents of all sectors in 2021-22. In December 2022, changes to Australia’s Privacy Act 1988 (Cth) significantly increased the penalties for serious or repeated privacy breaches. The amendment raised the maximum penalty from AU$2.2m to the greatest of three amounts:
- AU$50m, or
- Three times the value of the benefit obtained through the misuse of information, or
- 30% of adjusted turnover in the relevant period.
This means that, more than ever, schools need to take notice of their risk profile and define a comprehensive cyber strategy to protect their people, data, network, and business continuity, both to minimise the likelihood of being attacked and to avoid significant penalty costs. Increased expectations are being placed on schools by their boards, their parents, and even their insurers, who are demanding to know what risk measures are in place to minimise the impact should a data breach or cyber security incident take place.
DATA GOVERNANCE IN THE EDUCATION SECTOR
Our schools are at a point in time where educational data has never been so vulnerable. Put frankly, cyber-resiliency in our schools is relatively poor and relies on reacting to an incident rather than having proactive measures in place to identify and mitigate risk. Huge amounts of student data are being collected, stored, and shared within our ‘Educational Data Economy’. However, in Australia, unlike other global jurisdictions such as the EU’s GDPR and the USA’s FERPA and PPRA, there is no current federal or state privacy law governing the collection, use, retention, and protection of student data (Gillies, 2022). The protection of student data in our schools therefore rests on a variety of “informed” decisions made by teachers, and on what risk mitigation actions they consider when collecting and handling data. This raises concerns because research shows that many teachers have limited understanding or knowledge of the type, volume, and storage of information that is being collected about students, and about themselves (Gillies, 2022).
COMMON CAUSES OF CYBER-ATTACKS IN SCHOOLS
Many schools are learning how a ransomware attack can cripple a school’s network the hard way, starting mostly through an email phishing attack. In 2021, a large independent school in NSW had their entire IT network destroyed and systems encrypted by attackers, who then demanded over $1m in ransom. Like the 2022 Medibank cyber-attack, a prominent Victorian Catholic school had their IT network compromised last term, with attackers threatening to release more than 100 students’ confidential information including birth certificates, visa applications, parenting arrangements and financial details.
And these recent data breaches are only the ones we know about. Many go undetected or are simply not reported in the media. Commonly, cyber-attacks in our schools highlight the lack of effective privacy controls and/or risk management programs (where one exists at all). Ensuring the destruction of personal information once it is no longer required, deactivating ex-employee accounts, enabling multi-factor authentication, setting up intrusion detection alerts on your network, and having a tested disaster recovery/response plan in place are just some of the controls schools should have in place.
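The controls listed above can be checked mechanically against a school's account and data inventory. The following is an added example, not code from the article or its authors; the account names, data sets and retention periods are constructed for illustration.

```python
"""Audit a constructed account/data inventory against three of the controls
named in the article: deactivate ex-employee accounts, enable MFA, and destroy
personal information once its retention period has expired."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    user: str
    employed: bool  # still employed by the school?
    active: bool    # account still enabled in the directory?
    mfa: bool       # multi-factor authentication enforced?


@dataclass
class DataSet:
    name: str
    personal_info: bool   # contains personal information?
    collected: date
    retention_days: int   # retention period set by the school's policy
    still_required: bool  # is there a current business need for it?
    owner: str            # account responsible for the data set


def audit(accounts, datasets, today):
    """Return (control, subject, finding) tuples for every control violation."""
    findings = []
    by_user = {a.user: a for a in accounts}
    for a in accounts:
        if not a.employed and a.active:
            findings.append(("deactivate_ex_employee", a.user, "ex-employee account still active"))
        if a.active and not a.mfa:
            findings.append(("enable_mfa", a.user, "active account without MFA"))
    for d in datasets:
        expiry = d.collected + timedelta(days=d.retention_days)
        if d.personal_info and not d.still_required and today > expiry:
            findings.append(("destroy_expired_data", d.name, f"retention expired on {expiry.isoformat()}"))
        owner = by_user.get(d.owner)
        if owner is None or not owner.employed:
            findings.append(("review_data_access", d.name, f"owner {d.owner!r} is not a current employee"))
    return findings


# Constructed sample inventory (hypothetical names and dates).
TODAY = date(2023, 3, 1)
ACCOUNTS = [Account("j.teacher", True, True, True),
            Account("ex.registrar", False, True, False),   # left the school, never disabled
            Account("it.admin", True, True, False)]         # privileged, no MFA
DATASETS = [DataSet("2015_enrolment_forms", True, date(2015, 1, 20), 7 * 365, False, "ex.registrar"),
            DataSet("2023_timetable", False, date(2023, 1, 30), 365, True, "j.teacher"),
            DataSet("student_medical_2022", True, date(2022, 2, 1), 3650, True, "it.admin")]

if __name__ == "__main__":
    for control, subject, finding in audit(ACCOUNTS, DATASETS, TODAY):
        print(f"{control:24} {subject:24} {finding}")
```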
So, what is causing cyber-attacks in schools? This boils down to two common trends:
- Poor user practice - human error is one of the biggest security threats faced by schools. According to Verizon's 2022 Data Breach Report, 82% of data breaches occurred due to a human-caused error. This includes incidents where a staff member exposes information directly or by making a mistake that enables cyber criminals to access the school’s IT systems.
- Poor data visibility - the more IT systems and applications that are introduced into a school’s IT architecture, the more data is created and processed, both within the school’s network and with external vendors and third parties. Not knowing how data is being created, where it is being stored, who is accessing school data, and how long data is being retained increases the likelihood of data being compromised, mishandled, and threatened.
WHAT IS A CYBER RISK STRATEGY IN SCHOOLS?
A school's approach to risk management aligns its strategic goals and operations with its risk appetite, recognising that its people, processes, and technology can contribute both to the problem (in terms of risk) and to the solution (in terms of preventative measures and mitigation). Risk Management is the overall practice of assessing and addressing the risk to the school. A proper risk management model reflects a consistent, systemic and integrated approach that enables a school to best identify, manage and protect against risks and threats.
Risk Mitigation then limits the effect that risk can have on the school, based on plans in place for incidents and disasters, and on having a way to lessen negative impacts. A proper risk mitigation plan will measure the impact of each risk and prioritise planning around that impact.
[Figure: Risk Management Model. (C) RTG, 2023]
But before any effort can be put towards defining a school's risk management model, and subsequently its risk mitigation plan, the first step is to determine what the school’s risk profile is. Not sure how to assess your school’s cyber security risk? ACSC’s Cyber Security Assessment Tool may be a good option to start with.
SO, YOU KNOW YOUR SCHOOL'S RISK PROFILE. WHAT NOW?
Cyber-attacks and threats in our schools are real. They are growing in prevalence and impact, particularly as we continue to contribute to the ‘Educational Data Economy’ through the large volume of data collected and processed in our IT systems, applications, and programs. School leaders and councils/boards have a critical role to play and must recognise that cyber risk will never be eliminated but can be effectively managed. Cyber threats are a part of every school’s risk landscape.
It all starts with knowing. Know where your risks are. Know where your data is. Know who is accessing and sharing your data. Know how long you are keeping data. And know when it’s time to destroy data that is no longer required.
If a school doesn't know its risk and chooses to ignore it, everything it does in response to a security incident or data breach will carry a high chance of failure.
Want to talk further about identifying and understanding your school's risk? Let's connect to receive further advice on next steps, and where to start.
(p) 1300 362 456