Hannah H from National Cyber Security Centre (NCSC) tells us why it’s vital that everyone in the FE sector understands their own role in protecting their networks
The possible impact of a cyber incident
Like all organisations, colleges are increasingly reliant on IT and technology and, as a result, are falling victim to a range of malicious cyber activity. In recent weeks, for example, we’ve seen reports about a significant data breach at Swindon College and an attack by a so-called “ethical hacker” at South Staffordshire College.
Think about all the services used by your college that rely on your IT systems: not just teaching and learning resources, but administrative functions too, perhaps your phones, CCTV, safeguarding records and maybe even the way you pay for your lunch.
Losing access to this technology, having funds stolen or suffering a data breach through a cyber attack can be devastating, both financially and reputationally.
Cyber attacks faced by colleges
Many cyber incidents at colleges are caused by untargeted attacks that can potentially impact hundreds of thousands of victims. Those behind these sorts of attacks are often cyber criminals, who deploy a range of tactics to make money, often through quite sophisticated technical means.
Phishing emails are commonplace and getting more and more difficult to spot, and the deployment of ransomware – which encrypts data to make it inaccessible, with victims then invited to pay a ransom to decrypt their information – is a risk too.
Targeted attacks are more specifically directed at an organisation. We recently heard of a head of HR receiving an email seemingly from the college principal requesting their salary should be paid into a different account that month.
Colleges also need to be alert to the risk posed by insiders, such as a disgruntled staff member or student, past or present, who wants to discredit the college or cause disruption.
There are a range of measures colleges can take to make any attack less likely to succeed in the first place and, if they are affected, to reduce its impact. The NCSC website is a great place to start.
1. Help all users understand their own role
An NCSC product already being used in many colleges is the Top Tips for Staff e-learning package. This covers essential information on issues such as choosing strong passwords and spotting potential phishing attempts. This resource could become part of mandatory staff training and ingested into your own eLMS system. Best of all, it’s totally free!
Boards are pivotal in improving the cyber security of their organisations
2. Support technical teams
Many colleges have already been accredited through Cyber Essentials, a programme that ensures basic technical controls are in place. The Ten Steps To Cyber Security will also be of use to network managers and/or heads of IT. The NCSC website has detailed guidance on topics such as phishing and password policies.
3. Lead from the top
We know that cyber security can be a daunting subject, but boards are pivotal in improving the cyber security of their organisations. The NCSC’s Board Toolkit was created to encourage essential discussions about cyber security to take place between the board and their technical experts.
4. Check your cyber resilience
A particularly practical product is Exercise in a Box, which enables organisations to test their preparedness for a cyber incident with table-top exercises or simulations. Full guidance is given for each exercise – they don’t need to be led by an expert.
Get the right mindset!
It’s vital that we all know our role in keeping our networks and data safe. Colleges are an attractive target for cyber criminals and we want to ensure that, wherever the threat comes from, they are able to protect themselves in cyberspace.
We all have a part to play in keeping the UK the safest place to live and work online.
NCSC experts work closely with colleges and the wider academic sector to improve their security practices and help protect from cyber threats. For further information, please email email@example.com