How to plan for a data breach in your school network

At a recent webinar aimed at schools and the education sector I talked about how a data breach, where a security incident leads to interference with personal data, is a very different type of crisis from the others a school is likely to face. A data breach has its own set of common characteristics. I have outlined these below, along with the most common causes of a breach and the differences between external and internal threats, and highlighted what your school should be doing now to prepare for the inevitability of an incident in the future.

What does a data breach look like?

If your school has had a cyber incident, you shouldn’t automatically assume that you’ve had a data breach. And if you’ve had a breach, it may or may not be reportable. For a breach to be reportable to the supervisory authority the risk to individuals needs to be likely (e.g. theft of payroll data which could lead to financial loss). Before we go into more detail about the key traits of a data breach, here is a quick overview:

  • A data breach is fast evolving and requires an equally rapid response to avoid further loss.
  • There are many stakeholders involved, which makes communication a key part of any data breach readiness plan.
  • The privacy, identity or financial interest of your school’s staff, parents and students may be compromised in a data breach. It is your school’s responsibility to protect its stakeholders.
  • When it comes to reporting a breach (depending on your region), you have 72 hours to inform the regulator. Timing is everything.
  • Without a plan in place you’re putting your school’s community and reputation at risk.

What are the five common characteristics of a data breach in school?

  1. Fast evolving, misunderstood, and there is no quick fix.
    Cyber incidents and data breaches evolve incredibly quickly and are often misunderstood. People often assume that they can call a member of the IT department, who will tell them exactly what has happened and how it has been fixed, but in general there is no quick fix. It can be challenging and complicated to find out exactly what has gone wrong and whether a hacker is still in the network. Identifying your school’s assets is key to protecting and/or recovering them in the first place.
  2. A complex stakeholder environment and high expectations.
    If you’ve already mapped out the different stakeholders that would be involved in your school’s response to a data breach, you’ll see that there are many different moving parts. At the same time as managing these moving parts, your staff, parents and board members/governors will have very high expectations about how quickly you ‘fix’ the problem and identify how the breach has impacted individuals. Managing expectations and communication in this intense environment is near impossible without a tried and tested plan in place.
  3. Confusion and an interesting victim vs villain environment!
    The facts are often unknown, making the scene of the incident a confusing environment. An interesting victim vs villain dynamic often arises: if you’ve been the victim of a hack, you naturally feel like the victim and the villains are the hackers who broke into your network. However, if you’re a data subject, for example a parent whose financial information has been compromised, then as a parent you think the school is the villain. So you think your school is the victim but your data subjects (parents, staff, alumni etc.) think you’re the villain! Schools should prepare for landing in this victim vs villain environment and consider the impact of this complex dynamic. If it’s not managed properly, it will have a negative impact on your school’s reputation.
  4. Time frames are uncompromising.
    In the event of a data breach there are some uncompromising time frames, especially if you need to report to the regulator within 72 hours (as the General Data Protection Regulation (GDPR) requires). You must also communicate with your impacted data subjects without undue delay. (What that means is a matter for debate, and there’s enough grey area there to keep lawyers busy for quite some time!)
  5. Attracts media, regulator and public interest.
    Data breaches attract a high degree of media, regulator and public interest, especially when a breach relates to vulnerable individuals and the protection of their privacy and identity. It’s unfortunate but true that your school will never be remembered for handling a data breach well, but you will be remembered for handling one badly!

Data Breach Patterns in the Education Sector

A quarter of schools have suffered a data breach; 61% of those were phishing - 9ine Global Research: Data Protection 2019.

When it comes to cyber security, the education sector continues to be plagued by errors, social engineering and inadequately secured email credentials. With regard to incidents, ‘denial of service’ attacks account for over half of all incidents in the education sector. One quarter of schools have suffered a data breach; 61% of those were phishing attacks targeting school fees and payments.

With regard to data breaches specifically, the top incident patterns we see are:

  • Miscellaneous Errors
  • Web Application Attacks
  • Social Engineering
  • Phishing

Who is causing a threat to your school?

It’s a common misconception that only people outside your organisation pose a threat to your school network security. When we look at the facts about who these threat actors actually are, external sources represent 55% of the threat, whereas internal sources represent 43%. The final 2% is made up of a mixture of external and internal threats. Needless to say, some of the internal issues are not necessarily malicious and could be down to typical human error; the issue often lies somewhere between the seat and the screen! Schools need to think carefully about the internal processes they have in place, how they defend against malicious activity, and how they limit the capacity for human error.

Why are schools targeted by cyber attacks?

The majority of cyber crime incidents that take place in the education sector are motivated by financial gain. The majority of data breaches centre around the compromise of personal and financial information. Here’s a breakdown of the threat actor motives:

  • Financial (80%)
  • Espionage (11%)
  • Fun (4%)
  • Grudge (2%)
  • Ideology (2%)

As a result of a school data breach there are a few different ways in which data can be compromised:

  • 55% of data breaches result in personal data being compromised.
  • 53% of data breaches result in credentials being compromised, allowing access to a school’s network systems and applications.
  • 35% of data breaches result in internal information being compromised which is often related to data espionage.

Don’t let poor security hygiene catch you out!

A recent IBM study suggested that the chance of any organisation having a data breach within the next two years is 30%. This makes a data breach a question of when, not if. There is a lot of work that schools need to do in advance, given the inevitability that there are people planning to break into your school’s network to try and steal financial information. Many of the breaches in the education sector are the result of poor security hygiene. It’s important that you do what you can to eliminate human error: for example, identify your school’s web-facing assets and establish a baseline level of security around them.

How long does it take to identify and contain a data breach?

The average time it takes to identify and contain a breach within the education sector is 283 days. That is, 283 days between the initial incident happening and the incident or breach being identified and then contained. With this in mind I would suggest that there are two types of organisations in the education sector: those who know they have been breached over the past year, and those who don’t know about it yet. Often, once criminal actors are on the network, they will sit there for a long period of time without announcing their presence, simply sifting out the information that is important to them.

Make your friends before you need them!

Having a plan is an essential first step, but what’s even more important is that you regularly practise and test your plan against different scenarios. The methods that hackers use to attack school networks change on a regular basis, as do the risk strategies and the technology available to combat cyber attacks. In the event of a data breach, you need to act quickly. So it’s critical, ahead of an incident, to understand the services and organisations that you have access to. Building relationships and knowing who to call upon when you need them is incredibly important. Schools are responsible for protecting their data subjects from being compromised, and it’s not enough just to prevent new issues from taking place: there could be someone in your network already.