A new package of free cyber security training for teachers and staff at schools and colleges will help to shore up the first line of defence against cyber attacks – users.
It comes amid a wave of ransomware attacks that started late last summer and has devastated some colleges and universities. Last month, the NCSC, supported by Jisc, issued a ransomware alert to help education organisations prevent these attacks.
The new staff training, available from the NCSC website, shines a light on the main threats education centres face and outlines the severe impact cyber incidents can have, with one case study showing how a school lost a substantial sum in school fees after reception staff fell victim to a phishing scam.
Another case study shows the importance of keeping passwords safe. A teacher had written their password on a note stuck to their laptop, which allowed a pupil to gain access to their computer, view more than 20,000 records and change their grades. The school was disciplined by the Information Commissioner’s Office.
Jisc’s own research, carried out with colleges, universities and research centres, indicates the scale of the impact of cyber attacks isn’t known. The report covers the effect on staff, resource, students, researchers, reputation and budget.
It cites several case studies, including one from a university, which shared that, in one year, around 200 students and staff members had fallen for voucher scams, resulting in each of them losing hundreds of pounds (£50,000 - £100,000 collectively).
Another university suffered a phishing attack, which required a response team of 15 staff members for three weeks and a further five staff members for three more weeks, equating to £65,000 worth of staff effort, plus significant legal costs.
The NCSC package complements a Jisc training course, developing effective security awareness campaigns, running next on 18 May, 2021. Course facilitator, cyber security service delivery manager, Jon Hunt, explains why security training is important:
“Our annual cyber security posture surveys show that phishing and other forms of social engineering are top of the list of information security threats that members are most concerned about. These attacks target people, not technology.
“People are the largest, most accessible attack surface for criminals. But blaming end users as the ‘weakest link’ or single point of failure in organisational security doesn’t achieve anything. If you work in security, it is very easy to forget that security isn’t most people’s day job.
“If an incident occurs because a member of staff was not trained or supported effectively, is the incident their fault, or their employer’s?
“This course offers practical advice for developing a fresh approach to information security awareness and training, which is a key component of a strong security culture.”
In the NCSC training module, the four steps staff are being encouraged to follow are:
- Defend against phishing attempts: Reduce the information available about you, check for anything that looks suspicious, don’t be embarrassed to ask for help.
- Use strong passwords: Choose three random words for your passwords, have a separate password for your work account, switch on two-factor authentication where possible, keep passwords secure by saving them to your browser.
- Secure your devices: Don’t ignore updates, only download software and apps from official app stores, put a screen lock on devices (password, PIN, etc), if necessary, only use school-issued USB sticks.
- If in doubt, call it out: Report anything suspicious as soon as possible and do not be afraid to flag up IT security policies that make your job difficult.