Cyber Security: A Guide For Education Providers

Firewalls, data back-ups and training staff to verify email senders are some of the actions colleges should take to protect themselves against cyber-attacks, according to new UK government guidance. 

The Education and Skills Funding Agency has published advice after colleges fell victim to phishing scams earlier this year, where genuine-looking emails were sent by fraudsters to trick people into sending money or private information.

As well as the tips, the ESFA release warns providers that they “retain responsibility to be aware of the risk of fraud, theft and irregularity and address it by putting in place proportionate controls”. Phishing scams and malvertising – where malicious code is delivered through an online advert, in some cases without the victim doing more than clicking on or hovering over it – are two traps the ESFA has warned providers about.

Five Strategic Questions for Education Providers
Academy/college audit committees and the management of independent training providers (ITPs) should use the following high-level questions, based on government guidelines and industry standards, as a starting point to consider cyber risk in their organisation.

As part of its assessment, the audit committee or ITP management should also consider the quality of the evidence underpinning any assurances provided.

1. Information held
Does the organisation have a clear and common understanding of the range of information assets it holds and those that are critical to the business?
2. Threats
Does the organisation have a clear understanding of cyber threats and their vulnerabilities?
3. Risk management
Is the organisation proactively managing cyber risks as an integrated part of broader risk management including scrutiny of security policies, technical activity, user education/testing and monitoring regimes against an agreed risk appetite?
4. Aspects of risk
Does the organisation have a balanced approach to managing cyber risk that considers people (culture, behaviours and skills), process, technology and governance to ensure a flexible and resilient cyber security response?
5. Governance oversight
Does the education provider have sound governance processes in place to ensure that actions to mitigate threats and maximise opportunities in the cyber environment are effective?
It goes on to list 10 “cyber security tests”, which are based on the National Cyber Security Centre’s ‘10 steps to cyber security’ guide.

As well as verifying email senders before sending payment or data, college staff should be trained to ensure they “understand the risks of using public Wi-Fi” and “understand the risks of not following payment checks and measures”, according to the ESFA.

In one such scam, fraudsters hacked into the email account of principal Chris Nattress and sent his contacts a link to a document to “review and sign”. When contacts replied to ask whether the email was genuine, the fraudster, still in control of the mailbox, replied that it was. They also altered the college’s phone number in the email signature by a single digit and added a made-up mobile number, so that contacts who phoned the number in the signature could not check that way either. The college’s digital team identified the issue before staff received any reports of a problem.
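The incident above shows why replying to the suspicious email, or phoning the number in its signature, is not a verification step: both are under the attacker's control. The check that does work is to compare what the email claims against an independently held directory. The following is an added example, not code from the article or from the ESFA guidance, of such a check on an inbound message. It flags a signature phone number that is one digit off a trusted directory entry, a number not in the directory at all, and, going beyond the incident described, a Reply-To header that diverts replies away from the visible sender. The directory, the addresses and the sample messages are constructed for the example.

```python
"""Screen an inbound email against a trusted contact directory.

Catches the signature-tampering trick described in the article (a phone
number changed by one digit, plus an invented mobile number) and a
mismatched Reply-To header. Standard library only.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: sender address -> set of trusted UK numbers in
# national format. Assumption: the college maintains such a list.
TRUSTED_NUMBERS = {
    "principal@example-college.ac.uk": {"01234567890"},
}

# UK-style numbers: +44 or leading 0, then digits with optional spaces/dashes.
PHONE_RE = re.compile(r"(?:\+44|0)[\d \-]{9,12}\d")


def normalise(number: str) -> str:
    """Strip spaces and dashes; rewrite a +44 prefix as a leading 0."""
    digits = re.sub(r"[ \-]", "", number)
    if digits.startswith("+44"):
        digits = "0" + digits[3:]
    return digits


def one_digit_off(a: str, b: str) -> bool:
    """True if two equal-length digit strings differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def check_message(raw: str, directory=TRUSTED_NUMBERS) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender.lower():
        findings.append(f"Reply-To {reply_to} differs from From {sender}")

    # Plain single-part messages only; multipart handling is out of scope here.
    body = ""
    if not msg.is_multipart():
        body = msg.get_payload(decode=True).decode(errors="replace")

    trusted = directory.get(sender.lower(), set())
    for match in PHONE_RE.findall(body):
        number = normalise(match)
        if number in trusted:
            continue
        near = [known for known in trusted if one_digit_off(number, known)]
        if near:
            findings.append(f"phone {number} is one digit off trusted {near[0]}")
        elif trusted:
            findings.append(f"phone {number} is not in the directory for {sender}")
    return findings


# Constructed message mimicking the scam: sent from the compromised account,
# with the office number altered by one digit and a made-up mobile number.
SCAM_SAMPLE = """\
From: Principal <principal@example-college.ac.uk>
Reply-To: principal.office@mail-example.com
To: finance@partner-college.ac.uk
Subject: Document to review and sign

Please review and sign the attached document.

Tel: 01234 567891
Mob: 07700 900123
"""

# Constructed legitimate message: same sender, directory number, no Reply-To.
CLEAN_SAMPLE = """\
From: Principal <principal@example-college.ac.uk>
To: finance@partner-college.ac.uk
Subject: Term dates

Term dates are attached.

Tel: +44 1234 567890
"""

if __name__ == "__main__":
    for finding in check_message(SCAM_SAMPLE):
        print("FINDING:", finding)
    print("clean message findings:", check_message(CLEAN_SAMPLE))
```

The directory lookup is keyed on the sender address, so a message from a compromised account is still checked against that account's real numbers; that is the point, since the account itself looks legitimate. In practice the directory would be populated from an HR or telephony system rather than hard-coded, and any finding should trigger a call to a number obtained from that system, never from the email.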

Education providers were first warned about phishing in an ESFA update in June, which said some had suffered “financial losses” after falling for this type of scheme, but it is unclear how many.

This is not the first time education providers have been attacked: in 2014, emails purportedly from the Skills Funding Agency were sent to providers, asking them to send details that would allow the fraudster to take money from the provider’s bank account.

Sources: FEWeek, Gov.uk. Image: Nick Youngson
