Cyber Security: A Guide For Education Providers

Uploaded on 2019-08-19 in JOBS-Training, FREE TO VIEW

Firewalls, data back-ups and training staff to verify email senders are some of the actions colleges should take to protect themselves against cyber-attacks, according to new UK government guidance. 

The Education and Skills Funding Agency has published advice after colleges fell victim to phishing scams earlier this year, where genuine-looking emails were sent by fraudsters to trick people into sending money or private information.

As well as the tips, the ESFA release warns providers that they “retain responsibility to be aware of the risk of fraud, theft and irregularity and address it by putting in place proportionate controls”. Phishing scams and malvertising – when malicious code is downloaded onto a victim’s computer after they click on, or even just hover over an advert online – are two traps the ESFA has warned providers of.

Five Strategic Questions for Education Providers
Academy/college audit committees and the management of independent training providers (ITPs) should use the following high-level questions, based on government guidelines and industry standards, as a starting point to consider cyber risk in their organisation.

As part of its assessment, the audit committee or ITP management should also consider the quality of the evidence underpinning any assurances provided.
1. Information held
Does the organisation have a clear and common understanding of the range of information assets it holds and those that are critical to the business?
2. Threats
Does the organisation have a clear understanding of cyber threats and their vulnerabilities?
3. Risk management
Is the organisation proactively managing cyber risks as an integrated part of broader risk management including scrutiny of security policies, technical activity, user education/testing and monitoring regimes against an agreed risk appetite?
4. Aspects of risk
Does the organisation have a balanced approach to managing cyber risk that considers people (culture, behaviours and skills), process, technology and governance to ensure a flexible and resilient cyber security response?
5. Governance oversight
Does the education provider have sound governance processes in place to ensure that actions to mitigate threats and maximise opportunities in the cyber environment are effective?
It goes on to list 10 “cyber security tests”, which are based on the National Cyber Security Centre’s ‘10 steps to cyber security’ guide.

As well as verifying email senders before sending payment or data, college staff should be trained to ensure they “understand the risks of using public Wi-Fi” and “understand the risks of not following payment checks and measures”, according to the ESFA.

Fraudsters, perpetrating a phishing scam, hacked into the email account of principal Chris Nattress and sent a link to his contacts to “review and sign”. When Nattress’s contacts replied to check if the email was genuine, the fraudster replied saying that it was. They also changed the college’s phone number in the email signature by one digit, and made up a mobile number, so contacts could not check in that way. The college’s digital team identified the issue before staff received any reports of a problem.

Education providers were first warned about phishing in an ESFA update in June, which said some had suffered “financial losses” after falling for this type of scheme, but it is unclear how many.

This is not the first time education providers have been attacked: in 2014, emails purportedly from the Skills Funding Agency were sent to providers, asking them to send details that would allow the fraudster to take money from the provider’s bank account.

FEWeek:           Gov.uk:         Image: Nick Youngson

You Might Also Read: 

Students Blamed For University & College Cyber Attacks:

 

« Transforming A Business The Data Driven Way
Foreign Cyber Intrusions On The USA »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MobileIron

MobileIron

MobileIron provides EMM capabilities to IT organizations that need to secure mobile devices, applications and content.

Redscan Cyber Security

Redscan Cyber Security

Redscan Cyber Security is a Managed Security Services Provider (MSSP) that enables businesses to effectively manage their information security risks.

ProPay

ProPay

ProPay provides secure payment solutions for organizations ranging from small businesses to large enterprises requiring complex payment solutions.

Alan Boswell Group

Alan Boswell Group

We are a Group of Companies providing specialist Insurance Broking and Risk Management advice and services including Cyber Risk cover.

Acuant

Acuant

Acuant is a leading global provider of identity verification, regulatory compliance (AML/KYC) and digital identity solutions.

ITonlinelearning

ITonlinelearning

ITonlinelearning specialises in providing professional certification courses to help aspiring and seasoned IT professionals develop their careers.

Cyber Resilience

Cyber Resilience

Cyber Resilience offer an intensive program designed to help you create strategies to quickly become cyber resilient and to manage cyber risks in a measurable and predictable way.

Angoka

Angoka

Angoka provide hardware-based solutions for managing the cybersecurity risks inherent in machine-to-machine communication networks.

Quintillion Consulting

Quintillion Consulting

Quintillion Consulting is a strategic risk based consulting firm. We help companies safeguard the core business and IT capabilities that deliver competitive advantage.

UST

UST

UST is a global provider of digital technology and transformation, IT services and solutions including managed security services.

Quantropi

Quantropi

Quantropi is bound to be the standard for quantum-secure data communications – forever unbreakable, no matter what.

CyBourn

CyBourn

Cybourn's diverse offerings include engineering, analysis, product development, assessment, and advisory services in the cybersecurity space.

VENZA

VENZA

VENZA is a data protection company that can help organisations mitigate their vulnerabilities and ensure compliance, keeping guests and their data safe from breaches.

Gathid

Gathid

Gathid is a unique and versatile identity governance platform providing organizations with the ability to model, explore, audit, and track complex access-related scenarios.

SGNL

SGNL

SGNL redefines identity-first security by integrating business context, closing critical gaps, and transforming how enterprises manage privileged access for a secure, adaptive future.

Axiler

Axiler

Axiler’s AI-driven self-healing architecture seamlessly detect, patch, and neutralize threats in real-time, ensuring systems remain secure and ever-adaptable.