Cyber Security: A Guide For Education Providers

Uploaded on 2019-08-19 in JOBS-Training, FREE TO VIEW

Firewalls, data back-ups and training staff to verify email senders are some of the actions colleges should take to protect themselves against cyber-attacks, according to new UK government guidance. 

The Education and Skills Funding Agency has published advice after colleges fell victim to phishing scams earlier this year, where genuine-looking emails were sent by fraudsters to trick people into sending money or private information.

As well as the tips, the ESFA release warns providers that they “retain responsibility to be aware of the risk of fraud, theft and irregularity and address it by putting in place proportionate controls”. Phishing scams and malvertising – when malicious code is downloaded onto a victim’s computer after they click on, or even just hover over an advert online – are two traps the ESFA has warned providers of.

Five Strategic Questions for Education Providers
Academy/college audit committees and the management of independent training providers (ITPs) should use the following high-level questions, based on government guidelines and industry standards, as a starting point to consider cyber risk in their organisation.

As part of its assessment, the audit committee or ITP management should also consider the quality of the evidence underpinning any assurances provided.
1. Information held
Does the organisation have a clear and common understanding of the range of information assets it holds and those that are critical to the business?
2. Threats
Does the organisation have a clear understanding of cyber threats and their vulnerabilities?
3. Risk management
Is the organisation proactively managing cyber risks as an integrated part of broader risk management including scrutiny of security policies, technical activity, user education/testing and monitoring regimes against an agreed risk appetite?
4. Aspects of risk
Does the organisation have a balanced approach to managing cyber risk that considers people (culture, behaviours and skills), process, technology and governance to ensure a flexible and resilient cyber security response?
5. Governance oversight
Does the education provider have sound governance processes in place to ensure that actions to mitigate threats and maximise opportunities in the cyber environment are effective?
It goes on to list 10 “cyber security tests”, which are based on the National Cyber Security Centre’s ‘10 steps to cyber security’ guide.

As well as verifying email senders before sending payment or data, college staff should be trained to ensure they “understand the risks of using public Wi-Fi” and “understand the risks of not following payment checks and measures”, according to the ESFA.

Fraudsters, perpetrating a phishing scam, hacked into the email account of principal Chris Nattress and sent a link to his contacts to “review and sign”. When Nattress’s contacts replied to check if the email was genuine, the fraudster replied saying that it was. They also changed the college’s phone number in the email signature by one digit, and made up a mobile number, so contacts could not check in that way. The college’s digital team identified the issue before staff received any reports of a problem.

Education providers were first warned about phishing in an ESFA update in June, which said some had suffered “financial losses” after falling for this type of scheme, but it is unclear how many.

This is not the first time education providers have been attacked: in 2014, emails purportedly from the Skills Funding Agency were sent to providers, asking them to send details that would allow the fraudster to take money from the provider’s bank account.

FEWeek:           Gov.uk:         Image: Nick Youngson

You Might Also Read: 

Students Blamed For University & College Cyber Attacks:

 

« Transforming A Business The Data Driven Way
Foreign Cyber Intrusions On The USA »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Perforce Software

Perforce Software

Perforce helps companies build complex software products more collaboratively, securely, and efficiently.

Cambridge Intelligence

Cambridge Intelligence

Cambridge Intelligence are experts in network visualization and finding hidden trends in complex connected data. Applications include cybersecurity.

Seceon

Seceon

Seceon OTM, is a cyber security advanced threat management platform that visualizes, detects, and eliminates threats in real time.

HYAS Infosec

HYAS Infosec

HYAS is a highly skilled information security firm developing the next generation of information security technology.

Crayonic

Crayonic

Crayonic digital identity technologies protect and guarantee the identity of people and things.

Redbelt Security

Redbelt Security

Redbelt is a cyber security consultancy. We integrate people, systems, services and products to transform how your information security is delivered.

Deepwatch

Deepwatch

The Deepwatch Platform helps organizations reduce risk through early and precise threat detection and remediation.

Blue Lance

Blue Lance

Blue Lance is a global provider of cybersecurity governance solutions. Our software solutions automatically collect and store the information necessary for investigations, audit and compliance.

NetSPI

NetSPI

NetSPI is an information security penetration testing and vulnerability assessment management advisory firm.

WidePoint

WidePoint

WidePoint Corporation is an innovative provider of Trusted Mobility Management (TM2) solutions.

Internet 2.0

Internet 2.0

Internet 2.0 is a Cyber Security technology company with a core focus on developing affordable but sophisticated cyber security solutions.

Vumetric Cybersecurity

Vumetric Cybersecurity

Vumetric is an ISO9001 certified company offering penetration testing, IT security audits and specialized cybersecurity services.

IQ4 - Cybersecurity Workforce Alliance (CWA)

IQ4 - Cybersecurity Workforce Alliance (CWA)

Cybersecurity Workforce Alliance, a division of iQ4, is an organization comprised of a diverse range of professionals dedicated to the development of the cybersecurity workforce.

Positiwise Software Pvt Ltd

Positiwise Software Pvt Ltd

Positiwise Software offers end-to-end software development solutions to accelerate the digital growth of businesses.

Project Cypher

Project Cypher

Project Cypher leverages the latest cybersecurity developments, a world class team of hackers and constant R&D to provide you with unparalleled cybersecurity offerings.

Afripol

Afripol

AFRIPOL was set up to strengthen cooperation between the police agencies of AU member states in the prevention and fight against organized transnational crime, terrorism, and cybercrime.