18 May What WannaCry [should have] taught schools
Dominic Norrish is group director of technology at United Learning and former chair of governors at an all-through academy. This guest post is reproduced with permission from its original version published on his blog, from where you can follow Dominic on Twitter at @DomNorrish. He has previously contributed the article Data breaches don’t just happen to other schools to the Modern Governor blog.
We all watched with interest, I’m sure, last weekend’s meltdown over the state of NHS IT and its vulnerability to ransomware. Many a school leader will have woken up in the middle of Sunday night wondering if the morning would bring an unwelcome and hugely disruptive exam-season crisis…
Why is this happening?
Over the past two years, schools have experienced a dramatic increase in the threats to the computer systems they rely on and the data which they hold. This is a global phenomenon due to the cheap availability of software tools via the Internet by which an amateur can create (or even just franchise) malware and distribute it – most commonly ransomware which encrypts data until a payment is made. It’s also partly down to how poorly the problem is understood in the education sector.
Public organisations like schools are being increasingly targeted as a successful infection would leave them little choice but to pay up, particularly considering the implications of losing control of sensitive personal data about children. The invention of crypto-currencies such as Bitcoin mean that this crime can be perpetrated with very little risk of being caught. This means it’s a growth industry: in 2015, 390,000 new pieces of malware were created daily . Until anti-virus companies can spot and react to each new strain of infection, schools remain vulnerable to such ‘zero-day’ infections.
I’ve heard about a number of schools that have been significantly impacted by this. In the most serious instance I’ve come across, ransomware entered the school when a member of staff opened an infected attachment to an email, which compromised their workstation and then spread out to all other computers it could reach. Data (including MIS servers, shared areas and staff/pupil documents) were encrypted by the ransomware and thus inaccessible to the school. Total loss was only prevented due to the existence of offline backups. The schools concerned lost 2-3 days of productivity at a critical time in the term.
Why weren’t schools hit harder by WannaCry?
My analysis is that the school system in general was less exposed to this most recent attack because:
- Almost all schools license Microsoft software annually, and will have upgraded to Windows 7 or 10 in recent years. I don’t know of any school making extensive use of Windows XP. This could worsen as school leaders make difficult decisions about licensing or employing sufficient local IT capability to run upgrades and manage their network effectively;
- 2015/16 saw a number of similar ransomware incidents in the public sector, including some schools, and this has resulted in lots of technical and management actions to reduce exposure;
- Few schools operate the same distributed model of IT (e.g. outsourced to a third party provider) which resulted in 11 NHS Trusts being incapacitated by an infection which likely began through a single user (a ‘patient zero’, if you will).
However [massive caveat alert]
I would speculate that if a future attack vector made use of a zero-day exploit to Windows 7 or 10 in a similarly co-ordinated and wide scale manner, many schools could be badly affected – consistent staff training is the only real protection against that. The scale of impact would range from very minor (some users unable to access some of their data), through serious operational impact (loss of multiple systems, extended time to restore), to complete loss of data and inability to recover in the medium term (particularly where the MIS and backups become encrypted).
That last one doesn’t bear thinking about, so don’t wait, take action today.
The key thing to remember is that no technical tool can totally prevent these attacks and that therefore schools must develop layered protection in depth from malware :
- Improving security through tighter policy, always in balance with operational needs. Can the reliance on USB sticks to transfer students’ work from home be replaced with something less risky, for example;
- Technical actions to stop malicious emails entering school systems – this is known as hardening, and network managers and/or your internet service provider should be all over this;
- Ensuring that anti-virus systems detect known threats and prevent infections spreading, on every device, using the latest definitions;
- Ensuring that data are safeguarded through reliable, secure back up regimes. People who pay ransoms do so because they have no backup;
- Most critically – and I cannot emphasise this enough – educating staff in better security practices, how to spot phony emails and to create a culture of accountability in all. This is the best (and last) line of defence.
What are the most important strategic actions for school leaders to take?
There are several management actions which school leaders should take as soon as practicable:
- Include ‘Data and System Integrity’ on the SLT’s and governor’s operational and strategic risk registers and document your actions to mitigate this risk. This will ensure that it will continue to be monitored as new threats/ mitigations emerge. Operationally, a named member of SLT should manage this risk and accountability should sit with the Network Manager;
- Consider the move of key systems and data from on-premises systems to the cloud over time, to limit the impact of infections. OneDrive or Google Drive (part of Office365/ G-Suite) allows schools to hold all user documents in the cloud and access them securely from anywhere. The other critical system to consider off-siting is your Management Information System. This isn’t a guarantee of avoiding encryption, but it’s an order of magnitude better;
- Use line management processes to hold technical staff to account on critical activities, which include your user security policy, the status of anti-virus systems and evidence of successful backups. To assure yourself that this is in-hand, the key questions to ask your local IT support today are:
- ‘Are all our servers patched with the latest security update for Windows?’,
- ‘How do you know that every PC and laptop is automatically installing Windows and Anti-Virus updates?’ and
- ‘Are our backups working and are they secured from themselves being encrypted?’
- Implement security training for all members of staff. Even if an email with malware evades all the technological defences, it will fail because a properly trained user will not open it. Training staff to share files within Office365/ G-Suite will reduce the need to email attachments and so heighten suspicion in staff when they receive them, and makes them less vulnerable to encryption and easier to restore. Training staff will also prevent them becoming a victim at home, and the additional anxiety and stress that would bring.
I always like to end on an upnote, so here goes…
“the malware threat is very real, infection is somewhat inevitable, and schools’ resilience to this will be dictated by the systemic actions school leaders put in place.”
Questions for your board
- Do we have a clear understanding of the risks posed by this sort of incident?
- Is ‘Data and system integrity’ on our risk register? Who within our school (or MAT) is responsible for monitoring this?
- Are our staff (any technical staff and all others) supported with CPD in this area?
- If elements of our technical support and infrastructure are managed by a third party provider, does our SLA cover the outcomes from, and mitigation against, this sort of incident? How does this affect our assessment of risk?
- In terms of the governance responsibility of ensuring the school’s funds are well-spent, can we afford (not to) deal with this issue?