The Importance of Trusted Providers in the Education Sector

  • Matt Lorentzen, Principal Consultant at Cyberis

Over the last two years, the Education sector has been subjected to a barrage of attacks that have directly impacted schools’ ability to support learning. The main reason for these attacks appears to be that schools are considered “soft” targets. It is true that cyber security deployment in school environments varies dramatically. This is often the result of a combination of a lack of budget assignment, limited capacity to manage security and gaps in the internal skills of technical staff. Whatever the reasons, attackers are frequently seizing the opportunity to infect, disrupt and hold to ransom education establishments for a reason as old as time. Money.

During the pandemic, the shift to remote learning through cloud providers saw fast-paced adoption rates, with projects swiftly deployed to try and maintain some level of consistency within education. Teachers needed tools that they could use to teach, and students needed a way to receive that learning remotely. Many schools were forced to adopt deployment processes with little planning, and this inevitably allows gaps to creep in.

Emerging Market

There are several high-profile cases of schools being hit by ransomware attacks, such as the Harris Federation, a multi-academy trust which fell victim to a ransomware attack that left 37,000 students unable to access their email. With attacks rising, the state of cyber security has become an important topic for heads and governing bodies. The latest academy trust handbook (https://www.gov.uk/guidance/academy-trust-handbook) outlines that schools “must” now understand the state of their networks. Cyber security is now firmly the responsibility of the school and the trusts that support them.

This creates an inevitable outcome. Schools need help. It is not feasible to expect schools to have a detailed understanding of all the facets of the cyber security industry. There is no doubt that network managers up and down the country are demonstrating interest, focus and an understanding of the field, but even well-defined networks implementing baseline security controls benefit from an external perspective.

There are some schemes now available that allow schools to baseline common security controls (Cyber Essentials), and whilst these schemes are valuable tools in the management of cyber security, they do not provide the complete picture. Quite rightly, baseline compliance schemes start with the implementation of basic technical controls – such as routers and firewalls on the perimeter, backup processes and the correct use of passwords in the establishment. However, a baseline compliance scheme cannot determine the attack surface available, and can’t give any insight into what an attacker could actually do.

The need for schools to seek help with understanding these challenges is creating an emerging market for security assurance services in the education sector. Cyber security testing has been a measurable approach to understanding risks in other sectors (Commercial, Government, Military) for decades, and these approaches are now relevant to the education sector. The modern school network is not that different in terms of setup and requirements from that of a commercial business.

Penetration Testing

The only effective way to demonstrate attack chains is to exercise them. If a school wants to understand its exposure, then it needs to be subjected to controlled attacks to determine what the likelihood of success will be. The outcomes of these tests then allow the gaps found to be addressed. Even if attacks are not successful, it is still useful to determine whether a school can see these attacks occurring. An attacker is persistent. Penetration testing demonstrates the impact of an attack. It can also highlight how effective the controls around data are at preventing unauthorised access. GDPR regulation forced schools to consider the way that they handle sensitive information, and the ramifications of data breaches are severe.

Lack of Governance

To deliver testing into the sectors mentioned earlier, providers have to undergo a rigorous process of certification and adherence to standards. For example, the CHECK scheme, ratified through the National Cyber Security Centre, requires companies to meet set criteria before they can test government environments. There are similar requirements for financial services, for example CBEST, overseen by the Bank of England. These schemes also require that companies have personnel who have attained certifications in delivering these types of attacks. The benchmarks for these certifications are set high and expect the individual to have deep technical knowledge of penetration testing and cyber security in order to pass.

Currently, there is no governance in the education market when it comes to cyber security assurance. Schools are, and will continue to be, contacted about services that can help them, but there is no current standard required to perform testing; any individual or company can deliver it. The danger is that this leads to false outcomes. Schools should consider the following points:
• How can a provider safely demonstrate the risk whilst minimising disruption?
• What background does the provider have in cyber assurance services?
• How will the provider handle any data accessed through testing or compromise?
• Does the provider have processes that can securely delete data after delivery?
• How will your school be supported in communicating the results to school leadership?

All these points should be considered when seeking assurance about the security posture of your school. As there are no current governance processes in place for providers, the responsibility is with the school to understand the risks and the ramifications.

Summary

Schools are now a viable target of attack as they shift to cloud approaches and broaden access for students and staff. The consequences of a cyber-attack can be severe, but the responsibility for understanding this rests with the school and the trust. Specialists in the field can support schools as they quantify the risk and use assurance services to practically demonstrate the gaps. These are effective tools as part of a security programme, and this emerging market within education is welcome. However, a lack of governance in the sector could leave schools at greater risk if providers cannot effectively demonstrate how these services can safely be delivered, and what standards and ratification processes a provider has met to be recognised as an expert in the field. If these standards have not been achieved, then what assurance can a provider show that demonstrates the ability to exercise effective attack chains and put the findings of a penetration test into context? The goal of an experienced assurance provider should be to test current boundaries, determine how effective these controls are, communicate what can be done to improve them and provide digestible, prioritised information and advice to leadership teams.