Andrew Williams, Online Safety Consultant for SWGfL, explains Ransomware and the data protection challenges facing schools, and provides advice on how to tackle them.

How would you manage if your school IT systems were taken down by a Ransomware attack?

At SWGfL, we have helped several schools recover after the impact of a Ransomware attack, by providing expert consultancy and support. Last year we highlighted the challenges posed by Ransomware attacks, and it continues to be a threat faced by many schools.

Usually, Ransomware gains access to systems by manipulating individuals into sharing their confidential or personal information before encrypting, or locking, their data. What follows is a ransom message demanding payment in exchange for unlocking the data. Often these attacks take the form of emails with an invoice, or a request for a quote, that link to a site where the malware is downloaded. SWGfL produced this Ransomware whitepaper in October, which can help you protect yourself against Ransomware attacks.

As our annual assessment of UK schools reported recently, 35% of UK schools have no data protection policy in place. We should all be more vigilant and cautious when it comes to our data, particularly given the UK is set to implement the new, stricter EU General Data Protection Regulation (GDPR) in May 2018. This will bring a whole raft of changes centered around the control that individuals will have over the use of their data. For schools, this will translate into (among other things):

  • Greater transparency and clarity about what they do with children’s data
  • More emphasis on obtaining clearer and auditable consent before sharing data
  • A legal requirement to notify a system breach within 24 hours and
  • A requirement to appoint a dedicated data protection officer

Recently, the manner in which WhatsApp manages the encryption of messages has been brought into question. It does pose an interesting question for the type of communication that may take place between teachers. For instance, in some schools, it may be plausible that a teacher and support staff or a senior leader may have a conversation about a pupil’s specific requirements via WhatsApp. However, if the service is not secure, there is a risk that those messages could be intercepted and shared.

Many staff members in schools have access to large amounts of personal data, far more than in many other industries or jobs. Because this goes with the territory, it’s easy to become complacent, which in turn can lead to a more relaxed attitude to the security of that data. Unfortunately, the most common cause of a data protection breach is a user, and in schools, users remain one of the least likely groups to have received training.

I recently heard about a teacher who shared a video taken inside her classroom on Twitter. The young people were enjoying the activity and sharing thoughts, but around the edge of the monitor in the background were post-it notes with login and password details! Not the best way to protect access to your data.

One of the most effective ways to secure your systems from attack, both personally and professionally, is still a good passphrase. Sadly, most people tend to use a password, and the same one in multiple places, because they find passwords hard to remember. Our recent blog offers some good advice on how to ensure your passwords and passphrases are secure.

For many schools a good source of advice is vital in understanding complex statutory obligations. In June 2016 we launched 360data, a new self-review tool which helps organisations test and improve their data protection policies and practices.

360data has been built on the award-winning 360safe self-review tool used by more than 10,000 schools in the UK. After completing the initial assessment the tool will suggest next steps for improvement, sources of good practice and even produce template documents for policies and usage.

So whilst the last year has been busy, now is the time schools should act to protect systems and data from attack.
