Bursars Review | Spring 2019 | Sample

Cyber security guidance for ISBA members

ISBA is pleased to offer its members a dedicated eight-page supplement focusing on the cyber security concerns affecting schools in this Spring issue of the Bursar’s Review. The supplement features valuable tips and advice from professional advisers working in the sector, including Mark Reynolds of Hable, who will be speaking at ISBA’s IT and Cyber Security Conference on 27th March 2019 in London.

The association regularly hears from schools who have become victims of the increasing number of cyber attacks. In response, it has now produced a brand new chapter for its publication ‘The Bursar’s Guide’ outlining the practical steps that schools can take to protect themselves. Please keep this chapter and add it to your existing Bursar’s Guide folders for future reference, together with the updated contents list also included.

In addition to the IT and Cyber Security Conference to take place in March, a programme of events focused on the subject will follow later in the year.

For more information on the conference and to book your place please visit: https://members.theisba.org.uk/professional-development/2018-19-professional-development-courses/course.aspx?id=542

SUPPORTING INDEPENDENT SCHOOLS
WWW.THEISBA.ORG.UK
Keeping knowledge secure
Cyber security

CYBER SECURITY

Cyber security is another aspect of security that schools are increasingly having to address.
Statistics show that over 20 per cent of education establishments have been hit and the resulting headlines can be pretty stark: ‘Schools lose £145k to fraudsters posing as heads in new scam.’ In an attack targeting the education sector in 2018, fraudsters impersonating headteachers managed to con 48 schools across the country out of tens of thousands of pounds. The actual figures were startling: 12 schools lost £145,124 between them; one school lost £19,150 in one hit. This example focuses on money loss, however all kinds of data can be under threat and the new General Data Protection Directive (GDPR) puts an additional requirement on schools to protect the data in its care. The Regulation does not mandate a specific set of cyber security measures but expects ‘appropriate’ action to be taken. This will depend upon a school’s circumstances as well as the data it is processing. Sensitive data held by schools – such as pupils’ medical records – are lucrative on the dark web and ‘gold dust’ building blocks for identity fraud. For independent schools, the reputational damage can be severe.

1. CYBER SECURITY: WHAT IS IT?

There is much mythology around cyber security. It is regarded as mysterious and difficult and, as a result, can fail to be properly discussed. The reality is more straightforward. Cyber security is about protecting organisations, individuals or networks from cyber attacks. It involves implementing controls based around the three pillars of people, processes and technology. This three-pronged approach helps organisations defend themselves from both highly organised attacks and common internal threats, such as accidental breaches and human error. The important point to recognise is that cyber security is not simply a technology issue. It can often be regarded as such and left to the IT department to resolve.

2. TYPES OF CYBER ATTACKS

Cyber attacks use malicious code to alter computer code, logic or data, resulting in consequences that can compromise data, devices and systems and lead to a number of disruptive outcomes. The range of cyber attacks is limited only by the ingenuity, innovation, capability and resources of the attacker. Attacks can include:

• Identity theft – the deliberate use of someone else’s identity to gain a financial advantage or obtain credit and other benefits for fraud, extortion etc;
• Malware (malicious software) including:
  º Pharming – directing Internet users to a bogus website that mimics the appearance of a legitimate one;
  º Phishing – sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. Phishing is a subset of non-technical ‘social engineering’ attacks;
  º Spamming – sending the same message indiscriminately to a large number of internet users;
  º Spoofing – sending a communication from an unknown source disguised as a source known to the recipient;
  º Spyware – software that gathers information about your computer and the things you do on it and sends that information over the internet to a third party;
  º Trojans – a software programme designed to breach the security of a computer system while ostensibly performing some innocuous function;
  º Viruses – a piece of computer code, which is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data;
  º Ransomware – a type of cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless
