ISBA

70 www.theisba.org.uk HEADLINE PARTNER Modelling for the future: protecting schools and parents against cybercrime The COVID-19 pandemic has impacted the UK’s independent school sector in many ways. Pupils and school staff have had to adjust to learning, teaching and working from home, whilst adopting new technologies and communication methods on the fly. Bursars have shouldered the task of stabilising school finances throughout months of uncertainty. Government- mandated school closures have necessitated offering fee discounts for some, whilst international puplis struggled to return to the UK during lockdown and parents of others found themselves unable to pay fees, impacting student numbers. Accurate financial modelling has – and will continue to be – an essential undertaking for bursars in the wake of the pandemic, as the sector shows promising signs of recovery but budgets remain tight. However, whilst school staff strive to maintain high standards of education, the National Cyber Security Centre (NCSC) has sounded several warnings about rising numbers of cyber scams and hacking attempts targeting schools and other small institutions. ‘CEO fraud’ The most common and damaging methods employed by cybercriminals to target schools are business email compromise (BEC) and ransomware attacks. BEC, also known as CEO fraud, involves an email account or address within a school or business being compromised or spoofed. The scam involves sending an email that appears to have been sent from someone within the school – often from senior management or the finance team – asking for money to be paid to an account. In the current climate, schools may see an upturn in these kinds of scams as parents are lured in by the false promise of fee discounts. Ransomware involves compromising an IT system, accessing its data and encrypting it. The hacker then demands a ransom to decrypt the information. Schools that choose not pay a ransom are often hit with a second, more insidious demand. Ransomware is usually coded not just to encrypt important data, but to send this information back to the hacker. This is used as leverage in circumstances when schools refuse to pay, as hackers may then threaten to release sensitive data on the internet. Education sector encountered almost 64 percent of all malware attacks Alarmingly, more than 70 cyber-attacks targeting the education sector were recorded during the pandemic. In March of this year, cybercriminals carried out a targeted ransomware attack against one of the largest academy trusts in the UK. The attackers demanded £5.8m in ransom, before leaking sensitive school data online and costing a further £500,000 in new equipment and staff overtime. Stand 65