Cyber threats are no longer a rarity; they are expected. With recent ransomware attacks such as WannaCry and NotPetya, the potential theft or leakage of data, particularly confidential information in an educational setting, should be top of the list in risk planning.
“In Aon’s 2018 global risk management survey, cyber risk was ranked as the #1 risk facing educational institutions and is likely to remain so for the foreseeable future,” says Kerry Curtin, cyber risk expert at Aon South Africa. “The need to strengthen institutional resiliency against potential damage, compromising hacks and downtime is crucial,” she adds.
Schools, like any other business, are increasingly dependent on technology. As the Internet of Things (IoT) proliferates, a growing Bring Your Own Device (BYOD) culture, in addition to tech and robotics labs at educational institutions, poses very real risks and opens doors for cyber criminals. The knock-on effect of a cyber incident at an educational facility has the potential to be financially and reputationally catastrophic.
As a simple example, in 2016 it was reported that the University of Limpopo’s website was taken down, leaking exam papers and the details of over 18 000 students, in addition to perpetrators publicly posting what was believed to be the login details for the university’s intranet.
From a general perspective, South African businesses of all sizes, including educational institutions, have been particularly hard hit by an onslaught of cyber-attacks, although this is not always public knowledge.
Adopting and implementing better cyber security measures is the first line of defence against a potential cyber event.
“You can prevent your educational institution from becoming a statistic by employing the right cyber security and governance protocols. Education also plays a significant role in this space as it is crucial for students and staff members alike to be aware of potential risks and to spot obvious attempts in their daily interactions on the web, in e-mails and on devices,” explains Kerry.
The sheer number of cyber-attacks on educational institutions suggests that the sector is not as prepared as it should be in its efforts to safeguard networks.
Aon highlights the following considerations for the educational sector:
* Safeguard institution-owned devices: All computers, laptops and smart devices owned by the educational institution should at the very least have a current anti-virus program installed, in addition to adware and malware protection. One of the biggest threats to any business is the people operating these devices and their naivety regarding cyber risks, so education is key. A further aspect to consider is remote filtering technology, especially in instances where devices are used outside the institution’s network, such as laptops that staff members take home. This technology channels the device’s internet connection through a web security gateway that can remotely block harmful sites.
* BYOD Policy: Students and staff members are very likely to bring devices to school or university that interact with the institution’s network. The first line of defence is keeping guest devices separate from the network, allowing the institution to keep data secure on an administrative network, as well as monitor traffic more closely. When it comes to sending sensitive information, it is crucial to implement a secure file exchange solution that can protect against cyber threats such as phishing scams.
* Multi-Factor Authentication: Passwords alone do not provide adequate levels of security, and hackers are able to circumvent physical biometrics such as fingerprint identification when used as a single layer of authentication, so Multi-Factor Authentication (MFA) is fast becoming the next line of defence. This is especially of concern to institutions that employ online learning programmes or methods. An MFA approach will require individuals to present at least two of the following pieces of evidence to an authentication instrument: knowledge (something they know), possession (something they have) and inherence (something they are). An example is using voice recognition plus a PIN or password to authenticate a user.
* Social Media Policy: The policy needs to be an evolving and living document that adapts to changing social media trends and demands. Not only does the policy need to stipulate what is deemed acceptable behaviour from employees and students, but it also needs to explain the benefits of becoming an ambassador for the brand and the legal ramifications inherent to social media platforms.
“Depending on the type of breach, appropriate government or regulatory offices may need to be informed of the breach to anticipate possible legislative or regulatory fines. In addition, there are many jurisdictional acts and bills that affect the cyber realm in South Africa with the potential for grave financial implications from third-party liability claims, stemming from the Consumer Protection Act or even the Protection of Personal Information (POPI) Act, to name a few,” Kerry explains.
“The nature of the breach will also need to be communicated to affected parties and the corresponding support will need to be put in place. This is especially critical in the event of sensitive information such as banking details or qualifications that are leaked, which lends itself to identity theft, fraud and the like. This is not even accounting for the public relations and crisis management that an educational institution will need to implement to manage its reputation and credibility in the marketplace, which comes at a significant cost,” she adds.
While existing forms of insurance sometimes carry a level of coverage, only specialist cyber insurance policies provide the extensive cover needed for a cyber breach. “There is no one size fits all approach to cyber risk insurance. That’s why having a professional Aon risk advisor by your side is an invaluable exercise in protecting your reputation, data, students, employees and bottom line,” says Kerry.