All posts tagged IT support Essex

Cyber Security is on the increase, and whilst some schools are now taking it seriously and making changes, many are not. Wherever you are on your Cyber Protection journey, this blog should help you create a definitive plan should you be attacked by a hacker or by malware programmes.

In 2019, two thirds of all organisations reported some type of incident relating to cyber-crime.

You could make a sure bet this figure rose significantly last year, thanks to criminals taking advantage of the pandemic.

The average cost of a data breach to a business is estimated to be around £337,000. A school is just as vulnerable to financial loss, and with today’s budgets, the loss can be catastrophic. It can also be crippled by the teaching hours taken up in sorting out, for example, a system held to ransom: so many hours that it may as well have been a large financial loss.

The most common types of crime are ransomware, where your data is locked away until you pay a ransom fee.

And phishing, where criminals pretend to be someone else, to get you to click on a bad link. This is how they get access to critical systems.

School money can then be lost due to:

  • Any ransom demanded by criminals who lock your data and remove your access to it.
  • The cost of recovering your data, and undoing the extensive damage done.
  • Putting in place additional ongoing security measures after the breach.
  • Paying for goods and services that are being provided by a genuine service provider, but where the invoice had been intercepted and altered to pay a third party.

On top of the financial impact, there is the reputational one.

Could you imagine picking up the phone to every parent and stakeholder, to tell them your data about them had been accessed and stolen? And was probably for sale on the dark web?

What would happen if the local media or news blogs got hold of this and ran a story about it?

You have to ask yourself very carefully: Could your school afford to be hit by a ransomware or phishing attack?

Truth is that many schools really couldn’t.

So why do so few education establishments have a plan in place to a) prevent and b) respond to cyber-crime?

Does yours?

If not, it is time to do something about it, as there has been an explosion in the number of ransomware and phishing attacks over the past couple of years.

If you don’t have an effective plan in place to help keep your business protected – and to minimise damage should the worst happen – you’re leaving yourself vulnerable.

Cyber-criminals are targeting everywhere, all the time, using clever automated tools that sniff out vulnerabilities. So it’s only a matter of time till your school’s defences are tested.

Here’s our recommended 5 step plan to prepare for an attack, and protect your business.

1) Training, training, training

Believe it or not, your devices and software are not the weakest link in your defence. Your people are.

Your team’s awareness of the risks, and their mindset towards spotting risks and acting on them, can make a dramatic difference towards your chances of being affected.

Although they would never knowingly do a thing to damage the school infrastructure or administration, all it takes is one click for them to bring you down.

One click. On one bad link. In one email.

Phishing scams are getting more sophisticated every day, and they are really easy to fall for. You don’t have to be an 80 year old email newbie to fall for a phishing scam these days. With some of the smartest social engineering, even the wariest person can be caught out.

Fortunately, with the right training, your team can be taught the tell-tale signs of a scam email, looking at:

  • The email address it was sent from
  • Who it is addressed to
  • The language used
  • The font and design of the email
  • How to check if a link is safe before clicking on it

There are other things that cyber security training can teach your people.

Things like closing RDP (Remote Desktop Protocol) links, a techy term for a remote connection from your computer to another.

And looking out for signs you are under attack from ransomware.

Plus other areas of online safety that you may not usually discuss. Such as what information criminals can glean from social media.

There is a lot that can go wrong online. And the more people you have working for you, the greater your risk of one of those things happening to your business.

All staff should have regular cyber-security awareness training – including you.

Things change so frequently that it really is in your best interest to keep everyone’s knowledge topped up.

Check out the National Cyber Security Centre website for more information on keeping your school safe: www.ncsc.gov.uk/section/education-skills/cyber-security-schools

They also provide an Exercise in a box, which they promote as “an online tool from the NCSC which helps organisations test and practise their response to a cyber attack. It is completely free and you don’t have to be an expert to use it.”

www.ncsc.gov.uk/information/exercise-in-a-box

2) Use the tools available to you

There are a lot of tools out there to help keep your business safe and protected from cyber-criminals. Make use of them.

Some of the most commonly used tools are:

Password managers: These generate long random character passwords for new applications and remember them so you don’t have to.

Multi-factor authentication: This is where you enter a code from another device, to prove it’s really you logging in.

VPNs: A Virtual Private Network gives you a secure connection to your business when working remotely.

Encryption: This makes the content of your devices look like thousands of random characters to anyone without the encryption key. So, it’s only a minor inconvenience if you lose a device, not a major catastrophe.

Anti-ransomware software: Standard antivirus software will not protect your data from a ransomware attack, so it is critical to ensure that your school has anti-ransomware software installed.

These are just the basics. There are always extra layers of security available.

Yes, this is complicated, and there are too many options to choose from. The trick is putting together the right blend of security tools for your specific circumstances. So you’re protected, but your security is not stopping your team from getting on with their work every day.

Your IT support provider will be able to make some recommendations. If you’re in the fortunate position of having an IT partner, they will work closely with you to understand how your business works inside and out, before making recommendations.

3) Back-up all data, all the time

We cannot stress this enough: if you don’t already have an automated back-up of your data every day, with at the very least the admin data kept somewhere other than your school’s premises, arrange this today.

It. Is. Critical.

Keeping a copy of all your data in this way is your fall-back option. If anything ever goes wrong and your data is lost, corrupted, or held to ransom, you retain a copy of everything you need to keep your school functioning.

If you already have off-site back-up in place, well done. Now check that it is working as it should be. This is a process known as verification, and it needs to be done every day.

You’d be surprised to learn how many people leave their back-up unchecked until they need it… only to find the back-up stopped working a few days earlier; or the data was corrupted.
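For whoever looks after the back-up, here is one way the daily verification could be automated. This is an added example, not Cablers' own tooling: it assumes a manifest of SHA-256 hashes is recorded when each back-up is taken, and the file names, the 26-hour freshness window and the `verify_backup` function are all hypothetical.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large back-up archives do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(backup_dir: Path, manifest: dict, max_age_hours: float = 26,
                  now=None) -> list:
    """Return a list of problems; an empty list means the back-up passed."""
    now = time.time() if now is None else now
    problems = []
    newest = 0.0
    for rel_path, expected in manifest.items():
        target = backup_dir / rel_path
        if not target.is_file():
            problems.append(f"MISSING {rel_path}")
            continue
        newest = max(newest, target.stat().st_mtime)
        # Integrity: the "data was corrupted" case.
        if sha256_of(target) != expected:
            problems.append(f"CORRUPT {rel_path}")
    # Freshness: the "back-up stopped working a few days earlier" case.
    # Assumed window: a daily job plus two hours of slack.
    if newest and (now - newest) > max_age_hours * 3600:
        problems.append(f"STALE newest file is {(now - newest) / 3600:.0f}h old")
    return problems


def demo() -> dict:
    """Constructed sample: a good run, a corrupted file, then a stale run."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "admin.db").write_bytes(b"pupil records (constructed sample)")
        (root / "finance.csv").write_bytes(b"invoice,amount\n1,100\n")
        manifest = {p.name: sha256_of(p) for p in root.iterdir()}
        results = {"fresh": verify_backup(root, manifest)}
        # Simulate corruption after the manifest was recorded.
        (root / "finance.csv").write_bytes(b"invoice,amount\n1,999\n")
        results["corrupt"] = verify_backup(root, manifest)
        # Simulate checking three days after the last successful run.
        manifest["finance.csv"] = sha256_of(root / "finance.csv")
        results["stale"] = verify_backup(root, manifest,
                                         now=time.time() + 72 * 3600)
        return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```

A non-empty result should raise an alert to a person the same day, rather than sit in a log nobody reads.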

4) PPP

Create a policy, protocol, and procedure in the event of a data breach. Sounds obvious, but this needs to be done before your school has a problem.

Your policy will set out how your school will deal with any form of data breach or cyber-attack.

Make your policy as detailed as possible, as it is a guide for your establishment to reach the most desired outcome (in this case, minimal impact from an attack).

Include the things your people must do as a minimum to help keep the business safe, such as using a password manager and multi-factor authentication.

Every member of teaching and administrative staff should have a copy of this policy, ideally in your employee handbook. Maybe you could even get them to sign that they have read and are committed to it. That way, no-one can plead ignorance if they have directly put the school at risk.

Your protocol is a written plan that contains the procedures your people must follow in the event of a cyber-attack.

And the procedures you should include are:

  • Who to alert in the case of a suspected breach.
  • What are the steps that person should take to try to block the attack?
  • How everyone else within the business should react.

It is a good idea to include a procedure for lost or stolen devices too, so they can be wiped remotely for ultimate peace of mind.

Make everything in your PPP as accurate and detailed as it can be, so that people are left in no doubt exactly what they should do.

5) Bring in the experts

If you are not an IT expert, a lot of this can seem very time consuming and complicated.

We completely get that.

However, you should understand that it is very much a worthwhile investment of your time and energy.

If you feel it is not something that you can do justice to, it is a smart idea to bring in the experts.

A great IT support provider – or partner – should be more than willing to help you.

A good IT company will assess your IT provision and provide a check list on changes that need to happen to enable your system to be as resilient as possible.

You should also have someone to monitor and maintain your devices and network, to identify and solve the majority of issues before you even notice them.

And someone who can make sure you are using all the right tools and software to optimise both security and staff productivity.

Often, it is unrealistic to have a full-time employee on your team to do this work for you. Fortunately, outsourcing is a superior alternative in most cases.

Not only do you get support when you need it, and benefit from all the above, but you also get access to a whole array of expertise.

If you don’t already have a plan in place to keep your business protected from cyber-attack, I hope you can see how vital it really is.

If you do have a plan, perhaps it is time to revisit it and make sure it is still effective in this ever-evolving world of cyber-security and cyber-crime.

And if you find you could do with some honest, expert help and advice, we’d love to be of service. Let’s talk.  Click here to book your 15 minute call with Murray.

Sue Kenneally
Marketing Exec.

As IT professionals in the education arena, we’ve seen some things.

Things that would horrify you.

Things you would never want to encounter in your own establishment.

We’re talking security breaches, data theft and file corruption that have brought entire schools to their knees.

This is something that you – as the Headteacher, IT or Office Manager – really don’t want to happen.

Because it only takes one click from a well-meaning member of your team on one bad link. And that could mean the difference between a thriving school or office, and disruption so severe, it makes teaching impossible.

You don’t need us to tell you that data loss can lead to a huge loss of confidence from your suppliers and staff.

And often the cost of rectifying a situation such as this can be phenomenal.

So, we at Cablers want to share the secret behind keeping your business data safe

Of course you should have an IT partner protecting you with a blended security package (blended means getting the right mix of security products that protect you and your staff, without inconveniencing you while you’re trying to work. It’s a balancing act).

But there’s something else, that in our view every business should invest in, every year.

Cyber security training

Though it may sound simple, you’d be surprised to learn how many schools and businesses underestimate the importance of campus or company-wide security awareness.

And yes, we really do mean company-wide.

Your whole school, academy, trust or business, from the new entry level person to the Headteacher or CEO, should take part in formal data security training, regularly.

A strong cyber security culture is one of the best ways to keep your school or business safe from the increasingly sophisticated threats out there.

Because hackers use automated tools to look for vulnerabilities in every establishment, all the time.

And yes this includes yours. Remember, it only takes one click from a well-meaning member of your team on one bad link. And that can unwittingly let hackers into your system.

“But my people are savvy professionals. They’re not going to fall for a scam”

We hear this often.

And yes, your people are savvy, but so are cyber criminals.

Cyber-crime is evolving. And there is always another scammer or hacker around the corner waiting to take advantage of a technology flaw or stressful situation (hello, global pandemic).

Your business or school can never be too prepared.

Take a look at phishing for example. You’ve heard of that, right?

But do you and your team actually know what it is?

Phishing is a common tool used to extract information such as login credentials or credit card details by email, telephone or even text message.

You may think that your team are above falling for an email from their ‘long lost uncle abroad’. But phishing scams have come a long way since those days.

Today, phishing emails are far more convincing. They often claim to come from someone credible, such as your bank, a client or supplier, or someone else you know.

They’ll ask you to click a link to update your details, or change a password. But instead of being taken to a legitimate website, you’ll be taken to a very convincing duplicate.

And once your details have been entered, you’ve given them away.

For more advice on how to spot a phishing email, and how to report them, visit this Government website: www.gov.uk/report-suspicious-emails-websites-phishing

Other times, you’re sent an attachment – again, seemingly from someone you know – which, when opened, will install malware on your device (or across your whole network).

This can then allow criminals to steal data, or deny you access to your own information (that’s called crypto locking).

The Government’s National Cyber Security Centre has a lot of information on how to deal with this type of cyber attack and what to look out for to make sure you are not caught out.

www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

Then we have spear phishing. Unlike phishing, which is aimed at anyone, this is targeted at specific individuals.

Typically the attacker has spent time learning a lot of information about you (your name, role, company information, etc). And then uses this to their advantage.

If they target someone at the top, this is called whaling (also known as CEO fraud).

They’re targeting people at the top as they have access to the most sensitive data.

Whaling attacks are often planned for a long period of time. And when they work, give huge financial gain to the cyber criminals.

Then there’s pharming, which asks you to take an action on what looks like a familiar website.

Except if you look very carefully, the website address is slightly different to normal. It’s a scam site, and any information you enter will go to the criminals.

There is a scarier version of pharming where the criminals manage to divert traffic going to the real website. These are really hard to detect.

To check that a website is secure and not as easily accessible to hackers, make sure it shows the small padlock symbol at the side of the URL bar. (To view the site’s security credentials, click on the padlock symbol.)

Often there are tiny little clues that give the fake sites away, if you know what to look for.
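Some of those clues can be checked automatically, for instance by a mail filter or helpdesk tool, before anyone clicks. The sketch below is an added example rather than part of the original post: it compares a link's address with a short list of sites the school really uses, and the list, the sample addresses and the `check_link` function are all hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: a constructed list of sites staff genuinely use.
TRUSTED = ("examplebank.co.uk", "ncsc.gov.uk")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def unconfuse(host: str) -> str:
    """Undo common look-alike substitutions (rn for m, 0 for o, 1 for l)."""
    return host.replace("rn", "m").replace("0", "o").replace("1", "l")


def check_link(url: str, trusted=TRUSTED) -> str:
    # A padlock (HTTPS) shows the connection is encrypted, not who runs the
    # site, so the address itself is what gets checked here.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious: no hostname"
    # Genuine: the host is a trusted domain or a subdomain of one.
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious: punycode (possible look-alike letters)"
    for d in sorted(trusted, key=len, reverse=True):
        # Trusted name placed in front of, or inside, somebody else's domain.
        if host.startswith(d + ".") or ("." + d + ".") in host:
            return f"suspicious: {d} appears inside another domain"
        if unconfuse(host) == d or edit_distance(host, d) <= 2:
            return f"suspicious: look-alike of {d}"
    return "unknown: not on the trusted list"


if __name__ == "__main__":
    for sample in (  # constructed sample links
        "https://www.ncsc.gov.uk/guidance",
        "https://examp1ebank.co.uk/login",
        "https://ncsc.gov.uk.account-check.example/login",
        "https://www.bbc.co.uk/news",
    ):
        print(f"{sample:50} {check_link(sample)}")
```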

Spoofing is the term for when you receive an email pretending to be from someone you know – such as your accounts department. And it’s asking you to go to a link to reconfirm your details.

This type of scam is often used to download malware or ransomware rather than to steal your credentials.

Then we have smishing, which is phishing with text messages (SMS). And vishing, which is phishing on the phone, or voice phishing.

You receive a phone call from a blocked or unusual number. The caller will pretend to be from somewhere familiar and ask you to carry out actions, or make a payment.

These are pretty common. So if you or your team are ever unsure, make sure to hang up, then call the company back on the number you have for them (and never the number the caller gives you).

Can your school, academy or business really afford to underestimate the importance of good cyber security training?

As you can see, it really does take just one action to open up your school or business to this kind of threat.

This is not an exhaustive list. There are plenty of other ways that cyber criminals will attack your establishment.

You may think your people are pretty hot on cyber security. And hopefully you’ve got the latest security software protection across your whole network.

However, it’s always a great idea to add another level of human protection. Because schools and businesses like yours really are prime targets for cyber criminals.

If you’ve never implemented security training before, now is the perfect time to start creating new habits. After all, your team will have seen enough change this year to be open to just about anything!

Employee education is one of the best business tools you can invest in. And it could end up saving your organisation from disaster.

But the benefits of regular training don’t end there. It’s a great motivational tool, too. Your people will feel invested in when they have relevant training, increasing engagement all round.

Remember to make sure that everyone, from bottom to top, undertakes regular training. Because a cyber-criminal really isn’t fussy about who clicks that link… just as long as someone does.

If you don’t currently have an IT partner who can deliver appropriate data security training to your school, academy or business, contact Cablers today on 01787 221166.

Our team of experts would love to help keep you informed and protected.

About Us: Established in 1997 in Earls Colne, Essex, Cablers provides IT services to both the Education and Business market sectors in Essex, Suffolk, North & East London.

Murray Thorpe, Managing Director, saw that many schools had legacy IT equipment that had been slowly going out of date, network security was patchy, and protocols were tired. Training school staff on usage of equipment was also under-utilised, so often investment had been made in equipment, but a lot of the staff didn’t know how to use it to its fullest potential.

Cablers was created to be a central solution for education and business. Our main ethos is to increase efficiency and minimise costs for our clients, by being a single port of call for support, software, hardware, cabling and training.

 