Educational institutions today are too often proving to be high-value, low-risk targets for cyberattackers.
Criminals are not only drawn by the wealth of student and staff personal data that schools hold. They have also found it lucrative to leverage malware (such as banking Trojans and ransomware) within educational systems for financial gain. Hard-to-manage mobile environments, security investments that don’t keep pace with evolving threats, or security cultures that are not fully developed are common vulnerabilities putting schools at risk, no matter the grade level, size or geographic area served.
The education sector in Australia has seen its own surge of cyberattacks. For example, in October 2019, the company managing internet services for schools and kura in New Zealand recorded a 54% increase in the number of cyber security threats it had blocked for schools between the second and third calendar quarter of 2019. Also in October, a large university in Australia released a public-facing report detailing a major data breach that happened in late 2018.
Lay The Foundation Now to Facilitate Critical Investigations Later
Imagine a scenario where you discover that your educational organisation has experienced a cyberattack. Your ability to answer four key questions will directly affect how successfully your organisation can address the expectations of regulators, students, staff and other stakeholders:
- How did the attacker get in?
- When did the attacker get in?
- How did the attacker move laterally?
- Did the attacker exfiltrate any sensitive data?
Your educational institution will find it considerably more difficult, if not impossible, to answer these questions without the benefit of following some fundamental security practices. Two components that play a critical role in digital forensics investigations are logging practices and backup policies and procedures.
When digital forensics investigators are called in, they will immediately work to preserve and triage data to gain an understanding of what’s happening in the victim’s systems. In many cases, the digital forensics investigator concludes that the attacker deleted some of the logs, and organisations must unfortunately confirm there are no out-of-band backups. This is when many organisations discover in hindsight how overwriting logs every 30 days to save on storage costs can ultimately prove extremely expensive.
The inability to accurately determine the scope of the incident, particularly in the context of a notifiable data breach, can lead to several repercussions that might have been avoided or better mitigated. These include potentially higher notification costs, stress on data subjects, erosion of stakeholder trust and reputational and brand damage.
Get a Head Start with Breach Notification Preparation
If we continue with our scenario, imagine investigators establish that 10,000 student records, including their driving license details and passport information, have been exfiltrated. Your external counsel confirms this is a notifiable breach under the Australian Privacy Act (to which you are subject), based on the nature of the information compromised and the assessment that the breach is likely to cause serious harm to those individuals.
With time of the essence, where do you start? Educational institutions that have proactively created and updated a breach notification response plan can immediately activate their preselected support team. This team generally includes internal stakeholders, external counsel, an experienced data breach response service provider and crisis communications experts.
Your breach notification partner can draft and send customised notifications to your breached population in line with the requirements of the Australian Privacy Act. In choosing this partner, look for a firm with the resources and experience to support your efforts with services such as call centers staffed with multilingual representatives, FAQ development, and website development and maintenance, as well consultation and restoration services, identity monitoring and/or credit monitoring for affected data subjects.
Adopt Best Practices from the Front Lines
Kroll manages over 1,500 cyber investigations per year and has handled thousands of breach response engagements globally. Based on our experience and the guidance issued by industry standard security frameworks (e.g., the NIST Cybersecurity Framework, CIS Critical Security Controls and ISO/IEC 27001:2013), there are best practices that can assist educational institutions in lowering their risk and mitigating the harms from a cyber event, particularly notifiable data breaches.
- Inventory sensitive data. Know where data is captured and stored. This understanding directly informs the strategies you can employ to more effectively protect it.
- Create an incident response team. Enlist internal subject matter experts and resources enterprise-wide as well as external support partners, such as breach counsel, cyber insurance brokers, crisis communications experts, and digital forensics, cyber investigations and breach notification partners.
- Arrange mutual services agreements and/or execute retainers with external counsel, insurance companies and investigations partners to save time in the event of an incident
- Establish, practice and regularly update an incident response plan. Incident response team members must be clear on their assigned duties and be confident they can carry them out when needed. Practicing the incident response plan can isolate or uncover unforeseen gaps and provide the opportunity to update tactics or resources accordingly.
- Assess the cyber maturity of your organisation. A comprehensive security assessment performed by an independent, experienced cyber security firm can provide your organisation with a data-driven strategy for those areas where security investments should be prioritised. For those organisations looking to fast-track their efforts, especially until more permanent staff can be recruited, enlisting the expertise of a virtual CISO can provide the leadership to make an immediate difference.
Sharing Cyber Learnings May Help Protect the Education Sector
The Australian university that decided to share the learnings from its data breach marked an important departure from the typical approach of most organisations today. Certainly, many valid factors can influence organisations to not publicise the details of a cyberattack. We do know that cyberattackers will continue focusing their attention on educational institutions as long as they are perceived to be an easy target. But information-sharing — along with following basic cyber security best practices — may prove critical to helping educational institutions strengthen their cyber security posture and maturity, as well as preventing others from succumbing to the same attacks.
About the Authors
Keith Wojcieszek is an associate managing director in Kroll’s Cyber Risk practice. Keith joined Kroll from the United States Secret Service, where he served with distinction for 15 years. Keith is a strategic problem-solver, who draws on not only his wealth of advanced technical expertise, but also his extensive experience working with diverse international stakeholders on complex transnational investigations and initiatives.
Louisa Vogelenzang is an associate managing director in the Identity Theft and Breach Notification (ITBN) team of Kroll. Louisa joins Kroll after a distinguished career leading security technology, services and teams for Australia’s largest telecommunications group, a global systems integrator and managed services provider, as well as for the Australian government as part of its Cyber Resilience Task Force. In her new role, Louisa leads the expansion of Kroll’s ITBN practice in Australia and across Asia Pacific, helping organizations prepare for and comply with regional data breach notification laws as well as assisting consumers impacted by identity theft.