School may be out soon for summer, but you can be sure hackers and scammers won’t be on a break. So, taking some extra security precautions before wrapping up for the school year could be the difference between having a relaxing holiday and one that’s disrupted by some cyber nasties.
Criminals don’t take vacations. In fact, quite the opposite. Globally, there are increasing instances where cyber attackers are targeting holiday periods to conduct their malicious activities.
Holidays can sometimes expose vulnerabilities in digital security because in general, and quite understandably, we’ve kicked back and relaxed, and our security defences are lowered. This is an opportune time for hackers, scammers and other unsavoury characters to try knocking down some virtual doors.
In addition, over holiday periods, organisations often run at a limited capacity for an extended amount of time, which means IT staff might not be as responsive to threats as they are during the normal working week. This can result in an ‘online field day’ for a cyber criminal, who can get prolonged access to systems and in turn create more chaos, as it takes a little longer for on-call IT staff to notice the issue before responding.
At a personal level, when people are on leave and distracted by family time and second helpings of dessert, they can be a little more susceptible to inadvertently enabling malicious activity. We all may be more laid back, less suspicious-minded and perhaps click on links we normally wouldn’t. In turn, we’re probably less likely to follow up with the IT team if something unusual has gone on with one of our accounts. This lack of monitoring and increased susceptibility can provide the vital pieces of the puzzle that allow a cyber attacker to inflict more damage than they typically would during a normal working week.
As we wind up for the year, the timing is now ideal to shore up those digital security defences and have procedures in place for responding to any active cyber threats.
Who’s on call?
Have a plan for who can do a check on your school network’s activity – this may just be a quick daily check-in by a staff member for anything that might look unusual. Also, have a plan in place for who can be called on to respond to a cyber security incident. If you have an IT provider, now is a good time to confirm what level of support they offer over the holiday period and if they can support your school or kura in the event of a cyber attack in the holidays.
Check up on back-ups
Check your usual back-up processes are working. We recommend having a cloud copy and a physical copy of your most important information. As you wrap up for the year, consider all types of data in your environment. Are there any additional security steps or one-off back-ups that it might be worthwhile running at the end of the year?
Staff and students leaving
Limit the opportunities for cyber nasties to get in. One way to do this is to ensure that accounts are made inactive for staff and students who’ll be moving on to new schools in 2023. Accounts that aren’t used regularly are gold for attackers, as they give them a little extra time looking around systems for data to exfiltrate before they get noticed. You can consider making their accounts inactive over the holidays, before removing those accounts a few months later in the new year. This allows students or staff to access (or save) any last-minute information or work they might need, or have forgotten to take with them, to their next learning environment.
As staff start to look towards planning next year, why not make a commitment to all switch on two-factor authentication (2FA) in 2023? 2FA adds another layer of defence and is the strongest way to keep cyber nasties out of school accounts. Even if an attacker has a password, they will need something else, like physical access to your phone, to get into an account. According to Microsoft and Google, 2FA can prevent up to 99 per cent of untargeted attacks from happening. It’s a crucial control measure to protect data and information at your school. It’s most important for accounts or systems that store important, sensitive, or confidential information, like email, financial accounts and student management systems.
Advice for BYOD
Lastly, if you’re a school with BYOD devices, parents are often looking for and buying their devices over the holidays. It can be hard for them to know what to purchase and if you don’t want to be inundated with requests – or end up with inappropriate devices appearing on the first day of Term 1 – point them towards help and advice. CERT NZ and Netsafe, for example, have a guide on what to look out for that could be useful to share with whānau at your school (cert.govt.nz/individuals/guides/buying-a-new-device/).
No one wants cyber nasties for Christmas. Take precautions, have a plan, be prepared … and enjoy the holidays. Ngā mihi o te Kirihimete me te Tau Hou.
Article supplied by the Ministry of Education’s Cyber Security in Schools team.
Subscribe to The Digital Download
To receive regular digital security tips and advice direct to your inbox, sign up to receive the Ministry e-newsletter, The Digital Download, at bit.ly/3Nm1tOq
Cyber security resources
Check out the Ministry of Education’s website for posters and resources to promote cyber security in your school or kura, as well as additional tips and support, at education.govt.nz/cyber-security
INTERFACE November 2022