We understand the pressure of managing your IT system – the external threats it faces, as well as risks posed by BYOD. Then there are the patches, passwords, backups and upgrades that are vital to day-to-day security.
Our secure online survey can help you understand possible weaknesses and identify the steps to address them. It gives instant tips and knowledge based on your responses, plus you’ll receive a free personalised action plan to help you prioritise your approach to securing your school’s digital environment.
You may also be interested in taking our Online Safety Review and Data Protection Review for further advice.
Your review will be full of key hints and tips to help you appraise how well prepared your school is today.
Review firewall configuration, understanding which ports are open and whether they are secure or not.
Monitor your systems for unusual activity.
Arrange for a vulnerability scan of your systems.
Check internet-facing services for security.
Consider moving to a broadband provider that will provide you with a next generation firewall included in your broadband connection.
A firewall manages access to ports, protocols and applications by filtering and inspecting traffic at the network perimeter, so that only traffic that is required to support your school is exchanged. It creates a buffer zone between the internet and your own network.
Firewalls need to be carefully managed in a controlled way so that they do not expose parts of your network without the necessary security controls.
You need to ensure that the person managing your firewall has the necessary training to ensure that it is correctly implemented and managed. It can be easy to change a setting that actually decreases the security of your network.
Some ISPs, such as RM, will also protect you against DDoS attacks, which most standard firewalls will not do without substantial cost.
Automate alerts based on risk.
Check internet-facing services for security.
It is essential to understand which parts of your network can be accessed from the internet. There are many circumstances where you allow this to occur, such as when you want your users to be able to access resources on your network from home, but this needs to be done in a secure manner.
It is also possible that some internet-facing services may contain vulnerabilities that would allow an attacker to gain access to your network.
Conducting vulnerability scans is one way to identify what internet-facing services you have and how vulnerable they may be to attack.
Remove email accounts from your admin accounts and ensure that they do not access the internet using those accounts through technical solutions or by policy.
Ensure your users only have access to the settings they need so that they cannot install malicious software or change settings that may make them less secure.
No action required
If your administrators use their admin accounts for everyday tasks then the impact of misuse or compromise will be more severe than it needs to be.
Accounts that open emails and access web content are more susceptible to common cyber attacks. Should this happen on an admin account, the attacker may be able to access the entire network, all of the school’s data or compromise servers and devices.
Once an attacker has the credentials for an admin account they could change security and account settings to effectively lock the school out of their own network.
It is recommended that you don’t use your admin accounts for any email or web browsing activity.
Ensure your users are trained so they understand potential threats and security policies you have in place.
Implement multi-factor authentication for your administrator accounts.
Implement multi-factor authentication for accounts that have access to sensitive data.
Ensure you have an identity onboarding and offboarding process so that unneeded accounts are not compromised.
Automate alerts based on risk.
Your admin accounts have access to global settings that give them the ability to make changes across the whole network and access all your resources.
Credential theft is a big risk and should an attacker manage to get access to your admin credentials, they then have access to your whole network.
Multi-factor authentication ensures that even if the credentials for your admin account are stolen, there is an additional barrier that attackers must get past to gain entry to those accounts.
You may also have users in your school who have access to highly sensitive data. It is good practice to ensure that those accounts also have multi-factor authentication so that, should their credentials be stolen, through a phishing scam for example, the attackers cannot easily gain access to that data.
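The account advice above (no mailboxes on admin accounts, multi-factor authentication for admin and sensitive-data accounts, and offboarding of leavers) can be checked against an export of your user directory. The following is an added example, not part of the original survey; the CSV column names and the sample accounts are constructed assumptions, not any product's real export format.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column names are assumptions for illustration.
SAMPLE_EXPORT = """username,is_admin,has_mailbox,mfa_enabled,sensitive_data,leaving_date,enabled
adm-jsmith,yes,no,yes,yes,,yes
adm-office,yes,yes,no,yes,,yes
h.teacher,no,yes,no,yes,,yes
s.pupil,no,yes,no,no,,yes
old.staff,no,yes,yes,no,2024-07-19,yes
"""
AUDIT_DATE = date(2024, 9, 2)  # constructed "today" so the result is repeatable


def _yes(row, column):
    """Interpret a yes/no cell from the export."""
    return row[column].strip().lower() == "yes"


def audit_accounts(export_text, today):
    """Return {username: [findings]} for enabled accounts that break the guidance."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if not _yes(row, "enabled"):
            continue  # disabled accounts cannot be signed in to
        issues = []
        if _yes(row, "is_admin") and _yes(row, "has_mailbox"):
            issues.append("admin account has a mailbox")
        if not _yes(row, "mfa_enabled"):
            if _yes(row, "is_admin"):
                issues.append("admin account without MFA")
            elif _yes(row, "sensitive_data"):
                issues.append("sensitive-data account without MFA")
        left = row["leaving_date"].strip()
        if left and date.fromisoformat(left) < today:
            issues.append("leaver account still enabled")
        if issues:
            findings[row["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_EXPORT, AUDIT_DATE).items():
        print(f"{user}: {'; '.join(issues)}")
```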
Control removable media to limit what data can be extracted to external media and potential threats that might be transferred to the network from external sources.
Do a training needs assessment for students particularly relating to the list of incidents.
Whitelist applications that can be installed on your devices.
Whitelist applications that can be used in the cloud through a portal such as RM Unify.
Remove local admin rights from your users.
Allowing your users to install software can be a security risk as some software may have security issues or vulnerabilities that you are unaware of – this is particularly the case with many instances of free software that is downloaded from the internet. This software may be passing sensitive data to third parties or leaving your devices open to access by attackers. It is also important that your users can’t change certain settings that may make the device less secure. This also means that if an attacker does manage to take control of the device, the amount of damage they can do is contained and limited.
Students are more likely to install malicious software, but even staff members may inadvertently download a piece of insecure software or change a setting that makes the device less secure. Staff also tend to have access to sensitive data, which could be at risk if the device is compromised.
Implement next generation anti-virus and anti-malware software across your school.
Regularly update your staff on the latest cyber threats and trends.
Traditional anti-virus and anti-malware solutions rely on a signature database to decide whether a file or URL is malicious. They check new files or URLs against that database to see whether they are known threats or not.
Free anti-virus software is often free because the company providing the software will use the data to help enhance their paid-for versions. You should ensure you understand what personal information may be shared with these companies.
Signature-based software can struggle with the type of attacks we see on a daily basis, where the attackers frequently change their files so that they have new signatures in an attempt to defeat the anti-virus software. Next generation anti-virus and anti-malware software uses those signatures and then also looks for similar files, where small changes may have defeated the traditional anti-virus. This more intelligent approach broadens the view of what may also be a threat.
Next generation products will also commonly approach these threats with a sandbox: files are opened in the cloud to monitor their behaviour, and a file that looks suspicious is quarantined. The same approach is used with URLs to see if the website is malicious.
This approach ensures that your users are protected against a wider range of known and unknown threats.
Implement additional security software for your email and online storage.
The current threat landscape points to email and malicious websites being the biggest cyber security threats to your users.
Whilst it is good practice to tell your users not to open emails from people they don’t know, open unexpected attachments or click on web links that they aren’t sure of – human nature means that it is easy to do all these things without even thinking about the security implications.
Adding an additional layer of security and preventing malicious emails getting through to your users in the first place is a far safer strategy than hoping your users are on alert at all times.
Your email security should also protect your users against potential phishing attacks or email fraud.
Relying on device-based software means that your users could be at risk if they use their own devices to access your school email.
Without the additional layer of security on your email, your users could be subject to fraudulent emails leading to credential theft or data loss. It could also put their devices at risk of malware.
Apply security patches and ensure that your devices have a secure configuration at all times.
Create an update and patching programme that ensures you are regularly updating your devices and servers.
Create disaster resistant backups, ideally using the cloud to host those backups.
Check additional software for updates and patches to ensure they aren’t vulnerable to attack.
Create an incident management plan, identifying what would need to be done in case of a cyber attack.
Disable unneeded protocols on your network to prevent lateral spread of threats.
Schools will need to have a secure baseline build for all their devices and any functionality that does not support a user or school need should be removed or disabled.
Critical updates to operating systems, browsers and email should be deployed within 14 days. All other security updates for other software should be deployed within 28 days.
You may want to use automated patch management and software update tools to help you stay on top of these things. Only supported versions of software should be used.
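The 14-day and 28-day windows above can be applied to a list of updates that are still pending to show which ones are already late. The following is an added example, not part of the original survey; the inventory records are constructed, and it assumes the 14-day window applies only to critical updates for operating systems, browsers and email, with every other security update given 28 days.

```python
from datetime import date, timedelta

CRITICAL_DAYS = 14  # critical updates to operating systems, browsers and email
STANDARD_DAYS = 28  # all other security updates
FAST_TRACK = {"os", "browser", "email"}  # assumed component labels

# Constructed sample of updates not yet installed; devices and dates are illustrative.
PENDING = [
    {"device": "office-pc-01", "component": "os", "critical": True,
     "released": date(2024, 8, 13)},
    {"device": "office-pc-01", "component": "browser", "critical": True,
     "released": date(2024, 8, 27)},
    {"device": "lab-pc-07", "component": "pdf-reader", "critical": True,
     "released": date(2024, 8, 13)},
    {"device": "file-server", "component": "os", "critical": False,
     "released": date(2024, 7, 9)},
]
CHECK_DATE = date(2024, 9, 2)  # constructed "today" so the result is repeatable


def deadline(update):
    """Latest acceptable install date for one pending update."""
    fast = update["critical"] and update["component"] in FAST_TRACK
    return update["released"] + timedelta(days=CRITICAL_DAYS if fast else STANDARD_DAYS)


def overdue_updates(pending, today):
    """Return (device, component, days_overdue) tuples, most overdue first."""
    late = []
    for update in pending:
        days_over = (today - deadline(update)).days
        if days_over > 0:
            late.append((update["device"], update["component"], days_over))
    return sorted(late, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for device, component, days in overdue_updates(PENDING, CHECK_DATE):
        print(f"{device}: {component} update is {days} days past its deadline")
```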
Upgrade any devices and servers that have unsupported operating systems such as Windows Server 2003 or Windows XP.
Create an upgrade and migration plan for operating systems that will soon be unsupported e.g. Windows Server 2008 and Windows 7.
Move server workloads to SaaS where possible so that the security responsibility is shared.
The latest versions of Windows Server 2016 and Windows 10 offer an enhanced set of security features and are by their design more secure than the previous versions.
The operating systems also get regular updates that patch potential vulnerabilities much quicker.
Using older operating systems means that your devices are less secure and if they are no longer supported then they are also not likely to be receiving any security patches. This puts them and the data they have access to at risk.
You should keep an eye out for information from the providers of the software so that you can plan migrations and upgrades carefully to ensure you are always on a supported operating system.