We don’t usually comment on cybersecurity stories but the breaking news of the issues at Travelex (as reported by the BBC) made me think about the potential loss of access to critical information in an educational setting.
From the information available, ransomware has been placed on the Travelex systems, forcing the company to shut down its online currency exchange service and revert to pen and paper across all of its sites.
Ransomware attacks form a relatively small percentage of breaches reported to the ICO (39 in the second quarter of 2019/20), but the education sector accounts for almost 20% of those reports.
Security provider Palo Alto, in its Cyberpedia resource, lists the three most common attack methods for ransomware as visiting compromised websites, malicious email attachments and malicious email links. Many of you will have received one of these emails, which have become increasingly credible in recent months.
If you do get caught by an attack there are various companies who say that they can help you recover without paying the ransom. However, it’s not uncommon for people to pay what’s demanded.
Ransomware in the Education Setting
In a school situation, a locked-up machine may restrict much more than access to your favourite games and websites. Many people hold large amounts of data on local drives, much of it including personal data and sometimes of a highly confidential nature. More recent attacks have also been shown to steal data as well as encrypt the files on the machine. Even if the ransom is paid, the data may have already been retrieved. Imagine all that information about staff or students being published online for anyone to see.
From a broader data protection perspective, the first question to ask is: Have you employed data protection by design and default? We know that data on a PC is vulnerable to this type of attack. If it’s personal data, what steps can be taken to remove the risk?
How to Protect Against Availability Breaches
Moving data off the local machine and onto some form of network storage is the obvious answer. Whether that’s in a local server or in the cloud, if the machine is compromised, moving away from local storage provides an additional level of protection.
This also solves the problems created by the use of memory sticks, an area of reportable breaches where education leads the field. If data is available online, then even if you move from location to location, it’s there for you when you need it.
It’s also worth considering whether some of the personal data should ever be leaving core systems. Most people download information because they want to manipulate it, but often this analysis can be done in the system itself.
Everyone in an organisation needs to be aware of the risk of clicking on links and attachments if they’re not sure of the origin. A golden rule is: if you’re not expecting an email, think carefully before acting on it. If in doubt, go to the supposed sender (through a different contact route) and check whether it was intended.
It’s worth remembering that computers can be lost, stolen or simply break down. It’s not only ransomware that can make the data on them unavailable. Good data protection thinking means that even if you can’t use a particular device, critical data should always be available to the people who need it.