Since early 2020, Australian schools have demonstrated remarkable adaptability and innovation, but they are also now at the forefront of a less than welcome trend.
In a July 2021 report, education was found to be the industry attacked most by global cybercriminals, with a rise of 17% from the first half of the year1. Little wonder, then, that as the government moves to mandate adherence to the ACSC’s Essential Eight security measures, education is high on the list for compliance. It is a test that has challenged most government entities. So, are schools ready for the task ahead, or do they need some extra study to lift their grades?
Over the last 20 years, school IT leaders have guided their organisations into the digital era, and the role of technology in the classroom has evolved dramatically. Even before COVID-19, students were largely moving from notebooks and textbooks, to paperless learning. Most schools adopted a tactical (and sometimes haphazard) approach, doing what they could to stretch resources to deliver the best student learning environment.
Undoubtedly, schools are responsible for highly sensitive data, and the 2020 ransomware incident involving a NSW Grammar School was a wake-up call. ICT managers have been pleading for additional funding from their boards and councils to bolster security, but many feel they are shouting into a void. The Essential Eight mandates may help to progress the conversation more urgently, so while challenging, we see this as a good thing. With specialist security expertise in short supply though, the task is far from simple.
Of the 60+ schools that I have met with recently, four distinct “tribes” have emerged:
The split across the groups is around 50:20:20:10.
With schools experiencing growth, many invested capital funds on building programs; with university-style buildings, flexible classroom spaces, new gyms and performing arts centres at the top of the must have list. To be fair, a significant portion of these facilities were funded by government grants, benefactors, and fundraising. Schools’ reputations hinge on campus facilities, teachers, curriculum, and co-curricular programs, so it makes sense.
However, at the same time, cybersecurity tops the risk-register for many school councils and boards; with leaking of personally identifiable information of parents, custody arrangements, and student data an enormous concern. Despite the danger, little is currently spent on understanding cybersecurity risks, so why doesn’t this add up to action?
From experience, there are two major factors:
As any great PE teacher will tell you, training and preparation are the keys to success on the sports field. The same applies to cybersecurity. Many large organisations seldom do incident response plans, let alone schools. However, many valuable lessons can be learned by rehearsing cyber incidents in a safe environment, before the event. Uncover the oversights in your systems, processes or people now before the real disaster hits. Regularly testing your Disaster Recovery, Business Continuity and Incident Response Plans will prepare you to enter the contest with cybercriminals with confidence you can win.
Few things are more stressful than being in the middle of a cyber incident, locked-out of your own systems, juggling demands for ransom payment and a school at a standstill. Here’s some prep work that should be made a priority. As one of my teachers often said, “You will be examined on this at some point, so you’d better understand it.”
Do these four things and you will have a good foundation to inform future technology projects and make a stronger business case for resourcing and budget. This is essential preparation for any school’s cybersecurity test.
As Microsoft’s largest Australian partner, Data#3 also offers a range of free Microsoft 365 workshops to approved customers. There are 12 workshops including threat protection, securing identities, sensitive data, endpoint management and much more – talk with our security experts to book your free workshop today.