Wed, Nov 6, 2019
Educational institutions today are too often proving to be high-value, low-risk targets for cyberattackers. Criminals are not only drawn by the wealth of student and staff personal data that schools hold. They have also found it lucrative to leverage malware (such as banking Trojans and ransomware) within educational systems for financial gain. Hard-to-manage mobile environments, security investments that don’t keep pace with evolving threats, or security cultures that are not fully developed are common vulnerabilities putting schools at risk, no matter the grade level, size or geographic area served.
The education sector in Australia and New Zealand has seen its own surge of cyberattacks. For example, in October 2019, the company managing internet services for schools and kura in New Zealand recorded a 54% increase in the number of cyber security threats it had blocked for schools between the second and third calendar quarters of 2019. Also in October, a large university in Australia released a public-facing report detailing a major data breach that happened in late 2018.
Imagine a scenario where you discover that your educational organization has experienced a cyberattack. Your ability to answer four key questions will directly affect how successfully your organization can address the expectations of regulators, students, staff and other stakeholders:
Your educational institution will find it considerably more difficult, if not impossible, to answer these questions without the benefit of following some fundamental security practices. Two components that play a critical role in digital forensics investigations are logging practices and backup policies and procedures.
When digital forensics investigators are called in, they will immediately work to preserve and triage data to gain an understanding of what’s happening in the victim’s systems. In many cases, the digital forensics investigator concludes that the attacker deleted some of the logs, and organizations must unfortunately confirm there are no out-of-band backups. This is when many organizations discover in hindsight how overwriting logs every 30 days to save on storage costs can ultimately prove extremely expensive.
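The retention problem described above is easy to audit before an incident rather than discover during one. The following Python script is an added example, not Kroll's tooling or anything from the original article: for each log source it compares the oldest entry still on the producing host with the oldest entry in an out-of-band copy, then reports whether the source meets a retention policy, whether it covers a given incident window, and whether it would still cover that window if the attacker wiped the host. The source names, dates, 120-day incident window and 365-day policy are constructed assumptions.

```python
"""Forensic-readiness check for log retention (added example, constructed data).

Assumptions: each log source knows the oldest entry on the host itself and, if
logs are shipped off-host, the oldest entry in that out-of-band copy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LogSource:
    name: str
    local_oldest: datetime              # oldest entry still on the producing host
    offhost_oldest: Optional[datetime]  # oldest entry in an out-of-band copy; None if never shipped


def effective_oldest(src: LogSource) -> datetime:
    """Earliest timestamp recoverable from any copy while the host is intact."""
    candidates = [src.local_oldest]
    if src.offhost_oldest is not None:
        candidates.append(src.offhost_oldest)
    return min(candidates)


def assess(sources, now: datetime, incident_start: datetime, policy_days: int):
    """Return one finding per source.

    meets_policy     - best available copy holds at least policy_days of history
    covers_incident  - some copy reaches back to incident_start
    tamper_resilient - the off-host copy alone reaches back to incident_start,
                       i.e. evidence survives deletion of logs on the host
    """
    findings = []
    for src in sources:
        local_days = (now - src.local_oldest).days
        offhost_days = (now - src.offhost_oldest).days if src.offhost_oldest else 0
        best_days = max(local_days, offhost_days)
        findings.append({
            "source": src.name,
            "local_days": local_days,
            "offhost_days": offhost_days,
            "meets_policy": best_days >= policy_days,
            "covers_incident": effective_oldest(src) <= incident_start,
            "tamper_resilient": (src.offhost_oldest is not None
                                 and src.offhost_oldest <= incident_start),
        })
    return findings


# Constructed sample: three sources, all rotated on the host after 30 days.
NOW = datetime(2019, 11, 6)
SAMPLE_SOURCES = [
    LogSource("web-proxy", NOW - timedelta(days=30), None),                        # never shipped
    LogSource("auth",      NOW - timedelta(days=30), NOW - timedelta(days=400)),   # shipped, long retention
    LogSource("vpn",       NOW - timedelta(days=30), NOW - timedelta(days=90)),    # shipped, short retention
]
INCIDENT_START = NOW - timedelta(days=120)  # assumed: intrusion began ~4 months before discovery
POLICY_DAYS = 365                           # assumed retention policy


def report(findings):
    """Human-readable summary, one line per source."""
    lines = []
    for f in findings:
        flags = ", ".join(k for k in ("meets_policy", "covers_incident", "tamper_resilient") if f[k])
        lines.append(f"{f['source']:10s} local={f['local_days']:>3}d offhost={f['offhost_days']:>3}d "
                     f"ok=[{flags or 'none'}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(assess(SAMPLE_SOURCES, NOW, INCIDENT_START, POLICY_DAYS)))
```

Run against the constructed data, only the `auth` source passes every check: the proxy logs were overwritten long before the incident window begins, and the VPN logs are shipped but to a store that keeps only 90 days, so neither would let an investigator scope a 120-day-old intrusion.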
The inability to accurately determine the scope of the incident, particularly in the context of a notifiable data breach, can lead to several repercussions that might have been avoided or better mitigated. These include potentially higher notification costs, stress on data subjects, erosion of stakeholder trust and reputational and brand damage.
If we continue with our scenario, imagine investigators establish that 10,000 student records, including their driving license details and passport information, have been exfiltrated. Your external counsel confirms this is a notifiable breach under the Australian Privacy Act (to which you are subject), based on the nature of the information compromised and the assessment that the breach is likely to cause serious harm to those individuals.
With time of the essence, where do you start? Educational institutions that have proactively created and updated a breach notification response plan can immediately activate their preselected support team. This team generally includes internal stakeholders, external counsel, an experienced data breach response service provider and crisis communications experts.
Your breach notification partner can draft and send customized notifications to your breached population in line with the requirements of the Australian Privacy Act. In choosing this partner, look for a firm with the resources and experience to support your efforts with services such as call centers staffed with multilingual representatives, FAQ development, and website development and maintenance, as well as consultation and restoration services, identity monitoring and/or credit monitoring for affected data subjects.
Kroll manages over 1,500 cyber investigations per year and has handled thousands of breach response engagements globally. Based on our experience and the guidance issued by industry standard security frameworks (e.g., the NIST Cybersecurity Framework, CIS Critical Security Controls and ISO/IEC 27001:2013), there are best practices that can assist educational institutions in lowering their risk and mitigating the harms from a cyber event, particularly notifiable data breaches.
The Australian university that decided to share the learnings from its data breach marked an important departure from the typical approach of most organizations today. Certainly, many valid factors can influence organizations to not publicize the details of a cyberattack. We do know that cyberattackers will continue focusing their attention on educational institutions as long as they are perceived to be an easy target. But information-sharing – along with following basic cyber security best practices – may prove critical to helping educational institutions strengthen their cyber security posture and maturity, as well as preventing others from succumbing to the same attacks.
Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.
Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.
Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.