The global pandemic, and in particular the resulting lockdowns, have brought into even clearer focus the need for effective IT systems and processes to combat the ever-increasing number of cyber threats.
Unfortunately, being an educational establishment delivering a public service does not mean that there is any less risk of being subject to some form of phishing, smishing, ransomware attack or similar, and over the last 12 months we have become aware of all too many actual or attempted cyber-attacks on the sector. Where these have succeeded, the impact has been significant and lasting across the medium term. In the light of this, there are some key things that Trusts should be thinking about to reduce their overall level of cyber risk.
[Chart: Percentage of organisations that have identified breaches or attacks in the last 12 months. Based on 1,419 UK businesses; 135 primary schools, 158 secondary schools and 57 further education colleges.]
Education, Education, Education
One of your best forms of defence will always be the awareness of staff of the most likely forms of cyber-attack, particularly phishing emails and smishing texts. Such awareness may prevent an employee from opening or responding to a suspicious email which could inadvertently open the door to a would-be hacker. Keeping cyber awareness high on everyone’s agenda, through regular updates, warning messages or dedicated awareness sessions where required, therefore helps to reduce the risk. As the nature of cyber threats continues to change, it is important that awareness of the different methods fraudsters utilise is frequently communicated to staff.
IT Infrastructure Resilience
Ensuring that your IT systems and processes are resilient and provide reasonable protection against cyber threats is fundamental to safeguarding the organisation. Some of the key processes around resilience are to ensure that:
- Patch management controls are effective
- Firewalls are in place
- Anti-virus software is up to date
- Devices and software are up to date
- Access to IT systems and processes is secure.
As a minimum, it is recommended that Trusts seek ‘Cyber Essentials’, if not ‘Cyber Essentials Plus’, certification, as this helps to provide you with assurance that you have the essential IT security arrangements in place to support you in preventing a cyber-attack.
IT Strategy
Knowing what IT systems and structures you have in place, and, more importantly, how you are going to develop these, is key to ensuring that your IT continues to support the growth and development of the Trust. We have seen a number of examples where there has been a lack of vision or co-ordination regarding IT services, with support services, in particular, being provided by a range of different organisations through contracts inherited from legacy organisations. Such an approach has often led to a lack of consistency of systems, services and support throughout the organisation, with some parts of the Trust not receiving an appropriate level of service. We would therefore recommend that, as part of any review of your IT Strategy, the levels and types of IT support provided are reviewed across the Trust and rationalised where possible to ensure consistency and quality of service across the organisation.
Governance and Reporting
To what extent is IT considered one of your key risks, and to what level is IT expertise represented on the Board and/or present in risk and strategy discussions? Given the increasing dependence on IT for the delivery of services, it is important that there is an appropriate IT voice in major discussions on strategy, planning and investment, to ensure that any decisions are made with appropriate knowledge of the IT risk environment within which the Trust operates.
Seeking Assurance
We would expect coverage of key IT processes, and in particular those around cyber risk management, to feature in any internal audit strategy for a Trust, so that the Board, via the Audit Committee, receives independent assurance over the effectiveness of control arrangements. Even where such assurance is not provided via internal audit, the Audit Committee should play a central role in ensuring that such assurance is regularly sought and provided, and that where weaknesses are identified, they are addressed in a timely manner.
Whilst the level of risk can never be completely eliminated, the implementation and maintenance of a strong IT control framework will help to significantly reduce both the likelihood and impact of any cyber-attack on the Trust.
Key Terms:
Phishing:
The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Smishing:
The fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.
Malware:
Software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.
Ransomware:
Malware planted illegally in a computer or mobile device that disables its operation or access to its data until the owner or operator pays to regain control or access.
Get in Touch
If you would like any guidance or further information on establishing a comprehensive internal audit strategy or advice on cyber-security matters, please get in touch with your regular advisor or local office.