Schools and kura send, receive and store a lot of private information such as students’ names, ages, contact details, academic records and history as well as private information about their staff. Some of this is more sensitive data, such as student health records and staff performance.
As a result, like any business, schools could be vulnerable to cyber attacks. Maintaining the safety and security of ākonga and kaiako is a top priority for school management and boards. Therefore, it is crucial that they remain vigilant in safeguarding personal information. This is why it’s important to understand how to mitigate security compromises such as a business email compromise (BEC).
What are business email compromises
Business email compromises (BEC) are as serious as they sound, especially as they may involve privacy breaches. A BEC happens when a cyber attacker gets access to your school email account to carry out malicious activity. This can happen via phishing (for example if a school teacher clicks on a phishing email and enters their credentials). As school emails often hold a lot of information and have large contact lists (such as parents of your students), private information can potentially be accessed by a sophisticated attacker and the acquired data could be published or offered for sale on the dark web.
The scale of the problem
Microsoft recently reported a jump in BEC activities and according to CERT NZ phishing and credential harvesting remains the most reported security incident category and it increased in 2022 by 16% compared to 2021. The Office of the Privacy Commissioner (OPC) reports that there has been a 41% increase in the number of serious privacy breaches reported by organisations in New Zealand over the past year.
The media regularly report on the impact of these cyber attacks. For example, in March 2023 an attacker was able to obtain employee login credentials from a financial institution which resulted in private details of 14 million customers stolen, including passport numbers, financial statements, and driver’s licence numbers of 7.9 million Australians and New Zealanders. This made it the biggest data breach ever recorded in New Zealand. Overseas, American school districts and colleges/universities have experienced 2,691 data breaches, affecting nearly 32 million records since 2005.
How schools can mitigate the risks
It’s important to ensure your school has technological solutions in place. These include implementation of two-factor authentication and N4L’s Email Protection solution. And N4L’s Security Services team is helping in the background as well. We proactively block many BEC scams, phishing attacks, ransomware and advanced malware before they reach schools’ inboxes. Indicators picked up at one school can be searched across other schools by our team to highlight where others could also be at risk and proactively reach out to them.
Technology can’t mitigate the risks entirely however, this is where security education of staff and students comes in. Similar to a firewall, a human firewall can help prevent cybersecurity breaches. It’s important to train everyone to effectively handle their data and ensure that your school does not suffer any data loss. Spotting an issue takes practice, and to help, we’ve previously published some tips on how to identify and prevent a phishing scam.
Why it’s important for schools to report breaches
According to CERT NZ “It’s critical that your people understand the security risks your organisation faces so they can play their part in the protection of your systems. You can empower them to do this by providing appropriate security awareness training, programmes, and tools.” Collectively we need to ensure this culture exists at all levels. Within schools, staff should feel able to report if they think they’ve been phished to their management.
In Aoteroa New Zealand there is a requirement to report notifiable privacy breaches to the Privacy Commissioner and affected individuals. Read more about when and how to do that and how N4L can support you throughout the process.
If you want to find out more about business email compromise check out CERT NZ resources.
If your school has a compromised email, please work with your IT provider first and inform N4L and/or the Ministry of Education next.
Please contact our Customer Support team on [email protected] if you wish to sign up for a fully funded Email Protection solution for your school.