Addressing The Growing Cyber Security Risk Within Education
Over the past twelve months, the UK Education sector has seen a significant, and worrying rise in the number of cyber attacks on their establishments. Unfortunately, this is not surprising; to cyber criminals, the Education sector presents an attractive target. Not only do they hold a significant amount of personal data on their students, but due to limited funding and overstretched IT resources, they are considered a more vulnerable target.
As recent as March this year the National Cyber Security Centre (NCSC) issued an alert to the UK Education sector that it had seen a significant surge in cyber-attacks targeting education. It recommended a ‘defence in depth’ strategy to counter this threat. This follows similar alerts from NCSC in August and September last year highlighting a significant increase in Ransomware attacks on the Education sector.
The Drive to Tighten Security
Schools, colleges and universities are all being encouraged to take action to protect themselves and their information from cyber-attacks and this is now not only a recommendation, but mandated action to protect funding.
Last year the Education & Skills Funding Agency announced that for the funding year 2020 to 2021, education would have to meet the requirements for Cyber Essentials with the progression to Cyber Essentials Plus for the 2021 to 2022 funding year.
This drive to tighten security will require education establishments to have in place the five core areas of Cyber Essentials:
• Boundary Firewalls & Internet Gateways
• Secure Configuration
• User Access Control
• Malware Protection
• Patch Management
What is significant is that the mandate of Cyber Essential Plus moves this requirement from a best endeavour to an audited and certified standard.
The Patching Challenge
Whereas there is work to be done across each of these five areas, the one that may pose the biggest challenge is patch management, but it is also the one that can have the greatest impact on mitigating risk.
We regularly quote the research by Security Boulevard that showed that almost two thirds (60%) of cyber-attacks and breaches are as a result of a vulnerability where a preventative patch is already available, it just had not been applied.
The recent Microsoft Exchange breach is a perfect example, where initially a very targeted attack found a vulnerability. As Microsoft released a patch to address this, it became a hacker’s paradise to exploit the gap before IT teams around the world got around to deploying the patch.
Given the importance of patching, why does it prove so challenging for organisations to keep up to date? In simple terms, it is time-consuming when resources are limited, it is complex to manage, especially in environments with many servers, and it normally requires to be performed out of hours where availability of resources is even more scarce.
Is Patching-as-a-Service the Answer?
At NAK, we definitely believe so. We have been providing this for many years and have a range of customers across the private, public and charity sectors. The reason this is so successful is that patching stops being just another task for the internal IT team and becomes a defined managed service along with a set of stringent SLAs.
For our customers, we manage the end-to-end process, we monitor the server estate and the patches that are made available in the regular update cycles. We understand the dependencies on each server and when patching is required to minimise disruption. We then have a meticulous process in place that schedules, implements, tests and releases each patch into the production environment in a time-critical manner.
This delivers a number of key benefits: first it relieves the pressure on overstretched internal IT teams, especially when asking them to work out of hours. Secondly, it ensures that a major security risk factor is addressed quickly and effectively, and third, it creates a documented and auditable log of the steps you have taken to manage patching, a key requirement of Cyber Essentials Plus.
If you would like to discuss your patching challenges and explore how our Patching-as-a-Service can help you, we would be more than happy to talk. Simply contact the team on 0300 456 0471 or email us email@example.com.