
A
You're listening to ASBO International's School Business Insider. I'm your host, John Brucato. Each week on School Business Insider, I sit down with school business officials and industry experts from around the world to share their stories and explore the topics that matter most to you. Find out what it means to be a school business official and get your insider pass on all things school business. Hi, everyone, and welcome back to School Business Insider. Today we're tackling one of the most pressing and fast-growing challenges facing school districts: cybersecurity. Schools hold sensitive student, staff, and financial data, making them prime targets for cybercriminals. And when an attack happens, the impact can be devastating. Joining me today is Jonty Mongan, global head of Cyber Risk Management at Gallagher Cyber Risk Management in London. Jonty has been on the front lines of some of the most challenging and complex cyber incidents worldwide. And today he'll share what really happens in the early hours of an attack, the long-term impact on victims, and practical steps school business officials can take to safeguard their districts. For if you're ever wondering how cybercriminals operate, what makes schools vulnerable, and which defenses really work, this conversation will give you both a sobering look at the risks and the tools to be prepared. Jonty, welcome to SBI. Happy to have you today.
B
Thank you for having me, John.
A
Absolutely. So why don't you kick it off, give our listeners a little bit of context of who you are and what Gallagher does and really, where is your place in the world of cyber risk management?
B
Okay, so an interesting one, as you said, based out of London, Gallagher. Most people will know them as a global insurance broker, which is, you know, that is exactly what they do. But they have a division within it led by myself, that is all about trying to stop the problem happening in the first place. So we have a team of 40 individuals, all highly skilled cyber experts and 25,000 clients in 38 different countries. And, you know, talking about education today is a particular passion of mine because I do think it has components to it that no other sector has. So when we get into that, and again, for those that also have children, it's particularly personal when an attack happens in the education sector. So our team have been doing this for seven years now and we deal with all manner of cyber attacks, stuff that you see in the news, down to stuff that would never make the news. But yeah, really looking forward to talking to you today about all of it.
A
You mentioned trying to stop the problem before it actually becomes a problem. Do you focus on schools and in your clients on a stronger defense? Is there something you're doing in terms of being more on the offense? What does that mean to kind of help mitigate that problem before it becomes one?
B
Well, we have a theory in our team that we prevent the preventable incidents. And some of the stuff that I'm going to be talking to you and your listeners about today is about actually how to do that, how to practically prevent the preventable incidents, because there are some early warning signs that the education industry could be looking at to say, hey, actually we're seeing an uptick in things that look like strange behavior or could lead to an incident happening. And, you know, there's outliers where actually that could have never been predicted, but there's definite things that every business can do that would give them a kind of a head start.
A
When I was doing the introduction, I had given a couple of examples of why schools have become such large targets for cybercriminals. But could you kind of give us a little bit more insight on that, a little bit more detail why schools as of late have really become a larger target? And are you seeing increased targeting of schools? Are they becoming an easier place for cybercriminals to extract data from?
B
Yeah. So why would a group of cybercriminals go after the education industry? Well, if we take it back to its basics, John, if we were to set up our own cyber gang, the only way that we make money is if we get funds from the people that we're attacking. And one of the core drivers of receiving a payment of some kind from either the insurance company or the business itself is leverage. And one thing that the education has over any other industry is the ability for the cyber attack to become very personal. I know you have children. I have children. If you are the owner of a school or you run a college or a university, you're dealing with people where their parents or carers are incredibly passionate about the safety of those individuals. So naturally, if you're a cyber gang attacking a school and getting it right, you have immediate leverage because everybody involved in that attack doesn't want any harm to come to the individuals. Now, if you take a, you know, just as an example, a manufacturing business that doesn't really hold any intellectual property, but they make components en masse. One of the leverage points here, like the passion, it. I wouldn't necessarily say it's gone, but it's nowhere near the same as, Dear Mr. Mongan, we have your child's information and we're going to publish it, you know, it's all of your son's medical records, etc. That just takes a completely different tone to it. So again, if the odds are we are far more likely as a criminal gang to receive a payment from the education industry, that naturally then puts the education industry on a stage. And again, we've seen that with our clients. The types of attacks are largely extortion based, leveraging exactly what I've just said. You know, dear business, please pay or all of this children's information will be put into the public. And that's going to annoy a lot of parents and you'll probably face a lot of class action suits.
And again, you just don't get that with a manufacturing organization.
A
And when you talk about leverage, what are you typically seeing happen when a cyber attack is launched? Are they getting access to personal information, student personal information, and leveraging a threat against that to get money directly from the school district, or are they in turn taking that data and selling it on the dark web somewhere?
B
So it's a really good question if I talk you through the anatomy of a perfect attack. And this is something that we see almost every single time now. And when I first started in this industry, let's say 10, 10, 11 years ago, the attack style was different, but over the last year it's almost carbon copy the same. So an attacker will find their way onto the network and sit on that network for let's say, three months. And within that three months reconnaissance period, they will figure out, it's usually a group of people, they will figure out where in respect to the education industry, where the student data is kept, where the sensitive student data is kept, where the staff and then the staff medical records are kept, et cetera. They do a whole, okay, that belongs to there, that belongs there, et cetera, et cetera. And within that three months they go undetected and towards a week before the attack, they start to look at, okay, where are the backup files, where's the antivirus, what do I need to turn off and delete so that this attack leaves me at the maximum point of leverage? The attack is generally done on a weekend when the staff count would be lower or it's harder to get a hold of people. And by the point that they press go, within that three months, they would have pulled off, let's say six to seven terabytes of children's information. So even if the school can get back up and running, the criminal gang still has a huge amount of personal data that actually the leverage point is not pay me to give your network back. It's pay me to not use this data in the public. And it's called double extortion. And some of the largest attacks that you're seeing in the headlines now are largely that it's a double extortion attack, where the network being operational is almost becoming secondary to the fact that they have the data and they know that that can cause more damage long term to a business or particular sector, such as the education industry.
A
And these cyber criminals that are exercising double extortion, in your experience, are they stand-up citizens once they get their money and do they hold onto that data or give it back to the school district, or do they just take the money, turn around and release it to the dark web and get paid again?
B
Well, what is really dark about this whole thing is there is honor amongst thieves. So let's say, for example, again, it's me and you setting up our criminal gang business. We attack said school and they pay, we give them their files back. And then their colleagues in the neighboring district also get attacked by the same people. They say, did they give you their files last time? Yes, they did. So you start to build confidence with these criminals. And I think, again, this is. I've been really passionate to talk about this today. There is something to me that's become so twisted about cyber criminals and the fact that these type of attacks are kind of headline newsreels. The thing that kind of personifies cybercriminals, for me, it's the cowardice nature of it. You know, any of the crime. You see, it generally is universally understood that that's revolting behavior. But there is. It does feel like there's some kind of glamour or something slightly more shiny about cybercrime almost. You know, it's a bit of magic. And for me, it's the absolute opposite. These are faceless criminals who know they won't get caught and actually have no real barrier. I mean, attacking an education industry where they stand to do only good things. This isn't the narrative or this is a big corporate that makes a ton of profit. This kind of really hit me. There was a huge attack in England on the National Health Service almost 10 years ago. And I remember standing in one of the hospitals I was working with at the time, talking to the head of IT there, and I said, what's your biggest fear? And it wasn't that they couldn't get the network back. It was that if the criminal gang had changed the data records to every patient, they had that for them would have been almost a compounding issue because you start to prescribe medicine to people that actually we don't know if this person has an allergic reaction to this, if this is even know who I'm actually talking to.
And I do think there are similar situations in the education industry. You know, I've done a lot of work with lots of schools and you know, the amount a school would know about a student is it's quite a deep set of data, medical records, history, special education needs and again, if you're a manufacturing business, you don't get to know that kind of stuff. But anyway, coming back to the point and the style of the attack and you know, is there always this? You pay and you get your files back? I can honestly say in my eight years of dealing with this at Gallagher, every single time the attacker has provided what they said they would. And true to their word, you know, if you don't pay, generally the data is put onto dark web forums and then you know, a business is involved in a long tail claim of I can no longer get a credit card because of your incident or my child actually struggles with getting a Social Security number because it was taken in your breach and we're going to pursue damages, et cetera. So again, this is, it's a really important topic for me. And again, ever since I've had children myself, it definitely takes a different tone because I would be one of those parents that would be very passionate about. Your security systems have not been good enough to protect my children and now they are likely to have some issues going forward with anything online. I mean yourself, you have children, could you imagine you being manana over the event of leaking your child's information, potential medical records? You know, no father's going to say that's absolutely fine.
A
Yeah, I consider myself a pretty level headed individual, but you know, even that hypothetical gets me a little stirred up. So no, I don't think I would be pretty even keel about that scenario playing out. You mentioned that cybercriminals often sit on a user's network for three months and just really monitor activity. With more and more products going cloud based and being hosted by the individual company of which they're being offered. Are you seeing that as an advantage to protect data or does it really not matter it's hosted on premise or in the cloud?
B
The on premise cloud. There's a couple of issues. Let's say for example, we take 100 schools in the US and they all use the same platform. Now from an insurance and a cybercrime perspective, the attacker has to find a problem with that one product and he or she gets to impact 100 different schools. So, you know, this cloud consolidation definitely has a risk of systemic threat. That is attacker finds one issue and he or she is able to impact hundreds of businesses where the whole on prem piece, that wasn't possible. However, on the opposite side, because these large organizations that run these third party IT systems, they generally have a much larger budget to invest in cybersecurity and with that, by default, you're generally accessing a more proven and secure product. I think where we still see a bit of a gap is let's say, for example, school has a third party IT company that the school doesn't overly monitor or overly insist that they operate with certain security controls and almost takes it at face value that whoever they have to work on their systems on their behalf will treat that network and the data within it with the same kind of severity that they do. So again, when we get towards the end of our conversation today, I do want to leave everybody with some top tips from when we've seen it go bad.
A
Right. So it's kind of mapped out a hypothetical scenario a few minutes ago, but can you walk us through what really happens in the early hours of a cyber attack? What are those first moments, like you mentioned, oftentimes happening on a weekend and maybe when there aren't as many eyes on systems, but tell us what in those early hours of a cyber attack, what's going on?
B
So I have left my phone on loud over the weekend for the last seven years and almost every call I get when it's a cyber attack is usually between 2 and 4am and it's usually the IT manager that is phoning me to say, Jonty, we need some help. I've just been called in, something's not right. And at that point when it's the something's not right, it's generally a good indication of how bad the next four, six weeks, three months is going to be. Because if it's not great, the screens are off or you know, we've got things on screens that are saying actually we've been encrypted. Arguably that's better because we've got closer to actually we know what's going on. It's not uncommon for we don't know what's going on. We need some help, we need to mobilize a team. And all I can kind of say at this point, it really does depend on the business, but it can be organized, stressed chaos, because so many questions are happening at the same time. And almost, you know, the brain server power cannot answer all of these questions. So I'll give you five straight off the bat. Who do we know or who do we have on standby that can come into this business, take out hard drives and start to image them to try and find an early indication of what's going on? So who do we know generally that creates blank faces? Are we insured and is this covered under our insurance policy? Who's the person that we call? Does it work on weekends? Am I going to lose my job? I don't know how this happened. Who do I call? Do I tell my CEO now? Do we tell the FD now? Who do I know on site that can actually. Who works for the school who can actually get to site and help me? Those are kind of the questions that come straight to me within the first sort of five minutes of this incident unfolding. And what we try to do is to guide the organization through the practical steps to speed up time on getting into what we hope to be a working network.
And there's frameworks and there's things that businesses can do, but from someone that deals with this day in, day out, you can have an incident response plan and you can trial and test it. And don't get me wrong, those are things that we recommend and they are good. But fundamentally what I see is really important is the leadership of that business. They can change the color of the response quite significantly. I've had many incidents where the CEO or the head of the school, you know, go straight into a blame kind of culture. Why is this happening? You know, shouldn't have you been looking at this? We've been saying this for years, you know, all that kind of stuff. Or those that accept their current fate and mobilize a supportive team and galvanize the resources that they can, because fundamentally, the IT team that are going through this, it's not uncommon for them to go off with stress because you're being attacked, your credibility is being questioned, and you need to kind of rationalize both of those things whilst getting this entire network back up and running, usually on no sleep. I have a story where the IT manager didn't go home for a week, just slept in the building. And you know, when we say slept, that's kind of tried to sleep. But again, depending on the size of the operation, you know, we could be talking millions per day, if not tens of millions. So, yeah, in answer to your question, the first couple of hours, usually early morning, of a weekend. And a part of my job is just to calm everybody down and kind of, you know, make note. This is really common and these are the steps we now need to go through and basically buckle up for the next couple of months.
A
You know, while we're on the topic of personnel and who's running IT and the IT department themselves, are you seeing a trend in who's being hired to lead IT departments in schools? Because I think traditionally directors of technology really have come from the curriculum side of the house and are able to integrate technology into the classroom and they don't necessarily have global data center experience in combating cyber threats. Are you seeing now with increased risks of cyber attacks, are school districts maybe rethinking who's leading this, the IT department, or are they hiring more staff that are specialized in cybersecurity?
B
I think the advance in schools and those that. Exactly as you're kind of alluding to those that are waking up to the idea that actually schools are tech businesses. When you look at hybrid learning and how parents engage with staff and how students can be learners from home and in the classroom, is the education industry not becoming one of the biggest tech organizations out? Because again, we saw this with COVID. You know, students go home and they're learning from home. And you know, just going back 10 years, for me, when I was a student at university, it was quite normal to submit papers through portals and all the rest of it. But schools, small, you know, kindergarten, primary school, secondary school here in the UK, that's always been a classroom based thing, but these days, not so much. So, yeah, I think all schools now have to have a look at do we have the right skill set. It's not that these things can't be learned, but actually, does it need more than just, you know, a couple of classrooms and courses for IT managers? Does it need actually digital transformation expertise to make the school ready for the future? And again, once we start filtering in artificial intelligence and what that might be able to do for classrooms. Absolutely. I think schools are a really exciting industry in how they can leverage artificial intelligence to create a better learning experience for children.
A
So of all the incidents you've dealt with, is there one that stands out the most? And why is that?
B
Yeah, I mean, when you, for the listeners, when you think of global cyber attacks and things that have hit the headlines, our team has probably been involved with most of them. It's not to say that when a big corporate is involved in a cyber attack, it carries less emotion. That's not where I'm going, but the impact. I saw a cyber attack hit a care home which again, you know, this is a business that operates to help elderly people maintain some dignity in their later stages of life. And I remember getting a call from the IT manager similar situation, 2am, you know, genuinely probably underskilled and doing his best to keep that network up and running. Prior to the incident, it was a ransomware attack in this case, not double extortion. But the business had no backup. The attacker had found the backups and deleted them to a point where this business considered going insolvent. Now, for them, going insolvent is not the same as a corporate entity just spinning up their same business in a different legal structure. Them going insolvent is the inability to pay nurses to get people to bring medication. You know, all of their systems to provide care were contingent on that network running. So for me, when I think about that and you know, what industry do I work in? We really are working with faceless cowards that actually have no regard for what they're doing. And in this situation, you know, this business didn't pay because it didn't have any money, didn't have any money to pay a ransom demand and it wasn't insured. So it really was a case of, you know, let's try and lump some IT back together to get this network back up and running. And they were out for six months. Everything had to go back to paper and you know, provision of care went back to nurses bedside writing notes. And again, that sounds noble, but again, when you're running a care facility, quality care commission, etc. You have to have evidence of what you've done.
It's not just as straightforward as we'll all just muck in for a better expression. For me, again, that's one where I always go back to, where it helps me understand who I'm dealing with on the other side of my job. It's got nothing to do with headlines. It's just, can we make quick money? And anybody can be a target.
A
Are you looking for ways to save your district time and money on purchases while ensuring full compliance with state and federal procurement laws? The Association of Educational Purchasing Agencies, or AEPA, connects schools with competitively bid contracts across the nation. From technology and facilities to classroom essentials and services, AEPA helps you stretch your budget further and simplify the buying process. Trusted by schools across the country, AEPA brings the power of cooperative purchasing to your district. Find your local state agency and learn more at aepacoop.org. You mentioned that Gallagher has probably been involved in most responses to cyber attacks. Do you get attacked yourself? Do you worry about getting attacked? Are these cybercriminals noticing that your name's popping up all the time as a defense to these, some of their victims? Like, what is your position and what keeps you up at night with all of this?
B
It's a really good question, actually, because it's something I've been going through over the last six to 12 months where, you know, I've come off all social media. I mean, I wasn't a big user of it before, but, you know, let's say, for example, we've been to the zoo and the kids loved it. We've got lots of relatives that like to keep up to date with what my children are doing. You know, it was always a mechanism, I suppose, to keep in touch with people that we don't talk to, you know, on a weekly basis. But for me, all of that's had to stop. My children are in a school where they can't be on any photos or social media. And again, it's not. I've had no direct experience currently of, you know, being leveraged, but, you know, is it possible? Absolutely. And can I do something to try and protect the people that I work with by not giving them a reason? Yes. So it does concern me. Again, physical security in a house, all the rest of it. When you're dealing with cybercriminals, no one's ever going to come to the front of my door. But, yeah, do I have to double check that our Wi-Fi is okay? That our kids' passwords on their iPads or whatever they're called? Absolutely. And it does worry me. It absolutely does worry me. I've got. My children are 7 and 5 and, you know, some of the applications that we use to read their school reports or put lunch money on the fingerprint of all things, you know, the kids pay by their fingerprint. They go to the checkout, they put that in, and that's biometric data. I think something that really concerns me, and it's a little on the dark side, is cybercriminals aren't the only ones that want access to children's information. And so I think, you know, there's lots of questionable characters that would be interested in schools. And, you know, that too, is probably unique to the education industry, where they have a completely new set of responsibilities to ensure.
So, yeah, it's definitely one of the reasons why I jumped at this podcast, because I just want listeners to be maybe less cozy than they might have been. And you know, it's not to scare people into okay, now I need to do something. But more just understand the breadth of the challenge because it isn't like you're a logistics company where if you get hacked, you know, it's bad for people waiting for their parcels. It can generally have a long term impact and I suppose there is a bit of responsibility to make sure that, you know, all school leaders are prioritizing the spend on IT. It's often one of those things where you know, as long as the programs work and the machines are on. But you know, cybersecurity these days is just a cost of trade. You have to invest in it. It's not an option anymore.
A
So somewhat related, but maybe not totally. I have to ask, what is your take on the Internet of Things? Do you, Jonty, at your house have everything with a smart thermostat, something that waters your garden and turns your lights on, or are you kind of old school and not connected to everything to your phone in your house?
B
You know what, I am so I'm 37 years old and I, when I was growing up the first phone that I had was a Nokia 3210 around about 14 years old and I'm heading back there. I want less and less IT, I don't have an Alexa, I don't have a Google smart play, anything like that. In our home we have bog standard Wi-Fi. And yeah, again I could probably talk for another hour on my thoughts on social media and all the rest of it and the algorithms that go behind that. But yeah, I am definitely now a man of less is more. And I don't know whether staring at computer screens with criminal messages on it all day kind of, you know, makes me, well, I don't know, I imagine like a chef for example, do they go home and cook themselves a, you know, a really good meal or do they just get a pot noodle or whatever the equivalent is in the U.S. But no, definitely, definitely not into the Internet of Things. You know, the grocery store doesn't know that I'm low on milk. I, you know, I'll walk next door to the local shop. Yeah, no thanks.
A
I'm 37 as well and the Nokia was my first phone. I missed those days of just playing Snake. Things were a lot simpler back then, you know.
B
Do you remember when Snake went from you couldn't go through the walls to you could.
A
Yeah, that was life changing.
B
Yeah, I mean If I tried to talk to my son Sebastian, if I tried to talk to him about that was a big deal. I used to sit on the school bus and for 45 minutes that was my sole focus. You know, could I get to like, you know, level nine, level 10, because, you know, it'd been unlocked, you know, and again, my, I don't know. How old are your children again? One's very new.
A
Three and six days.
B
Three and six days. So I mean a three year old. Again, nurseries here in the UK we learn what Seb was doing through an app. You know, Seb had played in the sand today and all the rest of it. You know, I always remember thinking, why can't they just tell me at the door? But again, there are lots of people that just prefer communication via applications because they haven't got the time to stand and talk. So again, just going back to this education piece, I do think it's rapidly changing how much IT and digital is in that whole world. I mean, arguably, is it accelerating faster than other industries? Probably from where it was to where it needs to be? Probably, yeah.
A
My son's daycare, I get updates every single day of pictures of what they're doing and it's really nice to see. But to your point, in the back of my mind I'm like, I hope this platform is secure because mine and his classmates' photos are. I don't know where they are, if they're stored, where they're stored. But I really hope that platform is secured and it gives me pause sometimes, especially when I talk to experts like you. I'm like, you know, is this platform really okay to have adolescent photos and updates? Who knows who has access to it?
B
Exactly, exactly. And again, I'm appreciating all the sensitivities of the topic. It does take a different tone when you really start to think about all of it. It's just totally unique to not even education. It's from like you said, three, two years old all the way up to early 20s.
A
Yeah. And to your less is more point, I wish I could go back in time to when the Motorola RAZR was out. That was my favorite phone ever. It was a simple flip phone. It was the coolest thing going. And I am at the point in my life where I just want to throw my iPhone into the garbage. It's just overstimulation of notifications. It's too easy to open Safari and look something. You know, it was simpler when you had T9 text and that was it.
B
Yeah, yeah. I think it should have stopped at BlackBerry, you know, like, you know, BlackBerry Messenger. Yeah, but I, I agree. I mean, honest. Absolute side note, John, I've just started fishing and it's amazing how much you don't need a phone and how useless a phone is when it comes to fishing. Other kind of, you know, manual tasks. And again, in the. I watch quite a lot of documentaries about schools, you know, almost like these. A Day in the Life of a teacher, etc. And they're having to combat what do they do with phones, with students. And, you know, obviously every school has their own approach to that, but again, that's a brand new issue. From a cybersecurity perspective, any one of those phones could be on inside a classroom. Should they do RF scanning, should they be checking for bandwidth, you know, all of that kind of stuff. You want a camera inside a school, you've got X amount of students that could all make that possible. Live streaming, all these different cybersecurity things that were never a thing for me in school.
A
Right. So I would love to go down memory lane even further with you, but I'm sure our listeners are getting tired of it already. So I wanted to ask you, with a cyber attack, when do attacks typically go from bad to worse? I mean, we talked about there could be double extortion, there could be just leverage with encrypting data and holding that for ransom. But I have to imagine if a victim isn't complying in the timeline that the cyber criminals are hoping for, there must be a turning point. And what is that?
B
Yeah, no, you've actually hit the nail on the head, the timing piece. So some key milestones. Does the backup work? That is always a key point. Yes, the backup works and we can restore our network to where it was one hour before the attacker got on the network. That's a good day. A bad day is the backup is compromised, it won't work. So therefore we have two options. One is to pay the criminal to give us back the backup or we try and rebuild from what is left. And rebuilding from what is left could be 6 to 12 months. Or paying the attacker could be a simple transaction. Financially, where it also starts to go bad is. Okay. Do we know how much data has been taken? Yes, we know it's four terabytes. Okay. Do we know what it is? No. Arguably, when you know what it is, it's easier because you then have the ability to notify people, whereas if you don't know what it is, it's then you have to notify everybody. With a. You may potentially have been involved in a data breach, but we don't know yet because again, different state laws over in Europe and the UK there's very stringent laws on all of this. And then, you know, let's say for example, the bad is the backup doesn't work, so we need to talk to the attackers about the fee. That's the other bad email that comes in, which is, Dear John, to have your network back, it will be 5 million or 10 million or a number that is outside of the insurance or if they don't have insurance, just a number that, you know, it's just way too high. Another bad moment is where the IT leadership suffer a personal injury and stress and the only team that know that network are off and they can't come to work to try and help you get back up and running. Another bad point is somebody inside the business talks to a group of individuals or a media outlet and then you start having to handle PR issues that are not true. You know, there's many. But for me, I think the backup not working, i.e. you have no point to recover from now is probably the biggest point. And it would be one of my five takeaways that if you are to do anything a bit like skydiving, you know, you check that parachute, the parachute is your safety net, which is a backup, you know. And again, I don't know what the stats are and how many times they get checked before you go up in a plane, but it's still very normal for me to deal with the incident where the backup has been compromised because there was never an offline immutable backup. This is something that is completely air gapped. It's in a vault basically that even if an attacker gets onto the network, they can't see it, they can't touch it, nobody can. Once it's written, it cannot be changed. And I think if you have that, arguably if you get attacked, you've always got a safety net. It's going to be business interruption every single day if this happens every single day. But you can always go back to a point.
A
Yeah, it's not like you're going to have the most recent data because if you have an air gapped backup, it's not going to be real time data. So you may lose a few days of business, but that's much better than losing everything in its entirety.
B
Yeah, I mean, just to bring this to life, you know, the care home that I spoke about, six months without a working network. So could you imagine most modern businesses trying to catch back up with six months worth of lost information? Especially when it comes to a healthcare facility. What did you treat John with on the 5th of May? I've got no idea. Well, let me go back through all of these notes, you know, so that, that, that for me, is every school or business listening. Just when you go to the office tomorrow, whenever, just ask the question, is our backup immutable, i.e. you cannot break it. And if there is a pause, it's well worth just putting a workshop around that one piece.
A
Right, right. So let's talk what schools can do proactively. Just kind of stay ahead of these cyber threats. You know, what are some of those safeguards that schools can implement to become a harder target to penetrate from cybercriminals?
B
So if we start from the outside in and let's imagine this is a house for all the non-technical listeners, if the house is the firewall, the most important thing we all do with our physical house generally is we lock it. And you are the only person that has a key to get into that house or your partner or your mother or whoever it might be. There's a set of trusted individuals. When COVID happened, there was this massive push to get everybody working from home and being at home. And we all relied on a username and password until we realized that a username and password alone can be copied. So we implemented multi-factor authentication. This is where you get a text to your phone or a special code that says, is that you, John? Using that username and password. I would hope every school listening has multi-factor authentication for its main staff and even more for its IT teams. Because those keys that the IT staff hold are, you know, the master keys per se. I think once you're into the network, there's a whole thing, you know, a whole host of things schools can do. But the most important for me, and when I look at how breaches happen, is patch management. So if an attacker is successful in getting onto the network, they will do what's called an Nmap scan. And it's basically a process of looking for is there anything that's almost already broken inside this house? Because I'm just going to attack that because that's my shortest time for maximum gain. Why do I have to create brand new code for this brand new piece of machinery that this school has now? Let me just find something that's already on its knees. So patch management is a business's way of keeping everything up to date, clean and healthy and you know, I would urge every school to have a piece of technology that is telling them this piece of kit that you have over in this classroom is actually weak and could offer a vantage point for a cybercriminal.
And there's no end of technologies that will do this, but it's a very simple process. It's a bit like a digital blood test every single night. Is there anything that is currently weak that could actually be used against us? And then finally, what's quite scary is when you set technology aside. When we look at our claims data on cyber attacks, 80% roughly are because of a human. That's not to say that they were the whole reason, but they were the start of it. Statistically speaking, the best thing that schools could do is to invest in a very good training and awareness campaign for all of their staff. Because the more we're working at home and you know, all working on multiple devices, the human is almost becoming the firewall now, which is that just looks strange or that's not something I would do or that's not the way John speaks to me. John doesn't work on Tuesdays, you know, et cetera, et cetera. All these kind of things that an algorithm or a piece of technology couldn't do. Almost like you know, going backwards in our Nokia conversation. What are the things that actually humans are very good at? And we're good at spotting patterns or abnormalities. So yeah, there's a whole host there, but fundamentally multi-factor authentication on the way in, network vulnerability scanning or patch management, same thing for me. And then the backup, always, always, always. And then finally the human piece. Good set of regular phishing campaigns, regular training, but multi tenant training, not just here's an email. Because attackers will try different things these days. They will phone you or use a deepfake Teams call because they know that the old email doesn't work anymore. I think if you have those kind of five basics covered, you're just statistically way less likely and the attacker hopefully will move on to a more vulnerable target. Although that sounds a little harsh.
I do think a lot of, you know, not being a victim of cybercrime is to not be the slowest, but equally you don't have to be the fastest. Just don't be at the back of the pack.
A
So as we wind down here, what parting thoughts or tips can you leave our listeners with when it relates to cybersecurity and being prepared and maybe where to go if they have been attacked and what those first steps could be?
B
I think if a business in an education team is struggling to galvanize the importance of cyber security in the education sector. I think similar to what me and you did. Have a think about it with your own children or nieces, nephews, loved ones that are going through the education system. How, how would it make you feel if that image or that file was being used for financial gain? Because I think sometimes, you know, like, like you said, is it getting the seat at the table? Probably not as much as it should. And then, you know, for continuous support help, you know, there's no end of organizations like ours, but obviously would be remiss of me to not signpost Gallagher, you know, and our whole kind of support here with the ASBO partnership, that's what, that's what we're hoping to do, is to bring some practical, real world advice for people looking to do the right thing.
A
Great. Well, Jonty, thank you so much for joining me today on School Business Insider and sharing some tips and tricks and what school business officials and schools in general can do to better protect themselves and most importantly, protect those data of their students. So thanks again.
B
All right, no problem.
A
Thank you for tuning in to School Business Insider. Make sure to check back each week for your favorite topics on school business.
School Business Insider, ASBO International
Host: John Brucato
Guest: Jonty Mongan (Global Head, Gallagher Cyber Risk Management)
Date: September 9, 2025
This episode delves into the critical and fast-evolving topic of cybersecurity in schools. Host John Brucato invites Jonty Mongan, a global leader in cyber risk management at Gallagher, to share real-world insights from his extensive experience responding to cyber attacks. The discussion covers why schools are prime targets for cybercriminals, the anatomy and aftermath of attacks, leadership and personnel trends, and pragmatic steps schools can take to fortify their defenses. The conversation is both sobering and actionable, empowering school business officials with knowledge to better safeguard sensitive student and staff data.
(04:13–06:24)
Leverage and Emotional Pressure:
"If you are a cyber gang attacking a school and getting it right, you have immediate leverage because everybody involved...doesn't want any harm to come to the individuals." (Jonty, 05:01)
Comparison to Other Industries:
(06:46–08:49)
"The leverage point is not pay me to give your network back. It's pay me to not use this data in the public." (Jonty, 08:04)
(09:04–12:54)
"Honor Amongst Thieves":
"Every single time the attacker has provided what they said they would." (Jonty, 11:50)
Impact & Emotional Toll:
(12:54–15:07)
"Cloud consolidation definitely has a risk of systemic threat...However...you're generally accessing a more proven and secure product." (Jonty, 13:41)
(15:07–19:39)
"The leadership...can change the color of the response quite significantly." (Jonty, 17:05)
(19:39–21:49)
(21:49–24:37)
(25:34–28:24)
"Cybersecurity these days is just a cost of trade. You have to invest in it. It's not an option anymore." (Jonty, 28:23)
(28:24–31:23)
Less Is More:
Anecdotes on Tech Evolution:
(33:46–38:27)
Critical Turning Points:
Practical Takeaway:
(38:27–42:54)
"Statistically speaking, the best thing that schools could do is to invest in a very good training and awareness campaign for all of their staff." (Jonty, 41:18)
(42:54–44:11)
Make It Personal:
"How would it make you feel if that image or that file was being used for financial gain?" (Jonty, 43:13)
Leverage Resources:
On Why Attackers Target Schools:
"Dear Mr. Mongan, we have your child's information and we're going to publish it...That just takes a completely different tone."
(Jonty, 05:01)
On “Honor Amongst Thieves”:
"There is honor amongst thieves...every single time the attacker has provided what they said they would."
(Jonty, 11:18 & 11:50)
On Leadership in Crisis:
"The leadership of that business...can change the color of the response quite significantly."
(Jonty, 17:05)
| Topic | Timestamp |
|----------------------------------------------------------|-------------|
| Introduction of guest and Gallagher's mission | 01:32–02:49 |
| Why schools are targeted (leverage, emotional pressure) | 04:13–06:24 |
| Double extortion: anatomy of attacks | 06:46–08:49 |
| On ransomware attackers’ reputations | 09:04–12:54 |
| Cloud vs. on-premise risks for schools | 13:29–15:07 |
| What happens in the early hours of an attack | 15:30–19:39 |
| Changing IT skill demands in education | 19:39–21:49 |
| Case study: care home attack (impact and fallout) | 21:56–24:37 |
| Jonty’s personal security and privacy practices | 25:34–28:24 |
| Simplicity vs. Internet of Things; school tech shifts | 28:24–31:23 |
| When incidents escalate: backups and more | 33:46–38:27 |
| Safeguard priorities for schools | 38:44–42:54 |
| Final advice for school business officials | 42:54–44:11 |
This episode delivers a grounded, candid, and urgent call for schools to take cybersecurity seriously—not just for compliance, but to protect the children and communities they serve.