Schools need a lesson in cyber

Alarm bells are ringing at private schools around the country as warnings are issued that cyber criminals are hijacking private school fee payments this December. The reasons for this targeting? The belief that schools generally have poor cyber security; parents are already expecting fee payment emails for thousands of pounds; and schools are closed over the festive period, so any queries or alerts will be delayed, giving the criminals time to make the money disappear.

Duncan Sutcliffe, director, Sutcliffe & Co, advised: “Being able to get into a school’s email system can not only give opportunity to send ‘dummy’ invoices, but potentially give the cyber criminals access to more sensitive parent and pupil information such as addresses, bank details, medical records and the like, opening up a whole new can of worms in addition to misplaced funds. Knowing you are a criminal’s target is only helpful if you do something to mitigate the reasons for the targeting – and do what you can to deter the hacking.”

Neil Hare-Brown, CEO of the cyber security firm Cyber Decider, commented: “In 2017 we saw schools generally become a big target for cyber criminals. Their security is often poor, and their fees administration largely undertaken out of their electronic mailbox, which is often hosted online, making it easy to hijack.”

Duncan continued: “Steps can be taken to make systems more secure, such as more complex password protections, using secure payment gateways and attaining Cyber Essentials accreditation. It is not all system processes and passwords, however, as a key to stopping this sort of attack is the human element: educating staff, pupils and parents to identify phishing emails and the risks of fraudulent payment requests can have a massively positive effect on reducing the impact and spread of cyber attacks.

“Of course, having cyber insurance in place with specialist forensic technical and legal support can help speed up recovery from a cyber-attack should these steps not be sufficiently effective.”

If parents do not query an email they believe has come from their child’s school and pay the fraudulent invoice, another issue arises: who is responsible for refunding the stolen school fees?

Duncan continued: “We urge all schools to read their insurance policy small print and speak with their insurance broker. If they do have a cyber insurance policy in place, that may not be enough: some cyber policies will not cover theft of money, only theft of data; or there may be limits or exclusions on the policy. Additionally, many cyber policies offer cover for the forensic, legal and PR costs necessary to manage a cyber breach but not for the parents’ huge financial losses. This is very much a case of ‘the devil’s in the detail’ and check you have sufficient cover before you need it.”