The year 2020 was undoubtedly the year in which the entire world depended most heavily on technology to provide an alternative to the physical world. One such dependency arose in the education sector, where every classroom of a school or a college was shifted online. This massive surge in the use of the internet and technology, and the increase in the number of users, also provided criminals with a new vulnerable group which didn't exist before. In a recent report published by Barracuda Networks, over 1000 schools, colleges and universities were attacked as part of spear-phishing campaigns by cyber-criminals between the months of June and September. Even before the global pandemic there were countless instances where educational institutions fell prey to cyber-criminals; for example, a school in Long Island, New York had to pay the cyber-criminal about $100,000 in bitcoin to recover its data after being hijacked by ransomware. However, to protect the institution and student data and prevent any such malicious activity, there are certain measures and techniques which schools can employ.
- Create an Information Security infrastructure which is compliant with modern Standards
The fundamental security measure which an institution should employ is the implementation of reasonable security measures as prescribed under the IT Act, 2000 and its subsequent rules. The debate over whether educational institutions are statutorily required to follow the said law and procedures is probably not important here, as one can't forget that these institutions hold personal and sensitive personal data of all their students and employees, such as their marksheets, government-issued identification documents, biometric information, transcripts etc., which shouldn't be compromised in any way. One method of implementing reasonable information security practice could be to implement the International Standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements". It is recognized internationally as a standard for managing an organization's information security by addressing people and processes as well as technology, and it is also mentioned in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
- Dedicated Team for Handling Information Security and Cyber Safety
The work of this dedicated team would be different from that of the regular IT admins employed by the institutions, who generally handle the school's IT infrastructure. The main job of this team would be to manage the network security, user devices and security of the data storage infrastructure of the institution. Often, even with the best practices in place, these incidents occur through the devices of individuals who are part of the institution. It will therefore be the job of this team to handle all the end-user peripherals and devices and make sure they don't affect the network or the institution's data and infrastructure.
- Investing in good Data Storage and Backup Solutions
As mentioned before, the data held by the institutions should never be in a position to be compromised, because of its nature. Therefore, it only makes sense to employ the services of a good data storage provider that can offer an n+1 or even n+n storage solution and minimal downtime. While these would seem very expensive at the beginning, the consequential costs of a possible attack could be far higher than these expenses.
- Getting Cyber Insurance
The above-mentioned incident at the school in New York was only resolved because the school was able to shell out $88,000, as it had invested in insurance which covered cyber attacks. As mentioned before, the increased use of technology is resulting in more and more collection of personal and sensitive personal data, and subsequently in more and more of these cyberattacks despite the implementation of best security practices. It therefore only makes sense to also look at the various insurance policies which cover these cyber incidents, such as policies covering the expenses incurred due to a ransomware attack, litigation expenses, statutory expenses etc.
- Improving Cyber and Digital Literacy
Besides implementing infrastructural changes and measures, the institutions should also look inwards and provide knowledge and resources to the people who are associated with them. One such measure was adopted by the CBSE last year, which, in association with CyberPeace Foundation, created a handbook for students aiming to teach them the various tenets of digital literacy and cyber safety and to help them navigate technology and the Internet.
Author – Mr. Hrishikesh Bedi, Consultant, CyberPeace Foundation