Schools, Hospitals and Public Service Breaches Show No Business Is Immune to Cyber Attacks

Schools, Hospitals and Public Service Breaches Show No Business Is Immune to Cyber Attacks. 

Recently, we have seen the devastating impact cyber attacks can have on some of our most important public sector services, with schools closed and operations cancelled. 

As these publicly funded organisations may not be able to pay extortionate ransoms to malicious actors, it goes that these attacks are opportunistic, as opposed to financially motivated. Any business could be next.

Good security practices are crucial in the fight against cyber attacks. While you’ll never be able to stop attacks completely, there are several steps every organisation can take to protect themselves, their staff, their customers, and their data. 

What’s the extent of recent attacks?

On Monday, 3rd June, The Billericay School in Essex was forced to close following a cyber attack that left the school’s entire IT system inaccessible. The names, addresses and personal information of pupils may have been stolen. 

The same day, King's College Hospital, Guy's and St Thomas', including the Royal Brompton and the Evelina London Children's Hospital, were involved in a ransomware attack on lab services provider Synnovis. 

The attack immediately affected patients, with hospitals declaring it a “critical incident.” Procedures and tests were cancelled, and blood transfusions were particularly affected. 

These aren’t isolated incidents. 

At the start of the school year in September, The National Cyber Security Centre warned schools must be prepared for a rise in cyber attacks, saying “appropriate security measures” must be in place to prevent disruptions. 

The National Cyber Security Centre estimates one in five schools have been left without access to information due to malware and ransomware. Between 2022 and 2023, a staggering 85% of high education institutions, 82% of colleges, 63% of secondary schools and 41% of primary schools reported a cyber attack. Just 31% of all organisations reported a cyber incident over the same period. 

The cost of incidents like these can be astronomical. IBM estimates UK businesses pay an average of £3.4m for data breach incidents.

What makes these organisations attractive targets?

There are several things that make schools, hospitals and other public services attractive targets to malicious actors.

The first is the sheer amount of valuable data they store. Hospitals and schools contain troves of sensitive data, from medical records to contact information of parents and young pupils. 

Some of these organisations, particularly independent schools and private hospitals, may be willing to pay to retrieve data that is often essential to operations. But the attackers also know that holding this data for ransom is guaranteed to generate media coverage and garner notoriety.  

The second is the inability of these organisations to protect themselves. The truth is that schools and hospitals present easy targets because many lack basic security measures. A report by the charity SWGfL finds that 62% of schools receive no cyber security training, and 31% don’t have an IT security policy in place. This is despite the fact that 76% of schools say the internet is a core educational tool. 

Unfortunately, what is true of schools and hospitals may be true of other organisations, too. Plenty of small and medium-sized businesses hold swathes of valuable data they may be willing to pay to retrieve in the event of an attack. Many more lack the basic protections to keep them safe. 

What can organisations do to protect themselves?

No organisation, whether it’s a small primary school or a multinational FTSE100 company, will ever be able to stop cyber attacks completely. But you can make yourself much less of a target by implementing foundational cyber security principles. 

We recommend the following:

Cyber Essentials certification

Achieving Cyber Essentials or Cyber Essentials Plus certification is the fastest and most straightforward way to protect your organisation from the majority of cyber attacks. These are Government-backed security schemes designed to help organisations of any kind or size improve their security posture. 

Depending on which certification you choose, you’ll either undergo a self-assessment process or be certified by a third-party expert. In any case, you’ll only pass if your security posture aligns with a set of five security measures that should protect your business from around 80% of the most common attacks. 

Cyber Essentials won’t make your organisation impervious, but it’s arguably the single biggest step you can take to reduce the likelihood of an attack. 

Provide cyber security training to staff

Phishing attacks are one of the most common entry points for cyber breaches in schools. According to research by SWGfL, a staggering 92% of primary schools and 89% of secondary schools identified phishing attempts in 2023. 

Unfortunately, it’s all too easy for a staff member to inadvertently click on a link in an email or download a file, especially given the advanced nature of modern phishing emails. 

Firewalls and email filters can stop many of these emails from getting through. But the only way to ensure phishing attacks are never successful is to train staff to identify them and meet all random emails with suspicion. 

Regular training will also improve password security, ensuring your organisation continues to abide by the principles set out in Cyber Essentials. Weak passwords are another common entry point, but one that is easily mitigated with the help of a password manager.  

Implement a cyber recovery plan

A cyber recovery plan is a proactive approach to cyber security that acknowledges the inevitability of successful attacks. While every effort should be made to prevent attacks in the first place—such as training staff and establishing basic cyber security best practices—a cyber recovery plan outlines how organisations should respond in the event of a breach. 

This will include data backup and restoration, theft prevention and communication strategies that help organisations respond to staff, customers and stakeholders. 

Partner with a cyber security expert

It’s a lot to ask staff and faculty, many of whom are already overworked, to handle additional cyber security measures. Even IT staff at these organisations are juggling dozens of different priorities and projects—and may not have the expertise necessary to successfully thwart attacks to begin with. 

That’s why partnering with a cyber security expert can be so valuable. A knowledgeable third party can help you put policies and plans in place, improve your security posture, apply for Cyber Essentials and provide training to staff. 

When it comes to cyber security experts in the South East, few are better than Method IT. As an official Cyber Essentials Certification Body, we can oversee and audit your Cyber Essentials certification, ensuring you pass successfully. We can also provide training to staff and ensure you have all the IT security policies in place to put yourself in the best position possible to thwart attackers. 

For more information, speak to a member of our team today on 0345 521 6111 or get in touch using our contact form.