Data Protection Compliance and Cyber Attacks in Schools

Email: info@compliancedirectsolutions.com
Phone: 0330 1245 760

CREST Registered Penetration Testers

Article 32 of the GDPR sets out the technical measures that organisations should implement to protect personal data. This means regularly testing your networks and systems to ensure you correctly store and protect personal data.

  • Qualified Experts with Government Level Clearance
  • Free Self-Assessment Questionnaire
  • Providing Comprehensive Reporting & Feedback
  • Implementing Post Test Care & Effective Risk Remediation

Although the following information is factually correct, please don’t use it to make a formal decision without prior consultation with our team of experts. The role of the ethical hacker and outsourced data protection officer, and how best to maintain data protection compliance in schools, has been a recurring question within our network. Many education providers are now turning to the Information Commissioner’s Office (ICO) for formal guidance and to pen testing companies to help secure their networks.

  • We recommend that you annually test your networks (Ethical Hacking) in conjunction with annual data protection audits and privacy impact assessments wherever necessary.

With two schools having recently been issued with legal warnings from the ICO for wrongly disclosing the personal data of children, the issue is more relevant than ever. This is a significant action given that the pandemic has disrupted the operations of many schools and education providers over the last 12 months, and it makes clear where the ICO stands on the responsibility schools have to protect personal data and to report their significant data breaches.

The safeguarding risk that these incidents pose is a very distressing reality for the staff involved as well as for the families of the children in question. It’s worth mentioning that most breaches occur by accident, but nonetheless the severity of each breach must be individually assessed and a decision taken on how to remediate it appropriately. Therefore, the following blog will outline the key areas that pose a risk to your school and its network.

What is a personal data breach?

Our data protection consultants define a personal data breach as any event within the school that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Below we have listed several examples of data breaches in schools:

  • Any unauthorised person accessing the data: this will be the case when a pupil, unauthorised staff member or criminal hacker views, steals or possesses sensitive information without consent. We recommend that internal, external and web application penetration testing is conducted at the school annually.
  • Lack of due diligence by the school or one of its processors: an example would be sending old school records, exam results, pupil health records, PCs, laptops or filing cabinets to be destroyed without assessing the risk in advance and first removing the data.
  • Accidentally or otherwise sending personal data to the wrong person or persons: this includes any message sent by email, text, post or fax. It’s most likely to occur when sending out bulk emails or correspondence to staff members who are CC’d into an email chain which is then forwarded or otherwise shared. This is a high-risk area where many breaches occur.
  • Editing or changing personal data without the subject’s permission: for example, someone accessing the school’s payroll, medical systems, report cards or exam result systems and changing staff pay grades through payroll. These are all significant breaches and must be reported after the level of risk is assessed.
  • Unplanned events and cyber-attacks: this is a growing concern for schools, with the number of hacking cases on the rise. It might happen when networks or systems are forced offline, either due to an in-house technical error or in a cyber-attack from hackers who are trying to expose the network and the data it holds.

Many schools currently don’t have the resources to adequately prevent, report and remediate past, present and future breaches. Our ethical hacking services put strategies in place that let your school demonstrably show it is measuring and monitoring breaches. We have CREST accredited penetration testers to assist with identifying risks and fixing them before the school is compromised. Combined with our outsourced data protection officer as a service, this is a robust way to deliver compliance and maintain GDPR and DPA 2018 implementation with minimal disruption to the academic term as schools start up again.

As a start-up company we really value our customers and their needs, so being agile, flexible and able to pivot to accommodate our customers wherever possible is paramount for us. In response, we now offer CREST registered penetration testing from qualified experts who help you stay ahead of the hackers and protect your business-critical data.

Below are examples of the types of testing we conduct.

Internal – An internal network pen test is performed to gauge what an attacker could achieve with initial access to a network. It can mirror insider threats, such as employees intentionally or unintentionally performing malicious actions.

External – External penetration testing is a security assessment of an organisation’s perimeter systems. It usually tests from the perspective of an attacker with no prior access to your systems or networks.

Web Application – A penetration test, also known as a pen test, is a simulated cyber-attack against your computer system to check for exploitable vulnerabilities. In the context of web application security, penetration testing is commonly used to augment a web application firewall (WAF).

For more information on Grey, White & Black hat testing contact us for a free scoping call and self-assessment questionnaire.