RPA Cyber Security Insurance

Free RPA Cyber Insurance – Are You Eligible?

Many of our schools are enrolled with the DfE’s Risk Protection Arrangement (RPA) for insurance cover. This cover has recently been extended to provide cyber insurance, but only if schools meet certain prerequisites. Irrespective of RPA compliance, these prerequisites are worth looking into and considering for implementation at your school. Below we look at each of these prerequisites and how to meet them (in order of complexity/cost).

Prerequisites for RPA Cyber Insurance Eligibility

Register with Police Cyber Alarm

The base requirement for this control is just to register with the police “Cyber Alarm” service. It should be noted that this does not require the full installation of their data collection tool on your network unless you are fully comfortable with the security and data protection implications of that additional step.

Have a Cyber Response Plan in Place

If you do not already comply with this control, the RPA provides a template response plan on the members portal which you can use and tailor to your own purposes. Schools signed up to Partnership Education’s Silver or Gold level Cyber Support packages will have access to a personally tailored response plan and procedure, along with a range of other templated, best practice security policies.

Have Completed NCSC Training for all Employees and Governors

This requirement presents a logistical challenge as much as anything. The NCSC provides a pre-built slide deck with a matching YouTube video of its latest education-specific cyber training. To meet this requirement, you must ensure all staff (and governors) have been shown this training. Additionally, you will need to keep a documented, auditable record of all of this training.

Have Offline Backups

Unless you have already focused on backup and implemented a “3-2-1” based system, this is likely to represent the most work/cost to implement. Having compliant, offline backups involves having some form of backup which is kept separate from your live environment and only connected while backups are being run. The most common solution for this is to implement a cloud-based backup solution, although there are some more manual, but cost effective ways of dealing with this. If you are unsure if you have offline backups, please speak with your Partnership Education Account Manager or local Technician.

Subject to getting all of the above items in place, we would recommend liaising with the RPA to confirm your eligibility, enrolment and, in particular, the dates from which you will be covered. Speak with your PEL account manager if you are unsure about meeting any of these requirements.

Cyber Security – Next Steps

Following on from our last series of tips for quick, free and easy wins, we will now look at a few even more effective security controls which can be implemented with some time and effort.

1 – Educate the Educators!
In the previous series we looked at one-off resources to provide awareness and guidance to your staff. When taking the next step in your security journey, think about how you can provide regular awareness, updates on the latest threats and interactive exercises. This could include phishing simulations and regular “byte sized” security content.

2 – Two is Better Than One:
Multifactor Authentication (MFA) is one of the best protections you can put in place to secure your cloud-based systems and data. It can be logistically challenging to set up in a school environment, but there are a range of different approaches which can be (and should be) considered.

3 – What’s Your Policy?
Having a defined cyber security policy shows clear intention to understand and manage cyber security threats. It’s not just the end product but the process of developing your policy which will be valuable in improving your security posture.

4 – Back it Up, Back it Up!
In the event that attackers do gain access to your systems or files, it is imperative that you have backups in place to avoid widespread data loss. This backup should follow the 3-2-1 principle, with 3 copies of your data, on 2 different mediums, with one “offline” copy kept separate from your live environment.

5 – Stop the Sticks:
USB sticks and external drives are in common use across schools, but these devices can inadvertently harbour viruses and piggyback them into the school’s network, past the external defences. There should be sufficient file storage and transfer solutions in place such that USB storage can be disabled without causing too many issues for staff.

6 – Keep an Eye Out:
Part of cyber security management is considering scenarios whereby attackers have already accessed your systems. While you will often need to make a trade-off between system costs and management overheads, you should consider what monitoring and logging you have on your network to detect unusual and malicious activity. There are generally features and modules to deliver this across email, backup and network monitoring systems. There are also dedicated tools which focus on this task specifically.

Hopefully you found this blog and series of posts useful and informative.

Cyber Security – Quick & Cheap Wins!

With cyber security and ransomware on the rise and budgets as tight as ever, we are looking at a series of “quick wins” which can help your school harden your security without breaking the bank.

1 – Educate the Educators:
The number one starting point for ransomware attacks is staff unwittingly giving up their credentials or opening malicious attachments. There are a number of free training resources available as a starting point. Have a look at https://www.ncsc.gov.uk/information/cyber-security-training-schools where you can get a pre-built slide deck and training video.

2 – Protect Your Email:
Your email platform has in-built controls to protect against fraudulent emails. Make sure you’ve configured all of those controls effectively! Also have a look at the NCSC’s Mail Check service, which can help you set up your platform securely.

3 – Batten Down the Hatches:
If an attacker does manage to get access to your systems, don’t give them more access than you need to. Manage the access on all your systems according to the principle of least privilege and avoid giving staff local admin access on their school devices.

4 – Three Strikes and You’re Out:
Some attackers may rely on brute force to access your systems. Clamp down on this by ensuring, where possible, that brute-force controls are enabled on your cloud systems, locking accounts after a number of failed login attempts.
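The “Keep an Eye Out” tip above (monitoring for unusual activity) and this “Three Strikes” tip are two sides of the same control, so the following added example covers both. It is illustrative code written for this page, not part of the original post or any product it mentions: a small authentication log monitor that locks an account after a number of failures inside a sliding window, rejects attempts against a locked account, and separately flags a source that fails against many different accounts (password spraying), which a per-account lockout alone never notices. The log format, the usernames and the addresses (RFC 5737 documentation ranges) are all constructed for the example, and the thresholds are assumptions you would tune to your own systems.

```python
"""
Added example (not part of the original post): a toy authentication log
monitor combining a "three strikes" account lockout with detection of
password spraying. Log format, users, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one account attacked repeatedly (locked on the third
# failure), one legitimate typo, then one source trying five accounts once each.
SAMPLE_LOG = """\
2024-03-04T08:00:01 src=203.0.113.5 user=jsmith result=FAIL
2024-03-04T08:00:20 src=203.0.113.5 user=jsmith result=FAIL
2024-03-04T08:00:45 src=203.0.113.5 user=jsmith result=FAIL
2024-03-04T08:01:10 src=203.0.113.5 user=jsmith result=OK
2024-03-04T08:02:00 src=203.0.113.9 user=mlee result=FAIL
2024-03-04T08:02:30 src=203.0.113.9 user=mlee result=OK
2024-03-04T08:05:00 src=198.51.100.7 user=ahall result=FAIL
2024-03-04T08:05:02 src=198.51.100.7 user=bjones result=FAIL
2024-03-04T08:05:04 src=198.51.100.7 user=ckhan result=FAIL
2024-03-04T08:05:06 src=198.51.100.7 user=dpatel result=FAIL
2024-03-04T08:05:08 src=198.51.100.7 user=eroberts result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyse(log_text, threshold=3, window=timedelta(minutes=10),
            lockout=timedelta(minutes=30), spray_accounts=5):
    """Replay the log in order, enforcing lockout and flagging spraying sources."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}               # user -> time the lockout expires
    spray_seen = defaultdict(dict)  # src -> {user: time of last failure}
    report = {"locked": [], "blocked": [], "spray_sources": []}

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, src, result = rec["ts"], rec["user"], rec["src"], rec["result"]

        # An attempt against a locked account is rejected outright, even when
        # the password would have been correct (the attacker's 4th guess here).
        if user in locked_until and ts < locked_until[user]:
            report["blocked"].append((user, src, ts.isoformat()))
            continue

        if result == "OK":
            failures[user].clear()  # a genuine login resets the strike count
            continue

        # Count the failure inside a sliding window and lock on the threshold.
        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            locked_until[user] = ts + lockout
            recent.clear()
            report["locked"].append((user, ts.isoformat()))

        # Spraying: one source failing against many distinct accounts within the
        # window. Each account has only one strike, so lockout never triggers.
        spray_seen[src][user] = ts
        active = [u for u, t in spray_seen[src].items() if ts - t <= window]
        if len(active) >= spray_accounts and src not in report["spray_sources"]:
            report["spray_sources"].append(src)

    return report


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Running the block locks `jsmith` on the third failure, rejects the later correct password while the lockout is in force, leaves `mlee` untouched after a single typo, and reports `198.51.100.7` as a spraying source even though no individual account reached the lockout threshold. That last case is why the lockout setting and the monitoring need to be in place together.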

5 – You Shall Not Pass:
Many devices will have an auto-run feature which can automatically run executable files when they are downloaded onto the device. Disabling this function can avoid nasty files opening and running without the user’s knowledge.

6 – What’s the Magic Word?
Effective passwords are the first line of defence against cyber attacks. A good password policy should provide guidelines and advice around password complexity, changes and variation across different systems.

Hopefully you found this blog and series of posts useful and informative. In the next series we’ll be looking at some even more effective controls which can be implemented with a little more investment.