ParentPay

The road to a successful school cyber strategy

On-demand webinar

Protect your school from cyber threats with expert insight into the scale of the threat facing the education sector, the steps required to strengthen your school’s defences, and how suppliers can help.


Meet our speakers

Elliott Lewis

Chief Information Security Officer at ParentPay Group

David Griffiths

CEO and Co-Founder of Red Maple Technologies

What’s covered

The education cyber security landscape

Learn about the risks the education sector is facing.

The most important actions you need to take

Discover the most effective measures to enhance your school’s cyber strategy.

What to expect from your EdTech supplier

How the right third-party can make all the difference to your cyber defence.


Wherever it is reasonably possible, MFA should be enabled. At the very least, privileged users (those with admin rights or access to sensitive information) should be protected.

Where traditional MFA is problematic for some users, two compromises still improve on no MFA at all: require MFA only under certain circumstances (for example, when logging in from outside the school network), or allow less secure MFA channels (SMS codes, for instance), which although not ideal are still an improvement over a password alone.

At the very least, attackers are already using AI when deploying stealer malware and other malicious content (for example, AI-generated phishing emails). We fully expect such attacks and other social engineering to become much more advanced, very quickly. We train our workforce on current threats, and our next-level awareness training and phishing simulation solution will adapt dynamically to new threats such as AI and deepfakes.

Our cyber offerings can complement, or in some cases replace, those of existing IT service providers.

Does your IT provider properly monitor your full attack surface? (Usually not.)

Our attack surface monitoring gives you independent oversight: either confidence that existing suppliers are doing their job on an ongoing basis, or the data they need in order to do so.

Does your IT provider conduct effective penetration testing?

IT providers often avoid the cost: assessments are not conducted regularly enough, are completed ‘in house’, are bought from low-quality providers, or are not done at all. Our independent specialist testing provides high-quality, unbiased testing that at least validates your IT security or, more commonly, helps find weaknesses and fix them before attackers exploit them.

Is your IT provider running a full information security programme?

Information security and cyber security are not limited to school computers and networks. A holistic approach is needed, covering organisational policy, processes and people. An IT provider in isolation is unlikely to provide complete coverage. We can help schools build safe and practical programmes, working with and alongside existing providers.

Does your IT provider operate awareness training and phishing simulations?

How does your IT provider remain aware of new and emerging threats, and tailor training to your users’ behaviour? How effective is any current training: what is the uptake, and how much time does it take from your people? We believe our partnership is unique in the industry, with compelling pricing, highly effective, dynamic and frictionless training, clear reporting, and the quickest and easiest onboarding process we have seen from any vendor to date.

Does your IT provider ensure Cyber Essentials certification? At what cost?

If your school isn’t Cyber Essentials certified, we can support you through that journey with specialist guidance and a best-in-class technical platform, providing reassurance and assistance throughout the certification process. If your IT provider does provide certification, what does it cost?

Does your IT provider provide cyber insurance (for the school – not just themselves)?

Only 1 in 4 cyber insurance policies pay out in full, often because controls the policy required were found to be missing or inadequate, or because the scope of coverage wasn’t fully understood. Our offering requires a subset of basic cyber-hygiene controls; once these are in place, it provides a rapid-reimbursement ‘warranty’ covering all aspects of cyber breach costs.

Our incident response provider operates in accordance with the NCSC Cyber Incident Response Technical Standard (L2), but is not a listed NCSC Assured Service Provider.

Note: our supplier and the incumbent contingent are both globally recognised as leaders in this space. We also have existing relationships with 5 NCSC Assured Service Providers.

Yes, in at least two ways. The GDPRiS platform itself holds a comprehensive set of supplier records, including DPIA assessments and various security assurance materials, and helps schools select secure and compliant suppliers. In addition, through our partnership with FractalScan, customers can scan any of their current or prospective suppliers to gain insight into their cyber hygiene.

The State of Ransomware 2023 – Sophos News

“The education sector reported the highest level of ransomware attacks, with 79% of higher education organizations surveyed and 80% of lower education organizations surveyed saying that they were victims of ransomware.”

“Data for the State of Ransomware 2023 report comes from a vendor-agnostic survey of 3,000 cybersecurity/IT leaders conducted between January and March 2023. Respondents were based in 14 countries across the Americas, EMEA and Asia Pacific.”

MFA does provide a significant layer of protection. Coupled with our Account Takeover Protection mechanisms, which consider several factors including geography, non-human agents, breached credentials, IP reputation and logon frequency, customers are already better protected.

Nevertheless, we recommend a defence in depth approach – including but not limited to:

  • Enable MFA for all user accounts.
  • Ensure a robust joiners-leavers-movers (JML) process.
  • Don’t allow the use of ‘shared’ user accounts.
  • Conduct regular access reviews.
  • Ensure security awareness training is well established (to include good password practices).
  • Enable Single Sign-On (SSO) features as soon as they are available; these then let you, under your own control, apply IP-range or managed-device restrictions.
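The two ideas above, always stepping up privileged accounts while requiring MFA of everyone else only when a login looks risky (off-network, unusual country, poor IP reputation, breached password, non-human client, unusual logon frequency), can be expressed as one small policy. The following is an added illustration written for this page; it is not ParentPay's Account Takeover Protection code, and every network range, user name, threshold and login event in it is constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Policy inputs. All of these are assumptions for the example, not values from
# any real school or from the ParentPay platform.
SCHOOL_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")]
BAD_REPUTATION = [ip_network("198.51.100.0/24")]     # hypothetical denylist feed
PRIVILEGED_USERS = {"admin.jones", "finance.smith"}  # admins / sensitive-data users
HOME_COUNTRY = "GB"
NON_HUMAN_MARKERS = ("curl", "python-requests", "bot", "headless")
WINDOW_SECONDS = 300
MAX_LOGINS_PER_WINDOW = 5
MFA_THRESHOLD = 20     # score at which a normal user must complete MFA
BLOCK_THRESHOLD = 60   # score at which the attempt is refused outright


@dataclass
class LoginAttempt:
    user: str
    src_ip: str
    country: str             # GeoIP result, assumed already resolved
    user_agent: str
    password_breached: bool  # result of a breached-credential lookup
    ts: int                  # epoch seconds


@dataclass
class Decision:
    action: str              # "allow", "mfa" (step-up) or "block"
    score: int
    reasons: list[str] = field(default_factory=list)


def evaluate(a: LoginAttempt, prior_timestamps: list[int]) -> Decision:
    """Score one login attempt against the risk signals and pick an action.

    prior_timestamps: epoch times of this user's earlier attempts (constructed
    history here; a real system would read them from a session store).
    """
    if a.password_breached:
        # A password known from breach data is a compromised credential: force a
        # reset instead of letting an MFA prompt paper over it.
        return Decision("block", 100, ["password appears in breach data"])

    score, reasons = 0, []
    ip = ip_address(a.src_ip)
    if any(ip in net for net in BAD_REPUTATION):
        score += 50
        reasons.append("source IP has poor reputation")
    if not any(ip in net for net in SCHOOL_NETWORKS):
        score += 20   # alone this reaches MFA_THRESHOLD: off-network logins step up
        reasons.append("outside school network")
    if a.country != HOME_COUNTRY:
        score += 30
        reasons.append(f"unusual country {a.country}")
    ua = a.user_agent.lower()
    if not ua or any(m in ua for m in NON_HUMAN_MARKERS):
        score += 30
        reasons.append("non-human client")
    recent = [t for t in prior_timestamps if 0 <= a.ts - t <= WINDOW_SECONDS]
    if len(recent) >= MAX_LOGINS_PER_WINDOW:
        score += 30
        reasons.append(f"{len(recent)} logins in the last {WINDOW_SECONDS}s")

    if score >= BLOCK_THRESHOLD:
        action = "block"
    elif score >= MFA_THRESHOLD or a.user in PRIVILEGED_USERS:
        action = "mfa"
        if score < MFA_THRESHOLD:
            reasons.append("privileged account always steps up")
    else:
        action = "allow"
    return Decision(action, score, reasons)


def sample_decisions() -> dict[str, str]:
    """Run the policy over constructed attempts; returns name -> action."""
    chrome = "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
    samples = {
        "teacher_on_site":   (LoginAttempt("teacher.brown", "10.20.4.17", "GB", chrome, False, 1000), []),
        "admin_on_site":     (LoginAttempt("admin.jones", "10.20.4.18", "GB", chrome, False, 1000), []),
        "teacher_from_home": (LoginAttempt("teacher.brown", "203.0.113.5", "GB", chrome, False, 1000), []),
        "rapid_repeat":      (LoginAttempt("teacher.brown", "10.20.4.17", "GB", chrome, False, 1000),
                              [700, 750, 800, 850, 900]),
        "breached_password": (LoginAttempt("teacher.brown", "10.20.4.17", "GB", chrome, True, 1000), []),
        "scripted_foreign":  (LoginAttempt("finance.smith", "198.51.100.7", "RU", "curl/8.4.0", False, 1000), []),
    }
    return {name: evaluate(attempt, history).action for name, (attempt, history) in samples.items()}


if __name__ == "__main__":
    for name, action in sample_decisions().items():
        print(f"{name:20s} -> {action}")
```

The weights are deliberately chosen so that leaving the school network is by itself enough to trigger MFA, while a breached password is never merely stepped up: a credential the attacker already holds needs replacing, and an MFA prompt on its own does nothing to fix that.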