CYBER SECURITY FOR STAFF

Dear all,

We are making some changes to improve the school’s cyber security. These will affect the way that you access school services when working from home or outside the school building, and we are also strengthening the password rules that apply when you are in school.

Why we are making these changes

The number of organisations across the UK that have been the victim of cyber attacks has increased dramatically over the past 18 months. This trend has been driven by the increase in remote working due to the pandemic, as well as the increasing availability of ransomware and other attack methods to criminal organisations. It is important to note that education establishments, and schools in particular, are a prime target for cyber criminals, as they do not typically have the budget, workforce or skills to actively monitor for, and react to, attacks. IT systems are also crucial to every aspect of what we do, so ransomware and other forms of attack are particularly damaging.

Little Lever School is no exception to the trends seen across the UK. Our systems see constant attempts to gain unauthorised access, from all over the world, as shown in these logs from just 2 hours in one day:

[Screenshot of the login-attempt logs; not reproduced here.]

In the past months there have been a number of instances where these attempts to gain unauthorised access to our systems have succeeded.

Last week, a senior budget holder in the school emailed our finance team, through the school email system, with a standard request to authorise payment to one of our regular suppliers, who is currently working at the school. This was a typical request of the kind finance receives every day from school budget holders. The budget holder was correct, the email was correct and in the correct format, the supplier was correct and the work was known; there was no reason not to approve and pay. However, it was fraudulent, and it was caught only through the vigilance of our finance staff. Had it not been found so quickly, it would have resulted not just in financial loss: the school would likely have been closed for weeks, and all, or a large proportion, of staff personal and shared files, including student grades, could have been erased.

In each case the breach has been detected early and the risk has been mitigated, but we must not remain complacent about the potential for worse consequences following a breach.

In all of the cases of unauthorised access to date, the breach has been traced back to a stolen or poor password.

So that we can keep the school’s staff, students and data safe, we need to prevent these unauthorised logins by updating our best practices to follow the guidance published by the UK Government, including the National Cyber Security Centre (NCSC). We are constantly making updates and changes behind the scenes to keep everyone safe, but all users must play a role in keeping the school secure, which is why we are making changes that impact staff passwords and how everyone works remotely.

 

The changes we are making

 

Passwords and Multifactor Authentication

We are asking all staff to move to a strong password for logging in to the school network. From Monday 16th all staff will have to change their password the next time they log in, whether in school or remotely.

Following the NCSC guidelines we are adopting the THREE-RANDOM-WORDS password system. There are several reasons why the NCSC and the school chose this strategy: passwords made from three random words help users create unique passwords that are strong enough for most purposes, and they are much easier to remember. Do not use words that can be guessed (like your pet’s name). You can include numbers and symbols if you need to. For example, “RedPantsTree4!”.

The school has set the following rules for passwords:

  • Minimum 12 characters (this allows three 4-letter words)

  • At least 1 capital letter

  • At least 1 lower case letter

  • At least 1 number

  • Do not include brand, person, celebrity, family, pet or football/sports team names

  • Do not use letter substitution (e.g. T34ch3r)

We will no longer be asking you to update your password on a regular basis, so you can set a stronger password that you will be able to use for the long term. The NCSC scheme recommends a password change only when a compromise is known or suspected. The school will check for leaked and compromised email accounts at least annually and take appropriate action. Once you have configured MFA, you will also be able to reset your own password if you ever forget it.
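As an added illustration, and not part of the school’s own systems or this memo, the following Python check applies the password rules listed above. It also catches T34ch3r-style letter substitution by undoing common swaps before comparing against a small blocklist; the blocklist entries are constructed examples of the kinds of names staff are asked to avoid.

```python
import re

# Rules taken from the memo above; the blocklist entries are constructed examples
# of the kind of names to avoid (role, school, place, team, pet, and the obvious).
MIN_LENGTH = 12
BLOCKLIST = {"teacher", "littlelever", "bolton", "wanderers", "rover", "password"}

# Common letter substitutions; undoing them lets "T34ch3r" be checked as "teacher".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def deleet(password: str) -> str:
    """Return the password lower-cased with letter substitutions undone."""
    return password.translate(LEET).lower()


def check_password(password: str) -> list:
    """Return the list of school rules the password breaks (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")

    plain = password.lower()
    unleeted = deleet(password)
    for word in sorted(BLOCKLIST):
        if word in plain:
            problems.append("contains blocked word '%s'" % word)
        elif word in unleeted:
            # Only visible once substitutions are undone: a disguised blocked word.
            problems.append("letter substitution disguises blocked word '%s'" % word)
    return problems


if __name__ == "__main__":
    # Constructed candidates: the memo's own example, a disguised word, a weak one.
    for candidate in ["RedPantsTree4!", "T34ch3r2021!", "redpantstree"]:
        result = check_password(candidate)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```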

We will be enabling multifactor authentication (MFA) for all staff logins to Microsoft services, including all Office 365 services (such as email), and all logins to the school’s remote desktop system. This means you will need to use your mobile phone to provide additional information when logging in to Microsoft services when you are outside the school building. The process is straightforward, and there are guides below.

PLEASE DO NOT CHANGE YOUR PASSWORD UNTIL AFTER MONDAY 16th 6AM, AS YOU WILL HAVE TO DO IT AGAIN.

Access to the remote server has already changed so you must follow the guide below.

 

  • Change Password and set MFA in School

    Login as normal with your existing password.

    You will get a message asking you to change the password.

    Type your old and new password, following the THREE-RANDOM-WORDS rules above.

    After logging on the PC, please open a browser and go to Office.com

    Click Sign In and use your email address and password to log in at the Microsoft prompts.

    You will get a message saying More Information Required. Click Next.

    You will be asked for your mobile number (and the country code from a drop down list)

    Follow the instructions to set and verify your mobile number as your MFA device.

    On Step 3 you do not need to set up anything else, just click Finished.

    This is now complete. Thank you for setting MFA.

  • Change Password and set MFA remotely

    Restart your PC/laptop. Open a web browser and go to Office.com.

    Click Sign In and use your email address and password to log in at the Microsoft prompts.

    You will get a message saying More Information Required. Click Next.

    You will be asked for your mobile number (and the country code from a drop down list)

    Follow the instructions to set and verify your mobile number for MFA.

    On Step 3 you do not need to set up anything else, just click Finished.

    After clicking Finished you will be asked to Update Your Password.

    Type your old and new password, following the THREE-RANDOM-WORDS rules above.

    This is now complete. Thank you for setting MFA.

  • Remote Access

    Following Microsoft and NCSC guidelines, we are changing the way that you log in to the remote desktop system. From now on, you will only be able to use the web-based version of the system. This offers better security for the school’s systems and is also simpler for users, as everything is done within your normal browser window. To access the remote server please:

    Open a browser window and type desktop.little-lever.bolton.sch.uk/ at the address bar. There should be nothing after the .uk/. If there is, please delete it before loading the page.

    You should now see the screen below. If you do not see this screen, press Ctrl and F5 at the same time to refresh the page. If that does not work, press Shift+F5 or Ctrl+Shift+R in Chrome (on a Mac: Shift+Command+R or Command+Option+E).

    Follow the screen instructions to log in, including your MFA code (you must have your mobile phone handy)

    You will now see the familiar icons below.

    Click on Desktop to log in to the server. On the screen below, use your email address and password to log in.

    You will now be asked if you want to share Clipboard and Printers. We suggest you leave options as they are by default and press OK.

    Following that, you should now be able to see and use the remote server.

Password Managers

Following Government and NCSC guidelines, we are starting the introduction of password managers from September. A password manager is an app on your phone, tablet or computer that stores your passwords securely, so you don’t need to remember them all. Some password managers can synchronise your passwords across your different devices, making it easier to log on, wherever you are. Some can also create random, unique passwords for you, when you need to create a new password (or change an existing one).

You may already be using a password manager without knowing it. Many are built into your internet browser (such as Google Chrome, Microsoft Edge or Safari), or are part of the operating system on your smartphone or tablet. You may have noticed that when you sign into an account, a box appears asking whether you want the browser (or device) to remember your password. If you are not sharing the device with anyone else, then it is safe to tick the box. If it doesn’t offer to save your password, you may need to turn this option on in your device settings.

Standalone password manager apps are also available to download, many of which can be installed on different types of device, and with extra features like the ability to create good passwords for you. The school has selected 1Password as its enterprise choice.

The NCSC strongly recommends that you set up two-factor authentication on the password manager account. If you have the option, set up more than one type of second factor so you have a backup way to get into your password manager account. Install updates for your password manager app as soon as you’re prompted to. If you’re using your browser’s built-in manager, always make sure you are using the latest version and keep it up to date. Choose a strong password for the password manager account (for example using three random words). You can’t store this in the password manager itself, so you may want to write this one down and store it somewhere safe – away from your device – so you don’t forget it.

We have identified the 10 highest-risk posts in the school and will be providing a centrally managed password manager, based on 1Password, for them. We will be running workshops in September for any staff who wish to learn more about these changes or would like more information on staying safe online.

Temporarily Disabled Potentially Compromised Accounts

Following the recent incidents we extended our cyber security investigation across all staff accounts. We are aware that some school email addresses were involved in one or more cyber security breaches on a third-party website or service. Information obtained in these breaches may include further details, such as individuals’ names and passwords as well as other personal information. As a security precaution we have temporarily disabled the affected school accounts until their passwords can be updated to be strong and unique.

We will contact affected staff directly to arrange that their school password is changed to follow current government guidance on passwords. We’ll also apply multifactor authentication in line with the school’s best practices.

In line with national guidance, we also recommend that staff use unique, strong passwords for all online services which use the same email address. This applies equally to school and personal email addresses. The use of a password manager to generate and store these passwords is the simplest and most effective method for achieving a secure online presence and we are happy to provide more guidance on this if required.

Additionally, we recommend that you check your personal email address(es) for breaches by using the search feature at https://haveibeenpwned.com.

If you have any difficulty with changing your password, activating MFA or accessing the remote server, please get in touch with Simon (work hours: 07462 548487) or John (any time: 07919 596843) for further guidance.