Dear all,
We are making some changes to improve the school’s cyber security. These will affect the way that you access school services when working from home or outside the school building, and we are also strengthening password requirements when working in school.
Why we are making these changes
The number of organisations across the UK that have been the victim of cyber attacks has increased dramatically over the past 18 months. This trend has been driven by the increase in remote working due to the pandemic, as well as the increasing availability of ransomware and other attack methods to criminal organisations. It is important to note that education establishments, and schools in particular, are a prime target for cyber criminals, as they do not typically have the budget, workforce or skills to actively monitor for, and react to, attacks. IT systems are also crucial to every aspect of what we do, so ransomware and other forms of attack are particularly problematic.
Little Lever School is no exception to the trends seen across the UK. Our systems see constant attempts to gain unauthorised access, from all over the world, as shown in these logs from just 2 hours in one day:
In the past months there have been a number of instances where these attempts to gain unauthorised access to our systems have succeeded.
Last week, a senior budget holder in the school emailed our finance team, through the school email system, with a standard request to authorise payment to one of our regular suppliers, who is currently working at the school. This was a typical request of the kind that finance receives every day from school budget holders. The budget holder was correct, the email was correct and in the correct format, the supplier was correct and the work was known; there was no reason not to approve and pay. However, it was fraudulent, and it was caught only by the vigilance of our finance staff. Had it not been found so quickly, it would have resulted not just in financial loss: the school would likely have been closed for weeks, and all or a large amount of staff personal and shared files, including student grades, could have been erased.
In each case the breach has been detected early and the risk has been mitigated, but we must not remain complacent about the potential for worse consequences following a breach.
In all of the cases of unauthorised access to date, the breach has been traced back to a stolen or poor password.
So that we can keep the school’s staff, students and data safe, we need to prevent these unauthorised logins by updating our best practices to follow the guidance published by the UK Government, including the National Cyber Security Centre (NCSC). We are constantly making updates and changes behind the scenes to keep everyone safe, but all users must play a role in keeping the school secure, which is why we are making changes that impact staff passwords and how everyone works remotely.
The changes we are making
Passwords and Multifactor Authentication
We are supporting all staff with a change to a strong password for logging in to the school network. From Monday 16th all staff will have to change their password the next time they log in, whether at school or remotely.
Following the NCSC guidelines we are adopting the THREE-RANDOM-WORDS password system. Passwords generated from three random words help users to create unique passwords that are strong enough for many purposes and can be remembered much more easily. There are several reasons why the NCSC and the school chose the three random words strategy. Do not use words that can be guessed (like your pet’s name). You can include numbers and symbols if you need to. For example, “RedPantsTree4!”
The school has set the following rules for passwords:
- Minimum 12 characters (supports three 4-letter words)
- At least 1 capital letter
- At least 1 lower case letter
- At least 1 number
- Do not include: brand, person, celebrity, family, pet or football/sport team names
- Do not use letter substitution (eg. T34ch3r)
We will no longer be asking you to update your password on a regular basis, so you can set a stronger password that you will be able to use for the long term. The NCSC scheme recommends a password change only when a compromise is known or suspected. The school will review leaked and compromised emails at least annually and take appropriate action. Once you have configured MFA, you will also be able to reset your own password if you ever forget it.
We will be enabling multifactor authentication (MFA) for all staff logins to Microsoft services, including all Office 365 services (such as email), and all logins to the school’s remote desktop system. This means you will need to use your mobile phone to provide additional information when logging in to Microsoft services when you are outside the school building. The process is straightforward, and there are guides below.
PLEASE DO NOT CHANGE PASSWORD UNTIL AFTER MONDAY 16th 6AM
AS YOU WILL HAVE TO DO IT AGAIN.
Access to the remote server has already changed so you must follow the guide below.