Special Report: Cyber crime – be on the alert

What do early years settings need to know about cyber security, and how can they avoid being the victim of digital crime? Annette Rawstrone reports

You’re only nipping out for ten minutes so it's fine to leave your door wide open… isn’t it?

Sadly, few of us would feel safe doing that these days. We are acutely aware of the risk of criminals physically gaining access to our homes or business premises to steal property and cause damage. But can the same be said for how we safeguard the technology that we increasingly rely on for functioning in our personal and professional lives? Not being alert to, and guarding against, online attack means that you are putting yourself and your childcare setting in danger of being targeted by cyber criminals.

‘Cyber incidents, which include but are not limited to cyber crime, IT failures, outages and data breaches, are currently the most significant threat facing businesses, as highlighted in a survey from risk management specialist Allianz, and early years settings are far from immune to this,’ warns Paul Donaldson, director of people and technology at Early Years Alliance.

‘For example, the report noted that previously hackers usually targeted specific industries that dealt with personal data, such as healthcare and retail. However, now ransomware attacks are “indiscriminate” and organisations big or small, across both the public and private sectors, are at risk. As such, it is vital that early years settings put key processes in place to alleviate any risks.’

Greg Reed, head of infrastructure and security at Connect Childcare, adds, ‘Nurseries are at just as much risk as any other business, perhaps more so given the labour-intensive nature of a setting, meaning there can be a considerable number of employees all accessing online systems from tablets and phones as well as laptops and desktop computers.’

As he highlights, online technology is now an essential tool for childcare businesses to communicate with parents and potential customers, conduct online banking, gain access to management software and store information and photographs. These devices and systems are also potential gateways for cyber criminals and need to be adequately protected – just think of the sensitive digital records that you hold, from child safeguarding concerns to staff payroll information and private correspondence.

Mark Unsworth, group marketing controller at Blossom, highlights the importance of three areas – data, picture and financial integrity. It would be incredibly disruptive to the day-to-day running of your setting if you were unable to access any of this data, and losing sensitive information is a huge safeguarding issue.

‘The potential impact on settings [from cyber crime] can range from website disruption to stolen data,’ says Donaldson. ‘In some instances, cyber criminals could even prevent settings from accessing personal information or bank details which could, in turn, have a considerable impact on the setting's reputation and finances as rectifying any breaches can be costly.’

HUMAN ERROR

While cyber security is not infallible – just as locking doors and setting a burglar alarm doesn’t guarantee that your premises won’t be broken into – it does mean that you are actively protecting your digital records and reducing the risk of becoming a victim of cyber attack. Essentially, it also means that you are safeguarding against other more ‘mundane’ occurrences, such as losing important data by misplacing your mobile phone or dropping and breaking your laptop.

The onus is on nursery owners and managers to ensure that data is stored securely – from using passwords to protect sensitive information to regularly backing up digital records and ensuring your staff are also aware of procedures (see box below). Be aware that, as well as the potential disruption of a cyber attack, your setting could be investigated and fined by the Information Commissioner's Office (ICO) if you have a breach of personal data.

Talk of hackers and ransomware attacks may make you want to revert to more ‘old school’ paper measures, but as Matt Arnerich, director of brand and communications at Famly, warns, ‘Data breaches can just as easily be a result of unlocked filing cabinets, paper with sensitive information left on the table, Post-it notes, forgotten books, and so often software is a far more well-protected setup.’

Reassuringly, he also says that standalone settings and small nursery groups are less likely to be the target of ransomware attacks, which are much more likely to be targeted at larger organisations such as nursery groups. While it is important to stay vigilant, their primary concern should be focused on phishing and malware attacks along with the potential of computer viruses.

Reed adds, ‘An ICO security report [see Further information] recently named the education and childcare sector as the second worst offender for workplace data breaches in the UK – accounting for almost one in seven cases since 2019.

‘While it's important to keep security measures strong and updated, it is often human error that leads to a cyber attack – a busy staff member opening an attachment or clicking a link without stopping and thinking about its authenticity first.’

Unsworth says, ‘Threat for a smaller setting really comes from within, from a rogue employee who wants to do some harm. Not from a cyber attack but from devices not being locked down and security passwords not being revoked from a disgruntled employee.

‘A small nursery is not going to be targeted by a hacker because they do not see value in the data or the transactional side. Where it could potentially happen is one of the big groups that's got hundreds of nurseries because they’re turning over millions and have got transactional data on file. It's immensely lucrative.’

SECURITY PROTOCOLS

Big nursery groups have the capacity to employ IT specialists to guard against online vulnerabilities, but it can be daunting for those operating smaller settings. ‘In a recent detailed and anonymous cyber security survey conducted by Connect Childcare and dot2dot, 137 nursery managers and owners across the UK – using various data handling systems online and off – revealed their worries about keeping children and families’ sensitive data safe,’ reveals Reed.

‘Cyber security is clearly a significant worry for many nursery owners and managers. Several reported the threat of ransomware attacks, falling prey to scam emails and theft of data kept them awake at night. Unwittingly breaching data regulations, staff knowing what to do if that were to happen, and the stress of handling such matters in-house, are also major concerns. The potential for human error – or even a “mole” inside a workplace – were among the possibilities highlighted.’

A recognition that robust online security is needed is often a driver for nurseries to buy in the services of a nursery management software company that will remove much of the worry. These companies have rigorous systems in place to reduce the risk of cyber attack, from employee background checks to strict policies and procedures around the security of customer data. You should be able to find their security procedures on their website.

Arnerich splits Famly's security protocols into three categories: testing and strict processes, including regular penetration tests by third-party independent testers; immutable back-up to secure against ransomware attacks; and a highly certified server provider and accreditation from Cyber Essentials Plus, which is a government scheme.

The company's networks are segregated into ‘production’, ‘staging’, ‘development’ and ‘office’ networks. Essentially, the ‘live’ production environment where people's data is held is separate from the environments that Famly employees work on to develop the product. Access to the ‘live’ databases is restricted only to engineers who absolutely need it.

At Famly, there is anti-malware and anti-virus software on all employee computers. It also has strong password policies and two-factor authentication on all systems with customer data, and gives regular security training for all employees. The company also has a business continuity recovery plan where scenarios are planned and practised yearly.

These are all practices that early years settings can also implement (see the ‘What should we do?’ box overleaf).

Choosing not to buy in nursery management software doesn’t mean that you need to become an IT expert and understand exactly how cyber attacks work. But you should get up to speed on the different terms (see the ‘What does it mean?’ box) and put in place certain precautions to feel more confident that you are doing what you can to address cyber security and keep your setting secure.

What does it mean?

Dark web

Encrypted online content that is not listed by conventional search engines and can only be accessed through specific browsers. There is greater anonymity, which often, but not always, makes it a place for illegal activity.

Hacker

A person who remotely breaks into computer systems without consent.

Malware

An abbreviation for ‘malicious software’. It is a file or code that is designed to disrupt, damage or gain unauthorised access to a computer system.

Phishing

The fraudulent practice of sending messages – such as emails, text or social media messages – pretending to be from a reputable company or person with the aim of acquiring sensitive data, such as bank account details and other information that makes it easy to commit identity theft, or trick you into sending money or expensive items.

Ransomware

A type of malware which has been designed to block access to files on a computer until a sum of money – ransom – has been paid. This is often activated by inadvertently clicking a link or opening an attachment. Victims will typically receive a pop-up message explaining what has happened and how the attackers want the ransom to be paid.

What should we do?

  • Do not run old, unsupported and out-of-date software and regularly ensure all of your setting's computers and devices are running the most updated software and operating systems. This is important because updates patch vulnerabilities, including those exploited by ransomware, and provide the latest security features.
  • Use virus protection software that includes protection for ransomware. Keep this updated too.
  • Use unique, strong passwords for each account. Instead of common words that are easy to guess, a strong password includes a mix of special characters, numbers and uppercase and lowercase letters.
  • For highly sensitive or valuable data, consider using two-factor authentication.
  • Be aware of phishing and malware threats by looking out for unfamiliar emails, websites, and links that are impersonating services you trust. Often, phishing emails contain spelling errors, grammar mistakes or logos that don’t look quite right.
  • Get into the habit of checking with senders before providing sensitive data or sending money – it may be time-consuming but could save you a lot of money and wasted hours in the long run.
  • Regularly back up the data you keep online.
  • Train all staff who have access to your nursery IT networks in the basics of cyber security and cover it in inductions for new starters – this is crucial because the most common attacks rely on mistakes by employees. Simply avoiding these mistakes prevents the attacks.
  • Updating training annually will refresh staff knowledge and inform you of the latest cyber threats.
  • If you decide to use a training provider to deliver training, make sure it covers areas such as data as well as phishing and ransomware.
  • When staff members leave, immediately remove their online access privileges and change any passwords they know.
  • Act swiftly if you think you’ve been the victim of an online scam or have inadvertently shared sensitive information. Steps include contacting your IT manager or nursery software provider, if you have them. Alert your bank or other involved organisation and change passwords. Also, report it as a crime to Action Fraud for England, Wales and Northern Ireland, or Police Scotland.
  • If the worst-case scenario happens and you do receive a ransomware demand, the advice is to not pay it. You are giving money to criminals and there are no guarantees you will get your files back. Instead, ask an IT expert whether there are decryption tools available, or recreate the files you have lost and chalk it up to experience.

FURTHER INFORMATION

NURSERY SOFTWARE MANAGEMENT COMPANIES