In January 2020, La Salle Primary School in Kowloon City became the ninth school in Hong Kong to fall victim to a cyber attack, with four of the affected schools reporting serious data breaches. The point of entry appears to have been WebSAMS (the Web-based School Administration and Management System), a government-developed system that allows electronic communication between schools and the education authorities. WebSAMS is currently used by 988 schools in Hong Kong, each of which is individually responsible for maintaining its own security protections.
Unfortunately, this is a growing problem, not just in Hong Kong but across the globe. Schools store a large amount of personal data about their students and have historically had limited budgets for cybersecurity. This makes them an ideal target: in 2019, Ars Technica reported that schools were the second most common targets of ransomware attacks in the US, just after local government. Attackers can demand large sums, usually in Bitcoin, either to restore access to encrypted systems or to prevent the release of students' data, making this an extremely lucrative form of extortion. In 2017, Los Angeles Valley College paid hackers $28,000 in ransom to prevent the release of sensitive data, and in 2019 the Rockville Centre School District in New York paid out $88,000. In 2019, over 500 schools were targeted in the US alone.
A 2018 digital security report listed Hong Kong among the top five targets for cyber attacks, and estimated that as much as 10% of the region's GDP could be lost as a result. So how do you prevent your systems from falling prey to attackers?
Firstly, keep your software patched and up to date, and install a firewall. Make sure antivirus software and browsers are updated regularly, consider blocking access to known high-risk sites, and remove ordinary users' permission to install software (in practice, do not give everyday accounts local administrator rights).
Understand what data might make your systems a target: payment details, addresses and demographic information, both for private individuals and for other organisations, whether in Hong Kong or globally. Make sure that data is encrypted, both where it is stored and when it is transmitted, and that it is not retained for longer than it is needed. It can be tempting to let databases build up "just in case", but protect your clients and yourself by securely deleting records that are no longer required.
Be vigilant with hardware: not just work phones and laptops, but also external drives, USB sticks and similar devices. It can be frustrating for staff, but a blanket policy against connecting any personal device, even something as innocuous as a Kindle, to any workplace machine is a clear way to maintain a safety buffer around your workplace systems. If you are upgrading your hardware, make sure that every device is securely wiped (a full-disk erase or factory reset, not simply deleting files, which leaves the data recoverable) before it is disposed of, even if you are not planning to resell it.
Train all staff, whether they are in Hong Kong or working remotely, in online safety precautions. The jury is out on whether forcing staff to change passwords frequently is an overall gain for security: frequent password changes often mean that users are less likely to choose a strong password (opting for memorability over complexity) and are more likely to write the new password down. Instead of relying on frequent password changes, require long, unique passwords and consider deploying a multi-factor authentication system to protect sensitive data, so that a stolen or phished password alone is not enough to log in.