Posted by Ben Thorne on May 22, 2017
Following the high-profile WannaCry ransomware attack on the NHS, many organisations will be questioning the integrity of their cyber defences and their vulnerability to attack.
With more confidential data held electronically every year, effective cyber security is increasingly vital. Without sufficient defences there can be severe disruption to business continuity; with the right controls and systems in place, the disruption caused by a cyber attack can be contained and kept to a minimum.
Section 2.3 of the Academies Financial Handbook (AFH) outlines the internal controls that must be in place within a trust, and highlights the need for risk management and, in particular, business continuity.
Ransomware attacks networks and computers by locking systems and/or encrypting files. To regain access the user is told to pay a ransom, usually demanded in Bitcoin, in exchange for the decryption key; paying does not guarantee that the files will be recovered. If the issue is not remedied and control is not regained, the result can be a large-scale loss. It goes without saying that a ransomware incident can cause a great many operational and financial problems, and the trust will be required to report it to the ESFA as fraud, theft or irregularity.
There is a wide selection of information and tools available to limit the likelihood and spread of further cyber attacks. The National Cyber Security Centre (NCSC) provides up-to-date guidance on protecting against ransomware, as well as further information on what ransomware is, how it infects systems and what to do if you are a victim of such an attack.
Academies must also be prepared for unforeseen circumstances. Section 2.3.8 of the AFH states that the trust's management of risk must include contingency and business continuity planning.
Internal controls can themselves create a business continuity risk. For example, access to certain information or systems (e.g. employer portals, payroll information, the ESFA website) may be restricted to one person (e.g. the School Business Manager). Problems arise when that person is unexpectedly unavailable and the trust can no longer reach the information it needs. The trust should prepare for such situations by ensuring that more than one employee holds the necessary access rights (each with their own credentials, so that the audit trail is preserved rather than a single login being shared) and that plans are in place.
Back-ups are not only a good defence against cyber attacks but are also invaluable for disaster recovery. Computer or network damage will cause huge setbacks if back-ups are not taken frequently. The NCSC recommends that back-ups are not stored on the same network or computer, so that a single incident cannot destroy both the live data and the copy: ransomware will encrypt any back-up it can reach, including mapped network drives. A back-up that has never been restored is also untested, so restores should be rehearsed, not assumed.
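As an added example, not code from the original post nor anything published by Bishop Fleming or the NCSC, the script below takes a backup with a SHA-256 manifest and then performs the restore test that the paragraph above calls for: it extracts the archive into a scratch directory and checks every file against the manifest, reporting anything missing, altered or unexpected. The directory names, file names and file contents are constructed for the demo; in practice the destination directory would be offline media or a separate store the source host cannot write to after the backup is taken.

```python
# Added example (not part of the original post): integrity-checked backup and
# restore test. All paths and sample files below are constructed for the demo.
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest: Path, name: str = "backup") -> tuple[Path, Path]:
    """Archive every file under src into dest/<name>.tar.gz and write a SHA-256
    manifest beside it. dest should be somewhere the source host cannot write
    once the backup is taken, so ransomware on the host cannot reach it."""
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"{name}.tar.gz"
    manifest = dest / f"{name}.manifest.json"
    hashes: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                hashes[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2, sort_keys=True))
    return archive, manifest


def restore_test(archive: Path, manifest: Path) -> dict:
    """Extract the archive into a scratch directory and compare each restored
    file with the manifest. ok is True only if every expected file came back
    byte-for-byte identical and nothing extra appeared."""
    expected = json.loads(manifest.read_text())
    report = {"ok": False, "missing": [], "corrupt": [], "unexpected": [], "error": None}
    seen: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmpdir = Path(tmp).resolve()
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for member in tar.getmembers():
                    if not member.isfile():
                        continue
                    target = (tmpdir / member.name).resolve()
                    # Refuse entries that would escape the scratch directory
                    # (absolute paths or '..' components inside the tar).
                    if tmpdir not in target.parents:
                        raise tarfile.TarError(f"unsafe path in archive: {member.name}")
                    target.parent.mkdir(parents=True, exist_ok=True)
                    target.write_bytes(tar.extractfile(member).read())
                    seen[member.name] = sha256_file(target)
        except (tarfile.TarError, OSError, EOFError) as exc:
            # A truncated or corrupted archive is a failed restore, not a crash.
            report["error"] = str(exc)
            return report
    for rel, digest in expected.items():
        if rel not in seen:
            report["missing"].append(rel)
        elif seen[rel] != digest:
            report["corrupt"].append(rel)
    report["unexpected"] = sorted(set(seen) - set(expected))
    report["ok"] = not (report["missing"] or report["corrupt"] or report["unexpected"])
    return report


def demo() -> tuple[dict, dict]:
    """Constructed scenario: a good backup passes the restore test; a backup
    taken after ransomware has rewritten the files fails against the original
    manifest, showing which files were lost, altered or newly appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "finance"
        (src / "payroll").mkdir(parents=True)
        (src / "payroll" / "april.csv").write_text("staff_id,net_pay\n1001,2100.00\n")
        (src / "budget.xlsx").write_bytes(b"\x50\x4b\x03\x04 constructed sample bytes")
        archive, manifest = make_backup(src, root / "offsite")
        good = restore_test(archive, manifest)
        # Simulate ransomware: one file encrypted and renamed, another overwritten.
        (src / "budget.xlsx").unlink()
        (src / "budget.xlsx.locked").write_bytes(b"ciphertext")
        (src / "payroll" / "april.csv").write_text("ciphertext\n")
        later, _ = make_backup(src, root / "offsite", name="after")
        bad = restore_test(later, manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("good backup passes restore test:", good["ok"])
    print("post-incident backup:", bad)
```

The restore test is the step most often skipped. Keep the manifest with the backup, off the host: a manifest the attacker can reach can be rewritten to match encrypted files, and the check would then pass. A backup taken after the encryption, as in the second half of the demo, is worthless however carefully it is stored, which is why the NCSC advice to keep copies off the live network matters as much as the frequency of the backups themselves.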
Fraud is another risk that academies face and must be proactive about. As with cyber attacks, the right controls and systems can limit both the likelihood and the impact. Section 2.3.3 of the AFH states that the risk of fraud must be addressed through internal controls, so it is important that these are developed with this in mind.
Section 4.8 of the AFH outlines the ‘musts’ relating to fraud, theft and/or irregularity. Trusts must notify the ESFA of any instances of fraud, theft and/or irregularity exceeding £5,000 individually, or £5,000 cumulatively in any academy financial year. The AFH makes it clear that the ESFA will not tolerate fraud, and it reserves the right to conduct or commission its own investigation into actual or potential fraud, theft or irregularity.
If you have any questions please contact your usual Bishop Fleming representative.