WannaCry Ransomware and Schools

With the NHS still reeling from arguably the biggest ever ransomware attack, it is perhaps a good time for schools to consider their cybers-security arrangements. Back in January, I wrote a blog post about a particular way in which some schools had been targetted. You can see the original post here.  The virus involved in the January examples may or may not have been the same WannaCry virus that is currently plaguing the NHS. The mechanism for introducing the virus into the NHS computer system may well have been different from that described in the January article. But the does not matter! What does matter is that ransomware viruses are preventable and that at your school you start taking appropriate measures to protect your systems and data.

There are two strands to preventing ransomware attacks on your data: technical and human.

The technical strand involves keeping your windows software up to date.You don't have to move to the latest Windows version as soon as it is released but continuing to run a version that is no longer supported is dangerous.  It's dangerous because Microsoft stops providing patches and updates for its older operating systems. Microsoft stopped supporting WinXP and Vista three and two years ago respectively. So if you are still running either of these operating systems you should be very worried and be looking at upgrading your OS!

If your OS is still being supported (Win 7, Win8, Win 10) your machine should be receiving regular automated updates. These automated updates are your best line of defence against ransomware. Ransomware is designed to exploit vulnerabilities in your operating system. Windows updates remove these vulnerabilities by applying 'patches' or fixes to the software. But it is possible to turn updates off. Sometimes people do this because updates take up disc space and are often believed to slow the machine down. If your machine's spec is high enough for the OS there shouldn't be a problem wit the updates. And remember, a slightly slower machine that you can access your data on is better than a fast machine that has trashed all your files! Make sure that your machine is receiving automated updates!

If your PC or laptop's OS doesn't have the latest fixes it is vulnerable to all sorts of viruses and malware attacks but it has to get infected. The WannaCry ransomware virus will have reached individual machines on the NHS network via one of a number of possible routes: transferred from an external drive (memory stick, external hard drive), downloaded from a website or activated by some unsuspecting person clicking the infected link in an email. 

Now if you never connect to the internet (not even for email or the iPlayer), if your machine is not part of a network,  and you never plug in any form of external media (memory sticks, external drives etc) you can stop worrying! A truly isolated machine is absolutely safe from viruses. But these days we are rarely offline let alone unconnected. We send and receive files via email, we open emails and follow links, we download free apps, music and videos all of the time.

So all the cybercriminal needs to do is to send us an email with a link to a virus or disguise the virus in a seemingly harmless file or software download. As described in the January article, sometimes they'll go the extra mile to ensure that we accept their download or open the email.

Ransomware attacks rely heavily on human behaviour. Someone needs to click a malicious link or open a malicious attachment to trigger the attack. So first and foremost, be vigilant. Learn to spot phising emails and potential ransomware attacks.

  • Is the email from a known sender?
  • Are you expecting the email/attachment?
  • Is the email address suspicious? i.e. from: Kathy Smith<KS3456864927t.com>
  • If you are asked to click a link again does the URL look suspicious? i.e. URL www.lloydsbank/45678tyr.com
  • Are there grammar or punctuation errors that you wouldn't expect?
  • Test the link at https://global.sitesafety.trendmicro.com/ 

And make sure that everyone who uses you machines knows this stuff! Raise it at your next staff meeting, talk to admin and other non-teaching staff, check that your OS is supported and regularly updated. Make sure that pupils are aware too - it will help protect your system and help to keep them safe from potential ransomware attacks at home.

 National Cyber Security Centre website has general advice on protecting your organisation from ransomware and the latest guidance on the WannaCry ransomware 


Governing Bodies - Who's Responsible for Online Safety?

Five years ago online safety was viewed as being all about computers and therefore was tacked on to the ICT/Computing lead’s role. In 2012 Ofsted included e-safety in its section 5 criteria. In September 2016 DfE’s statutory guidance ‘Keeping Children Safe in Education’ and Ofsted subsequence update to its guidance for inspectors ‘Inspecting Safeguarding in Early Years, Education and Skills’ firmly positioned online safety within Safeguarding. 

This repositioning of online safety has had a profound impact on how online safety needs to be managed in schools. The Designated Safeguarding Lead (DSL), the senior leadership team and Governors are now integral to the implementation of online safety and carry ultimate responsibility for its delivery. Governing bodies are now required to approve and review the effectiveness of online safety policies and practise. Together with the SLT and DSL, they have shared responsibility for how online safety is managed and implemented, for the creation of a positive safeguarding culture and ethos and for ensuring that all staff are adequately trained in all aspects of safeguarding including online safety.
Online Safety responsibilities for Governors:

• Manage, review, promote and evaluate adherence to online safety policies
• Ensure that there are mechanisms to support pupils, staff and parents facing online safety issues
• Ensure that the DSL is trained to support staff and pupils and to work with other agencies
• Ensure that all staff receive relevant training that is regularly refreshed
• Educate parents and the wider school community

The UKCCIS Education Group has developed guidance for school governors to help governing boards support their school leaders to keep children safe online. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/562876/Guidance_for_School_Governors_-_Question_list.pdf
This document is non-statutory and should be read in conjunction with DfE’s statutory guidance ‘Keeping Children Safe in Education’
How E2BN help
E2BN has a long history of providing online safety training and advice to schools. In addition to sessions for school staff and parents, E2BN also offers Online Safety sessions for Governors.

Safeguarding – Hoaxes and Fake News

You may well have seen news and social media posts about ‘Blue Whale’, the posts urge you to share to protect young people from a viral suicide game. https://www.thesun.co.uk/tech/3003805/blue-whale-suicide-game-online-russia-victims/. The ‘Blue Whale’ story is a hoax, or fake news, something which is permeating almost every news area recently. http://www.netfamilynews.org/blue-whale-game-fake-news-teens-spread-internationally

Alerts are often shared over social media, even when initially shared through more conventional routes, such as letters home to parents. The danger with a social media share of a hoax or fake story is that it will also reach young people. There are significant pressures caused by FOMO – fear of missing out; this affects body image, feelings of belonging and for a young person with poor mental health it may encourage them to consider or copy a dangerous behaviour.

The other issue with sharing specific alerts is that adults will, with the right intentions, focus on the specifics of the story and so may be less open to the signs and symptoms of harm and abuse. The child must be at the centre of our concerns, and if it took a news story to make us take a child self-harming, such as is in the ‘Blue Whale’ hoax, as a serious concern then we really have to question our own commitment to and understanding of safeguarding.

This hoax/fake issue has happened before, for example:

  • Many ‘white van kidnapping/abduction’ stories fall into this area. There are frequent social media stories about attempted kidnappings, they spread fast and can result in thousands of shares over a 24-hour period. Often they have no specific location, they are not timed or dated, there is no detail, just fear.
  • There was a case involving ‘Talking Angela’, an app where children can hold a text conversation with an animated cat. Stories went round that the app was developed by paedophiles to gain access to children, this was a hoax http://www.thatsnonsense.com/is-the-talking-angela-app-safe-for-kids-we-take-a-look/.
  • In August 2013 fourteen year old Hannah Smith committed suicide; the news stories told us Hannah had been bullied on Ask.fm https://www.theguardian.com/society/2013/aug/06/hannah-smith-online-bullying. Calls were made to close the site, it was said that the site promoted bullying and suicide; even David Cameron joined in calling for the site to be closed. The Ask.fm site owners stayed quiet – they stayed quiet because they were working with Police, providing facts behind the case. Sometime later, it emerged that the bullying messages Hannah had received were sent from her own computer, she had sent the messages to herself https://www.theguardian.com/uk-news/2014/may/06/hannah-smith-suicide-teenager-cyber-bullying-inquests. This case was not about an evil website, but about the poor mental health of a teenager.

There will always be risk, and stories such as http://www.mirror.co.uk/news/world-news/horrified-parents-warn-paedophiles-using-8363035 ‘Horrified parents warn paedophiles are using hugely popular musical.ly mobile phone app to groom underage children’ – are based in truth, but need to be put into context – every online app with any communication aspect is open to this risk, some are moderated, some have software monitoring, but the risk will always be there. The danger here is that musical.ly is seen as dangerous, but another similar app is seen as safe. The danger in focusing on a particular app is that some parents will ban the app, instead of understanding paedophiles will be there on all apps. Just as if you take children out to a park or a shopping centre, they will be there too. The most important messages are about keeping safe online:

  • Follow the age restrictions
  • Put privacy settings on
  • Don’t participate in anonymous chat
  • Block, delete and report users or posts that worry you.

Encourage parents to keep the conversation going at home, to talk to their child about what they are doing online. Schools and family at home should celebrate the exciting things and provide sensible advice, caution and support if children are taking risks and report if concerned.

Where there is an alert about a ‘real world’ situation, such as an attempt to abduct a child, make sure information is specific, timed, dated and located. Offer sensible and ongoing advice to parents and children - children must be aware of their personal safety, tell a trusted adult if they are worried or concerned. Let them know that 999 calls are free from mobile phones and phone boxes.

The risk will always be there, but learning about risk and learning how to manage and mitigate risk is key learning for children and young people. We have to help them with this, and raise concerns where a child is at risk of harm and abuse.

Useful sites

That’s nonsense http://www.thatsnonsense.com/

Hoax slayer http://www.hoax-slayer.net/

Snopes http://www.snopes.com/

Support sites

UK safer internet centre https://www.saferinternet.org.uk/

LGfL Online Safety http://os.lgfl.net

Childnet http://www.childnet.com/

NSPCC https://www.nspcc.org.uk/

Parentzone https://parentzone.org.uk/

Guest Post by: Penny Patterson
Havering Education Services
April 2017


Fantastic way to get parents interested in online safety

Thinking of holding an online safety session for parents and carers? Worried that you'll have a poor turn out? 

Lots of schools are keen to hold online safety sessions for parents and carers.  The problem is that whilst the school thinks online safety is important, parents often do not. I think parents don't attend because they genuinely can not see what all of the fuss is about. Either they don't use social media and so they 'don't know what they don't know' about it or they use social media and have never had a problem. So maybe what we need to do is to demonstrate just how far and how fast a picture posted on a social network can travel!

Now this is (sadly) not my idea but... how about if a teacher takes a picture of the school mascot, class pet, a teddy bear (you choose) and shares it via  Facebook or Twitter accompanied with a brief explanation that you are trying to demonstrate to your class how widely an image can be shared and how it can reach people that you don't even know? I've been the recipient of this sort of request a couple of times and have been happy to accommodate. I've not known the teacher; the request had been shared many times before it reached me and, hopefully, many of my FB 'friends' have shared it further. How many likes/ comments and shares do you think you might get? How far do you think that your image might travel in say a week or two weeks? 

 A teacher in Hereford posted this image of 'John' on Facebook on a Tuesday. By Friday it had had over 1,000 shares and reached almost every continent! 


skeleton john

 What a fantastic way to demonstrate the power of social media. And what a great thing to do a month or so before you hold your online safety session for

parents! What if every day after you post the image, you update 'a how many shares counter' displayed prominently in school? Try it a month or so before you hold your online safety session for parents. Every day after you post the image, update 'a how many shares counter' displayed prominently in school. Even if t doesn't persuade parents to attend your online safety session, it will deliver a powerful message to your pupils about social media.




Sex and Relationship Education compulsory in all Schools

Today, Education Secretary, Justing Greening, announced that from September 2019 all schools, including academies and free schools, will be required to teach SRE  and that PSHE will become a statutory subject.

  • All primary schools will be required to teach age appropriate relationship education
  • All secondary schools will be required to teach age appropriate relationship and sex education

Greening said that statutory guidance on SRE was introduced in 2000 and is becoming increasingly outdated. In particular, it fails to address cyberbullying, sexting and staying safe online.

See the Greening's full statement 


Latest from the Blog