
Cyber security - centre and staff responsibilities

29 Jan 2025

Amongst the most significant threats to the integrity and security of the examination system is that posed by organisations and individuals who want to obtain confidential examination materials for personal and/or financial gain via a cyber-attack.

As the owners and distributors of this information, awarding organisations are required to maintain the highest levels of cyber security. It follows that centres, as the recipients of confidential examination materials, and the exams office staff within them are also required to adhere to the highest possible standards of cyber security.

In this article, we consider the main areas which centres – and staff managing and administering examinations and assessments within centres – should consider to ensure that they are adhering to the highest possible standards – including JCQ requirements – in relation to cyber security.

Centre responsibilities

Alan Easton of ATP Cyber details the following seven areas which centres should consider to ensure protection against a cyber-attack.

  1. Multi-Factor Authentication (MFA)

As centres can create multi-factor authentication for all user accounts at no cost (by using the settings within your chosen cloud service provider such as Microsoft 365, Google Workspace, or others) this is a measure which all centres are encouraged to adopt.

Although users can be frustrated by over-elaborate MFA systems, they are cost-effective, easy to implement and very effective in improving the security posture within a centre.

  2. Using a Password Manager

If a system is not supported by MFA, this will leave individual accounts unsecured. Therefore, a Password Manager (a programme which stores and manages passwords) should be used to generate, store, and when required, retrieve passwords.

  3. Patch management

Centres should incorporate a patch management system which identifies, acquires, tests, deploys, and monitors software updates (patches) across a system to address security vulnerabilities, improve functionality, and maintain overall system health.

Organisations which do not utilise a patch management system are ‘easier pickings’ for a cyber-attack.

  4. Security assessments

Centres should conduct a regular security assessment which includes simulations such as a ‘dummy’ phishing attack.

An assessment should evaluate an organisation's security controls, including its systems, applications, and policies, to identify potential vulnerabilities and risks that could compromise its data and infrastructure.

Such assessments provide a check to ensure the effectiveness of security measures which are in place to protect against threats, pinpoint weaknesses and provide recommendations for improvement.

  5. Cyber security awareness training

The human element is the weakest link in the majority of cyber security chains. Therefore, centres should consider delivering regular training programmes for staff to protect against threats such as phishing attacks – which are usually the initial step for gaining access to an organisation’s internal network.

  6. An IT backup system

All centres should have an effective IT backup system which creates and stores copies of critical data from a computer network or system. This will provide partial protection against ransomware and allows for the restoration of lost or corrupted data due to hardware failure, cyber-attacks, accidental deletion, or other disruptions.

  7. Cyber insurance

If centre budgets allow, as organisations that collect, process and store personally identifiable information (PII), schools/colleges should consider cyber insurance. Not only will this insurance cover the costs of a data breach or another type of cyber-attack, but many insurance companies will also perform an assessment of the centre's security posture and provide guidance on improving security measures. The level of insurance premium will be based upon the amount of data held by the centre, existing preventative/detective controls against cyber-attacks, existing internal policies and procedures, etc.

The Exams Office and the National Association of Examinations Officers (NAEO) are working in partnership with ATP Cyber to support centres in developing cyber security systems and protocols. This support programme includes information and resources to help schools/colleges to comply with JCQ requirements as set out in the General Regulations for Approved Centres (section 3.21), including best practice through videos, factsheets, FAQs, posters, checklists, etc., and includes a centre Website Security Test.

Staff responsibilities

As stated above, the human element is very often the weakest link in the majority of cyber security chains. Therefore, individual staff members should be required to follow the steps detailed below:

  1. Create strong unique passwords

Staff should be required to use a password creation approach such as three random words to generate suitably secure passwords. Easily guessable information such as birthdays, singular names or common words for a password should not be used.

A strong, unique password should be used for every account; the same password should not be reused on any other account.

  2. Keep all account details secret

Login/password details or additional factor/authentication codes should never be shared with anyone else.

Each person who needs access to a system should request their own user account and never share an account assigned for their use with anyone else.

  3. Update any passwords that may have been exposed

If it is believed passwords may have been exposed/become known to others, they should be changed as soon as possible. The new passwords should not be shared with anyone.

When changing passwords, strong unique passwords (e.g. three random words) should always be used. Old passwords should not be reused, and staff should not cycle through a small set of passwords across multiple accounts. When passwords are reused, or follow a discernible pattern (such as the same word with an incremented year or a different suffix), attackers have tools that will help them to identify such password reuse/cycling patterns.
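As an added illustration (not from the article or from ATP Cyber), the Python snippet below generates a three-random-words password from a small constructed wordlist and checks a proposed new password against that account's password history for the reuse and pattern-cycling problems described above; the wordlist, the common-word list and the length threshold are assumptions.

```python
import re
import secrets

# Constructed sample data (assumptions, not from the article).
WORDS = ["lantern", "orbit", "pebble", "velvet", "cactus", "meadow"]
COMMON_WORDS = {"password", "welcome", "summer", "winter", "school", "exams"}
# Undo the most common "leetspeak" substitutions so P@ssw0rd is seen as password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def three_random_words(wordlist, sep="-"):
    """Recommended approach from the article: join three words chosen with a CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(3))


def normalise(pw):
    """Reduce a password to its pattern core so Summer2024! and Summer2025! compare equal:
    lowercase, strip trailing digits/symbols, then undo leetspeak substitutions."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)


def check_new_password(new, history, min_len=12):
    """Return the list of policy failures for a proposed password; [] means acceptable.
    history is the list of that account's previous passwords."""
    problems = []
    if len(new) < min_len:
        problems.append("too short")
    if new in history:
        problems.append("reused")
    core = normalise(new)
    # Discernible-pattern check: same core as an old password (case, suffix, leetspeak).
    if core and any(core == normalise(old) for old in history):
        problems.append("reused pattern")
    # Easily guessable: a single common word, or a 6-8 digit string that looks like a date.
    if core in COMMON_WORDS or re.fullmatch(r"\d{6,8}", new):
        problems.append("guessable")
    return problems


if __name__ == "__main__":
    candidate = three_random_words(WORDS)
    print(candidate, check_new_password(candidate, []))
    print(check_new_password("Summer2025!", ["Summer2024!"]))
```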

  4. Review and manage connected applications

Access for third-party applications, or services that no longer require access to accounts, should be regularly reviewed and removed if necessary. Access should only be provided to trusted services.

Centre staff should avoid – or be particularly cautious if they cannot avoid – interacting with content and services (e.g. quizzes, prize draws, surveys etc.) on social media platforms.

Account details (usernames/passwords) should not be saved in local web browsers. The one exception is a secure password manager extension that requires unlocking (e.g. with a master password) before any saved account details can be retrieved; even then, care should be taken to ensure that it is locked or signed out of after use.

When using a shared browser, browser history and caches should be cleared out after use. The use of private browsing functions to reduce the usage trail left on any such browser should also be considered.

  5. Stay alert for all types of social engineering/phishing attempts

Care should be taken if unsolicited or unexpected emails, instant messages, or phone calls are received asking for account credentials or personal or confidential information. Passwords and 2FA/MFA authentication codes should not be given out to anyone.

Centre staff should develop a healthy wariness of anyone or anything that seems to want to gain their trust, rush them into doing something, or that just seems off. If in doubt, hang up or don’t reply, don’t click on links or take any action, and check with a trusted party via a secure channel (e.g. call awarding body customer services via a known support number).

Staff should not approve or authenticate a login request that they did not initiate, nor click on suspicious links, download attachments or scan QR codes from unknown sources.

The authenticity of any communication should be verified by contacting the organisation directly through official known channels. Staff should be encouraged to be wary of unsolicited inbound phone calls even where the caller’s number appears genuine.

Any phishing attempts which reference awarding bodies or their systems should be reported to the awarding body concerned immediately. JCQ and awarding bodies can send out communications to centres where notable attacks are observed, but they rely on centres and centre staff to flag such attacks to them.