Spotlight on CCTV in schools

A recent story in the Daily Mail exposed the ease with which hackers in the US broke into CCTV systems in some UK schools and streamed live images of teachers and children for viewing by anyone accessing the hackers’ web-site.

Incredibly, the schools concerned had failed to change the default password so the CCTV images were not adequately protected. Maybe they thought no one would be interested in the images they record to keep the school safe.

We have long been aware of “stranger danger” when it lurks at the school gates. Head teachers and their technical officers need to recognise that keeping their children safe includes protecting their images too. Apparently, more than 200 schools in the UK use cameras in toilets – let’s hope these aren’t the same ones as those who didn’t think to change the default password!

Other password weaknesses

Password sharing

Has a colleague ever asked you for your password so that they can access a file or system in your place? Or have you volunteered your own password to a colleague so that they can access a site, perhaps because you are not in the office and need some information? The acceptability of this type of activity depends on the security culture of your organisation; in most organisations, such sharing is prohibited and employees would not expect to share. In other settings, particularly where the working environment relies on teamwork, such as in a school, sharing may be more commonplace.

Individuals should be aware that they are compromising their own reputations when they decide to share their passwords. Organisations take the view that all IT activities recorded against a particular user ID in the audit trail, whether using systems or visiting web-sites, have actually been carried out by that user. And it is not just the organisation’s business data which sharing puts at risk: if the password is one which has been re-used across multiple sites, the risk extends to the user’s own personal data in accounts elsewhere across the web. It is difficult to say no to colleagues at work looking for help, so organisations need to ensure that their culture reinforces a responsible approach to password guarding. If sharing is required to keep things running smoothly, this suggests that a review of IT access rules is required, and strict guidelines on when sharing is deemed appropriate should be provided.

Children knowing adult passwords

Even the most angelic of children have curious and investigative minds. In a school environment where the teaching staff access systems in the classroom, it is important that passwords are kept secret and sufficiently complex to prevent pupils finding them out. While many regard systems which force users to change passwords regularly as burdensome and excessive, this is clearly an environment where it is justifiable, as it reduces the likelihood of a pupil discovering their teacher’s password and limits their use of it should this happen.

Most used passwords

Recent analysis by the UK’s National Cyber Security Centre (NCSC) found that 123456 was the most widely-used password on breached accounts, appearing in more than 23 million passwords. The second-most popular string, 123456789, was not much harder to crack, while others in the top five included “qwerty”, “password” and 1111111.

The most common name to be used in passwords was Ashley, followed by Michael, Daniel, Jessica and Charlie.

When it comes to Premier League football teams in guessable passwords, Liverpool are champions and Chelsea are second. I imagine Manchester City is on the way up too.

The lesson here is not to protect sensitive data with something that can be guessed; that includes your name, pet’s name, your children’s names, local football team or favourite band.

Joy Higham, Data Protection Practitioner