Cyber attacks against schools have been hitting the headlines throughout 2020 and 2021 (and it’s only July). Educational establishments are currently more likely to suffer a security breach than businesses – Cyber Security Breaches Survey 2021. The illustration below shows the percentage of institutions which have identified a breach or attack in the last 12 months.
(Survey data gathered between Oct 2020-Jan 21)
Secondary schools and further education colleges in particular, are being heavily hit. These attacks can come in many forms, from typical phishing emails, to malware via downloads, ransomware and denial of service attacks. You can find out more about the Six Most Common Types of Cyber Attacks here.
Schools minister Nick Gibb has recorded over 70 ransomware cases in the sector during the pandemic. This is in addition to attacks in higher and further education. The latest attacks, incidentally local to M-Tech HQ, were on the Skinners’ Kent Academy and Skinners’ Kent Primary School. Both of these schools were forced to close for several days. A report of the incident is available at BBC News.
The Department for Education, alongside the National Cyber Security Centre (NCSC) have written to schools twice in the past year. Both alerts highlighted the increased attack levels and the urgency of securing systems.
Bringing cyber security to the forefront
It’s long been essential for schools to prioritise safeguarding and to seek to protect sensitive student data. The cyber security element, as a whole, is only really coming to attention now. Creating a culture of security is a known goal in the business world, yet it should also be the same in an education setting. Our article, Creating a Positive Cyber Security Culture, touches on some basic steps to achieve this.
Even if a school suffers no financial or data losses, losses from an attempted breach are noticeable elsewhere:
- schools may need to invest in new security measures
- staff time will be taken up with dealing with the breach (senior management, communications and IT)
- the wider staffing body may be unable to carry out their activities
- students may be unable to receive their full, rich curriculum program.
There’s near universal recognition in educational establishments (over 9 in 10), that cyber security is a high priority. This has likely come about following months of remote teaching and learning.
Awareness of cyber security guidance and initiatives
There are many forms of guidance and initiatives out there to support the drive for improved cyber security in education. These include:
- The government’s Cyber Aware campaign
- The Cyber Essentials accreditation scheme
- The 10 Steps to Cyber Security guidance
- The NCSC’s Board Toolkit (aimed at senior managers and not widely promoted to education)
- The NCSC’s 2020 guidance on homeworking and video conferencing.
Of those responding to the Cyber Security Breaches Survey 2021, awareness of the above collectively was at its lowest in primary schools. This increased at the secondary level and was at its highest in further education. One of the most startling figures was a 7% awareness of Cyber Essentials amongst primary schools, rising only to 30% in secondary.
Many different tools can be used in securing a school. Having a framework to follow is a hugely helpful method to ensuring nothing gets missed. Cyber Essentials is a simple yet effective government backed scheme. It helps protect an organisation against some of the most common cyber threats.
Secure your school against cyber attacks with Cyber Essentials
Many cyber attacks are, in reality, untargeted. They point their tools at large amounts of devices, services, users at once, aiming to get lucky with a hit. From here, they may either attack in one go, or build up lots of little attacks exploiting weaknesses. These could be anything from legacy devices with out of date operating systems to poorly configured firewalls.
Estimates suggest simple security controls prevent around 80% of cyber attacks. There are two possible levels of certification: Cyber Essentials and Cyber Essentials Plus. Both are valid for one year.
Cyber Essentials is a verified self-assessment. Cyber Essentials Plus is externally tested by a qualified assessor. For both, there are five technical controls that organisations should have in place:
- access control
- boundary firewalls and Internet gateways
- malware protection
- patch management
- secure configuration.
The process of getting certified to Cyber Essentials gives a clear picture of an organisation’s cyber security. It shows what is good and where to improve. Cyber Essentials testing is applied to all devices in a school, both fixed on-site and those taken remotely off site. For example, all devices that connect to the internet at any point are to be protected with a firewall. The scheme also addresses who has access to what data and services. The intent is to minimise the potential damage that could be done if an account is misused or stolen. Accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role.
As an added perk, certification also includes automatic cyber liability insurance. This applies to UK based institutions who have funding arrangements of under £20m and include the whole school in the scope of the assessment. The total liability limit is £25,000.
Find out more about the scheme on our dedicated Cyber Essentials page. You’re welcome to download and share the informational posters with your colleagues.
Don’t become the next news story – get secure and stay secure
M-Tech have worked in the education sector for decades. We are one of the professional organisations trained and licensed to deliver the Cyber Essentials scheme. We can provide you with support in getting ready to meet the requirements and work with you to form a complete security strategy if required. Don’t leave it ‘til it’s too late, take your cyber security seriously. Drop us a message or give us a ring on 01323 404040.