Protecting schools from online attacks

With cyber attacks an increasing worry for schools, John Jackson, CEO at London Grid for Learning – a not-for-profit community of over 3,000 UK schools – discusses what senior leaders can do to ensure they stay cyber safe now and in the future

In just 30 years the internet has transformed the world in more ways than anyone could ever have predicted. This includes within our schools in the way children learn, interact and discover information.
    
The downside to this incredible tool comes when it is abused by individuals with malicious intentions. Grooming, cyberbullying and extremist recruitment are well documented examples of the darker ways individuals or groups have used the internet to their advantage. In more recent months, headlines have covered the rise of cyber attacks in the education and public sectors with the Distributed Denial of Service (DDoS) attacks on the NHS and more recently hoax bomb phishing emails demanding money from schools.
    
In order to protect themselves from these threats, schools are finding it necessary to step-up their online protection. However, with increasingly tight budgets and numerous demands on funding, knowing the right tools and software to invest in is no easy task, particularly for schools without extensive knowledge of the cybersecurity world.
    
To help schools protect themselves, we at LGfL have increased our offering with added software, training and resources provided to our schools at no additional cost. For those still looking for advice, take a look at the following tips for an overview of some of the policies you can quickly put in place to help your school remain cybersafe.

Assign responsibility

Attributing responsibility for cybersecurity to one lead member of staff is the first step to becoming cyber-savvy. This person can then be charged with evaluating the school’s current solutions, keeping systems up to date with the latest upgrades and determining if additional protection is required. Putting one colleague in the driving seat of this initiative is more likely to lead to you achieving your outcomes than sharing responsibility jointly across your senior leadership team who, aside from not being experts, are far too time-pressured to manage security to the standard required.

Challenge your provider

An absolute essential is to make sure your external IT supplier has the skills and capacity to support you effectively. Your cybersecurity lead should be at the forefront of challenging your current provider to make sure they’re providing you with the most up-to-date protection available. Topics they should address include what level of fire-walling companies have in place and the anti-virus and anti-malware software they provide. All internet providers should also have proactive monitoring in place so they’re able to alert you to any attacks on the school rather than the other way around. Not only should they be providing these precautions as part of your package, providers should also be delivering effective training and full-time support to ensure that you’re utilising the technology fully.  

Patching policy

With security vulnerabilities discovered daily you must have a patching policy in place as part of your school IT network management. Patch management involves ensuring that your network is constantly updated with the latest patches, updates and security fixes. Whilst somewhat tedious, if done effectively a patching policy will ensure attackers aren’t able to exploit security holes in your IT system. An effective policy to manage patches should cover the time period they must be installed (i.e. within 30 days), who is responsible for installing them and monitoring exceptions (such as devices which rely on precise software versions). Having these processes in place will help to make what can be an overwhelming task manageable.

Unsolicited emails

Reporting unsolicited emails is another must. As senior leaders this is something all staff must be encouraged to do. Your email provider should allow you to report email as spam and commercial organisations have an obligation to allow you to unsubscribe to marketing or promotional material. If you are receiving a large amount of unsolicited messaging, contact your provider and ensure that they stop this from happening. There are numerous examples of viruses which have spread through email and of hoaxes committed by individuals attempting to extort money from unwitting recipients so this is an obvious but important point to stay on top of.

Invest in your staff

You should also ensure you’re making the most of your number one asset – your staff! This means ensuring that all staff with any responsibility for cybersecurity have access to high-quality training and CPD. At LGfL we’re aware that technology can often fail to deliver the intended benefits at the speed envisaged, generally due to an absence of support for the necessary changes needed in leadership, skills and pedagogy.
    
To help counter this we’ve teamed up with world leaders in education pedagogy Microsoft and Google to partner with us in delivering training and developing professional networks where teachers can effectively support each other. We’re also identifying champion schools to stand as leaders and examples of best practise for other schools who wish to improve.  
    
Of course external CPD needs to be underpinned by robust support in school so that the benefits of off-site training can continue to be felt on returning to the classroom. To support our new CPD initiatives we’ve created our ‘LGfL TV’ portal which we designed specifically to support senior leaders in the necessary change management processes needed to bring about change in schools.

Pupil awareness

As well as educating teachers, it’s crucial we don’t neglect to train our students about the importance of cybersecurity. One great way to start conversations with pupils is with the LGfL TRUSTnet ‘Cyber Security’ resource. The ‘Data to Go’ video from module one makes a striking point about how human behaviour constitutes the biggest weakness in any system and demonstrates to pupils how easy we sometimes make it for criminals to get hold of our personal information.
    
As cyber attacks become more common and increasingly sophisticated, the UK government has stressed the importance of getting children interested in subjects such as Computer Science in order to train more professionals for the cybersecurity industry. With the National Crime Agency reporting a rise in the number of teenagers becoming involved in cyber crime, it’s essential that we not only equip young people to be capable users of technology but to undertand the consequences of their online activity – both for themselves and others.  

Collaboration

Working together with other schools is an essential way of promoting best practice. At LGfL we have developed Cyber Protect, our groundbreaking initiative to create an online Centre of Excellence for cybersecurity for schools. The new centre, which will sit within LGfL’s existing site, will provide the best possible protection from increasingly complex and sophisticated cyber threats though collaboration, threat management and partnerships with schools, industry and government leaders.
    
Finally, keep in mind that cybersecurity isn’t something you should be losing sleep over. There are numerous policies in place as well as software available to help protect you from differing levels of threat. The most important thing is to make sure that your IT provider is ready to work with you to mitigate the risks and that you have internal policies in place to help manage your IT security.

 

Further Information: