Boosting your cyber resilience

With an increase in the number of cyber attacks on educational settings, we examine the range of free tools and resources available for schools to improve their resilience

Hardenhuish School in Chippenham, Wiltshire, is the latest school to have been hit by a cyber incident, where hackers gained access to IT systems and demanded a ransom in return for restored access.
    
In January, a number of schools and universities were hit in separate attacks, with highly confidential documents from 14 schools leaked online by hackers.
    
The schools were targeted by a hacking group called Vice Society, who makes demands for money before leaking the documents if payment is not made.
    
The documents leaked are reported to have included children’s SEN information, child passport scans, staff pay scales and contract details, stolen in 2022.
    
One of schools affected was Pates Grammar School in Gloucestershire. Leaked information included one folder marked “passports” contains passport scans for pupils and parents on school trips going back to 2011, whereas another marked “contract” contains contractual offers made to staff alongside teaching documents.
    
Another folder marked “confidential” contained documents on the headmaster’s pay, and student bursary fund recipients.

The Cyber Security Schools Audit
These examples show that schools are a desirable target for online criminals.
    
To give a snapshot of schools’ current systems, protections, training needs and preparedness for a cyber incident, the 2022 Cyber Security Schools Audit was published by the National Cyber Security Centre (NCSC) and LGfL-The National Grid for Learning.
    
It showed that just over half of schools – 53 per cent – said they felt prepared for a cyber incident. This compares to 49 per cent in 2019. And staff training of non-IT staff in cyber security has increased from 35 per cent in 2019 to 55 per cent in 2022.
    
The awareness of phishing in schools increased from 69 per cent to 73 per cent, and 90 per cent of schools have at least one of the following in place: a cyber security policy, a risk register or a business continuity plan. A third of schools now have all three.

Worryingly, the report shows that a substantial number of schools (78 per cent) had experienced at least one type of cyber incident with seven per cent experiencing significant disruption as a result. For example, 21 per cent of schools had experienced a malware and/or ransomware attack and 18 per cent had experienced periods with no access to important information.
    
Encouragingly, all schools surveyed now have Firewall and 99 per cent have antivirus protection.
    
Schools continue to need to focus on improvements to security with four per cent having no back-up facilities, 26 per cent not implementing multi-factor authentication and 25 per cent not limiting staff access to USB devices.
 
In 2019, no school recorded a parent losing money due to a cyber incident, but in 2022 six schools reported they had.

Sarah Lyons, deputy director for economy & society, NCSC, said in the foreword to the report: “Our schools rely so much on the myriad of data required to run efficiently, including sensitive data on students, parents, governors and staff and yet more work is still to be done to support the cyber security around these essential services. The National Cyber Security Centre has been working with schools and the education sector to provide free tools and guidance to help schools manage their cyber risks effectively and supporting them to keep this valuable information safe.”

Free tools and advice
The National Cyber Security Centre (NCSC) has developed two services that help organisations identify potential cyber security issues and fix them promptly: Mail Check and Web Check.
    
The Web Check service scans websites to check for common, significant vulnerabilities and sends a report to organisations flagging any issues according to severity alongside advice on how to fix the problems.
     
Mail Check meanwhile is designed to help technical teams assess and improve two areas of email security: anti-spoofing controls to prevent attackers sending emails pretending to be from your organisation, and email privacy measures to prevent data being altered or read in transit.
    
NCSC’s Sarah Lyons said: “Technology plays a central role to the way schools operate, so it’s vital they have the right controls in place to identify security issues and fix them promptly.  
    
“By signing up to our pioneering Mail Check and Web Check services, schools can help to defend their email servers and websites from common cyber threats with a few actionable steps.
     
“We strongly encourage schools to use these free tools to help make the most of modern technology in as safe a way as possible.”

Cyber security toolkit
Charity LGfL-The National Grid for Learning has launched a new, free resource called the Elevate Cybersecurity Toolkit for Schools. It comprises a collection of key documents that schools can use to improve their cybersecurity and also use as a foundation for attaining Cyber Essentials Certification – a foundation level certification designed to provide a statement of the basic controls they should have in place to mitigate the risk from common cyber threats.
     
The documents include a CyberSecurity Policy Template, which outlines the school’s guidelines and security provisions that are there to protect its systems, services, and data in the event of a cyberattack.
     
The Incident Response Plan can be used as a starting point for planning recovery from a ransomware attack, or any other kind of unforeseen outage.
     
There is also an Example Risk Register that can be used to assess, evaluate, prioritise and manage cybersecurity risks. This can be used by the school’s senior leadership team to report to governors on how they are proactively managing risks and improving cybersecurity.
     
An Example Asset Register is available that can be used as a starting point to inventory the equipment used in the school. It sounds obvious, but it’s impossible to be secure if you don’t know what you have.
     
There is also an Example Software Register, which can be used to record which software/systems a school has and whether they hold confidential information. This can be used to complement the Incident Response Plan for prioritising the recovery of services.
     
Commenting on the new resource, Dinesh Seegobin, head of ICT at STEP Academy Trust, said: “We all know that being aware of cybersecurity is critical but how many of us can claim to be experts? In addition, there is so much information out there to digest, where do you begin? This is where, yet again, LGfL has come to our rescue. The Elevate Cybersecurity Toolkit is an absolute game changer. A one-stop shop to help get you on track backed up with all the weight of industry experts.”