Incidents of cyber attack in the education sector are on the rise. So what should schools do? Gareth Jelley, product security manager at edtech charity LGfL-The National Grid for Learning, shares some advice.
Incidents of cyber attack in the education sector are on the rise. So what should schools do? Gareth Jelley, product security manager at edtech charity LGfL-The National Grid for Learning, shares some advice.
According to the BBC, figures released by the Information Commissioner’s Office (ICO) show 347 cyber incidents were reported in the education and childcare sector in 2023 – an increase of 55 per cent on 2022, and government data suggests most schools and colleges have identified a cyber-security breach in the past year. So what should schools do? Here Gareth Jelley, product security manager at edtech charity LGfL-The National Grid for Learning, highlights some key points that schools need to address in the near future and some more general advice on how to protect themselves. But first, let’s review some emerging trends.
Attacks through remotely accessible systems
Over the past year, we have witnessed an increase in the number of schools experiencing attacks through their remotely accessible systems. Schools commonly use remote desktop services to allow staff access to internal resources. As the majority of these do not require multifactor authentication, attackers can easily gain access to school networks by using simple techniques. They can use brute force password attacks, password spraying or successful phishing attacks to log onto the server from the internet, and then launch their attack from inside the network. Multi-factor authentication remains one of the best defences for schools and is becoming more widely used, but is still not in use everywhere.
Aging software
Did you know that Microsoft will end support for Windows 10 on 14th October 2025? Extended support will be available, but schools will need to pay for this. Software updates provide more than new and improved features and speed enhancements to make the end-user experience better, they also contain critical security updates to protect against known vulnerabilities.
Security vendors are also likely to increase their costs to support Windows 10 after this date, so schools will need to plan to replace aging equipment, or to budget for increased licence costs.
Ineffective cyber response plans
According to the 2022 National Cyber Security Centre (NCSC) Audit, 50 per cent of schools don’t have an effective Cyber Response Plan.
Where schools do have a plan, it can frequently miss key information such as how to access admin passwords/encryption keys in the event of an attack, clear guidelines on how to restore systems, and who to notify in the event of an attack, e.g. your cyber insurance provider. Where schools do have plans, they may not have completed a table top exercise to review them. The NCSC has free exercises for this called Exercise in a Box, which is an online resource which helps organisations test and practise their response to a cyber-attack. It is completely free and you don’t have to be an expert to use it.
A disconnect between the senior leadership and technical support
And lastly, we frequently see a disconnect between the senior leadership team and technical support in schools. Planning for cyber threats and risk management activities should be a collaborative effort.
So where is the best place to start?
If you are keen to reduce the risk of a cyber-attack, a great place to start is the Department for Education’s guidance for schools – Cyber security standards for schools and colleges – which outlines the standards that your school or college should meet on cyber security and user
accounts.
The guidance highlights that cyber incidents and attacks have significant operational and financial impacts on schools and colleges. These incidents or attacks will often be an intentional and unauthorised attempt to access, change or damage data and digital technology. They could be made by a person, group, or organisation outside or inside the school or college and can lead to safeguarding issues due to sensitive personal data being compromised, as well as have significant and lasting disruption, including the risk of repeated future cyber incidents and attacks, including school or college closure. It also risks financial loss, reputational damage, and can have an impact on student outcomes.
What action should schools take?
Here is a quick outline of the latest guidance from the Department for Education.
Firstly, conduct a cyber risk assessment annually and review it every term. It’s really important to understand the risks associated with your hardware, software and data if you are to keep students, staff and the wider school or college community safe. Start by identifying weaknesses and put processes in place to help reduce risk. Secure systems to make them more resilient to attacks and prepare a cyber response plan to be implemented quickly in the event of a serious incident to minimise any impact to the school or college.
Create a risk management process and cyber response plan
Start by creating a risk register – collectively identify, analyse, and solve risks before they become problems and place into a regularly tested business continuity plan.
Keep cloud-based and hard copies of your plan/documentation.
Prepare a Cybersecurity Incident Response Plan including instructions on how to respond to a serious security incident, such as a data breach, data leak, ransomware attack, or loss of sensitive information.
Finally, put in place a risk protection arrangement (RPA) cover.
Secure digital technology and data with anti-malware and a firewall
Protect your digital technology and data with anti-malware – a type of software program created to protect information technology (IT) systems and individual computers from malicious software, or malware; and also a firewall – a cybersecurity solution that protects your computer or network from unwanted traffic coming in or going out.
Control and secure user accounts and access privileges
Implement Role-Based Access Control (RBAC) where the level of access to the network is determined by each person’s role within the school, and employees are only allowed to access the information necessary to effectively perform their duties. Access can be based on several factors, such as authority, responsibility, and job competency. In addition, access to computer resources can be limited to specific tasks such as the ability to view, create, or modify a file.
License digital technology and keep it up to date
Replace software and systems that no longer receive regular security updates from their vendors, as this could impact the level of security afforded. And download security patches – software and operating system (OS) updates that address security vulnerabilities within a program or product – as soon as possible to help resolve hardware, operating systems and application vulnerabilities that could be exploited by hackers.
Develop a plan to back-up your data and review this every year
Keep your data in different physical locations (including the cloud) so that you can reinstall current data should a cyber-attack take place. The National Cyber Security Centre (NCSC) advises schools to make three copies of their data, two of which are on separate devices and one of which is offsite which could include a cloud backup service.
Report cyber attacks
If you have been asked for a ransom, or are a victim of cybercrime, contact Action Fraud, the UK’s national reporting centre for fraud and cybercrime and a central point of contact for information about fraud and financially motivated internet crime.
Further Information:A new report by the Institute for Fiscal Studies has found that the number of school pupils with EHCPs has risen by 180,000 or 71% between 2018 and 2024.
A new report highlights the systemic inequities that hinder the success and wellbeing of black pupils, parents, and teachers in the UK.
This figure was found by comparing GP registrations with school registrations and data on pupils in registered home education for the first time.
Bright Start Breakfasts will help more primary school children get a healthy start to the day and provide families with more morning childcare.
The Let's Go Zero campaign has delivered top tips on how to have more eco-friendly celebrations.