How to protect your digital estate

Like the physical aspects in a school – fences, gates and buildings – a school’s digital estate needs to be properly secured to protect students, staff and the school from cyber threats. Sarah Lyons from the National Cyber Security Centre shares some advice

Every day, schools and colleges reap the benefits of using technology, from helping teaching in the classroom to facilitating admin tasks that keep education running smoothly.
Reliance on online tools may have increased gradually, especially during the pandemic when many schools turned to remote learning, but now more schools than ever depend on internet-connected services and are growing their ‘digital estates’.
Like the physical aspects in a school – fences, gates and buildings – a school’s digital estate needs to be properly secured to protect students, staff and the school from cyber threats and risks.
At the National Cyber Security Centre (NCSC), a part of GCHQ, we work closely with the schools sector to understand what the online risks are and offer advice on how to effectively manage them.
We have produced a raft of guidance and tools to help schools – from leaders to teachers to IT support staff – improve their cyber security. And by following a few practical steps, schools can significantly reduce their risk of falling victim to a harmful incident and stay safe online.

Fostering a positive culture

Cyber risks can come in many different forms so it’s important school staff know what to stay vigilant for. And at a senior level, leaders should understand what their digital estate looks like, so they can identify potential vulnerabilities and dependencies.
Some cyber-related incidents are accidental. For example, a pupil or staff member might accidentally click on a dodgy link hidden in a phishing email leading to malware being downloaded. Or a fire or flood that causes damage physically could also have long-term, serious digital ramifications if the school’s data has not been backed up.
However, as with all incidents, schools can help to mitigate them by promoting good staff awareness and a positive cyber hygiene culture. Staff and students should be encouraged to report to their IT support team anything that looks suspicious or when they might have negatively impacted the school’s cyber security.
The NCSC’s free cyber security training for school staff package offers some practical advice to help with this, including identifying common signs in phishing messages. We have also published  guidance for governors, offering questions they should be asking to gain effective oversight of cyber security.

Threat from ransomware

Unfortunately, schools can also experience malicious incidents and the most common come from cyber criminals, with ransomware posing an ongoing threat to the sector.
Successful ransomware attacks, where a victim is locked out from their computer systems until a ransom is paid, can have severe impacts on an organisation, affecting finances, reputation and ability to deliver key services.
Since 2020, the NCSC has issued three ransomware alerts to the education sector warning schools, colleges and universities of an increase in attacks, and in one spate of attacks more than 80 schools were affected.
While the evidence does not suggest schools are being specifically targeted over other sectors, we know criminals scan the internet looking for organisations with weak security defences.
That’s why it’s essential schools take action to harden their defences; by raising their level of resilience, they can make themselves less of a target.
Backing up your data is paramount. As a cyber incident could happen at any time, having a recent back-up available offline can be the difference between a quick recovery and extended periods of disruption or data being permanently lost.

It’s worth also being alert to the possibility of incidents coming from within the school. For example, the NCSC is aware of an incident where a pupil used a teacher’s password left on a post-it note to access records and change their grades, and in another case a member of IT staff accessed school systems from home while they were suspended.

These kinds of incident are thankfully rare but raise serious safeguarding concerns so it’s important to be aware and ensure staff and pupils only have access to systems they need to use.

Why are schools at risk?

As many cyber criminals are motivated by financial gain, schools can seem like an attractive target because they hold lots of sensitive data about pupils, parents and staff, which criminals can find valuable for setting up fake bank accounts and reselling details online.
Criminals also know that schools carry out lots of financial transactions, often with just a few individual staff signing off on them. This means they might only need to target one or two individuals in charge of finances in order to con money from the school.
Cyber security training is therefore relevant to all staff members, so everyone can play a part in boosting overall resilience.

Fixing weaknesses

It’s also important to identify and address vulnerabilities that could put school systems at risk.
Earlier this year, we rolled out two cyber defence tools for schools, our free Mail Check and Web Check services, which help organisations identify potential cyber security issues affecting their email servers and websites so technical support staff can fix them promptly.
Available for sign up via the NCSC website, these tools are designed to help schools stay on top of potential weaknesses, and they’ve already been benefiting further education colleges and universities.
In one case, Mail Check helped a university significantly reduce email spoofing, where attackers exploit an organisation’s email server and send out malicious emails pretending to be from them. Spoofing went down by 99 per cent in just two weeks thanks to the service.
And a recent Web Check scan of 10,800 college and university web domains showed the service had alerted users to more than 2,700 urgent findings. After being prompted with NCSC advice, users managed to fix more than 92 per cent of these.

Taking a proactive attitude to fixing vulnerabilities should be applied to all technology. As schools grow their digital estates, it is essential software updates are being applied to prevent vulnerabilities being exploited, especially on older equipment that may run software that is more vulnerable to attacks.

Collective approach

With technology central to how schools run, cyber security simply cannot be overlooked and everyone in the school community can play a part in defending against cyber threats.

It should be a collective effort to boost resilience, with school leaders setting the agenda, IT support staff helping to put technical protective measures in place, and staff fostering a positive environment for identifying and reporting suspicious activity.
Parents can play a role in reinforcing this at home too. A good place to start is with the NCSC’s Cyber Aware campaign, which offers top tips on how individuals and families can protect themselves online, including advice on how to create a strong password and turn on 2-step verification on important accounts.
There are also educational resources for children available on the NCSC website. Our Cyber Sprinters online game and activities are aimed at 7 to 11-year-olds and designed to give them a head start by demonstrating what good security looks like.
And if pupils are interested in pursuing their interests further, we strongly encourage teachers to explore what’s on offer through our CyberFirst programme, which gives young people a chance to explore cyber security through free online courses and our flagship CyberFirst Girls Competition.