Insight into the Cyber Security Schools Audit

In September, edtech charity LGfL published its audit into school cyber security. Mark Bentley, LGfL safeguarding and cybersecurity manager, shares the report findings.

In September, edtech charity LGfL published the results of the 2019 Cyber Security Schools Audit. Working in partnership with the National Cyber Security Centre (NCSC), part of GCHQ, 432 schools across the UK were surveyed to gain a better understanding of future technology and training needs by examining current systems, protections and preparedness within the education sector. Mark Bentley, LGfL Safeguarding and Cybersecurity Manager, speaks to Education Business about the findings of the report.

At LGfL our mission is to keep children safe and save schools money. Effective provision of cyber protection and training is essential to achieve these aims, which is why we were keen to work with the NCSC to better understand the current state of cyber security within schools.

With ever-rising accountability, squeezed budgets and a demanding curriculum, cyber security preparedness can fall to the bottom of schools’ agendas. However, the Verizon 2019 Data Breach Investigations Report notes that “Education continues to be plagued by errors, social engineering and inadequately secured email credentials.” This vulnerability means schools require support to meet the challenge of a growing and sophisticated threat landscape.

Cyber security incidents

It was no surprise to find that almost all schools (97%) said that losing access to network-connected IT services would cause considerable disruption. 83% of schools experienced at least one cyber security incident – so it’s important that schools are well-prepared for all eventualities.

However, it was encouraging that only 8% of those questioned stated that school life had been extremely disrupted by a cyber-incident, suggesting that the negative ramifications of such occurrences are well managed.

Breakdown of cyber security incidents

The audit found that 69 per cent of schools had suffered a phishing attack (a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication). 35 per cent had experienced periods with no access to important information, while 30 per cent had suffered a malware infection, including viruses or ransomware. 20 per cent reported spoofing attacks (impersonation of school staff emails), and 11 per cent had suffered attempted attacks to take down a website or online services.

Education has a higher click rate for phishing emails than any other sector, so the high proportion of schools who suffered from phishing and spoofing attacks was an issue we expected. This vulnerability is usually due to a lack of technicians onsite to monitor systems. Schools should take measures (and most do) to create a layered defence to ensure most harmful emails are blocked from staff inboxes.

There was only one incident of which no schools were aware: parents losing money due to a cyber-incident involving the school. The proliferation of parent payment systems, as well as increasing numbers of schools going cashless, means the education sector needs to prepare for this possible future threat.

Independent schools are at higher risk of a targeted attack – school fee collections mean a higher perceived monetary reward for criminals. Private schools should ensure they are vigilant in terms of payment system setup and that parents are aware of the potential danger – especially in light of warnings from the Charity Commission that parents are being targeted with false school-fee demands.

Preparation and defence

The audit found that 99 per cent of schools had firewalls in place and 98 per cent had antivirus protections. 85 per cent of schools had a cyber security policy or plan, but only 45 per cent included core IT services in their risk register. Every school had at least one form of technology in place as a defence against breaches. Firewalls – network security systems that monitor and control incoming and outgoing network traffic based on predetermined security rules – are essential to any organisation’s security. Without a firewall, school networks become exposed to potentially catastrophic attacks.

Antivirus, backups and patching (keeping software up to date) followed firewalls as the next three most popular attack-prevention measures, each standard in over 95% of all schools. Schools should ensure that their backups are kept in a different physical location to protect information from vandals, accidents such as fires, and malware attacks which target connected drives. Even the smallest village school should seriously consider moving to off-site, cloud-based backups.

There were key omissions in schools’ defence systems, with low use of mobile-device management systems and two-factor authentication. Additionally, fewer than half of schools included core IT services in their risk register. Having policies in place without a risk audit process may give schools a false sense of security and shows a lack of contingency planning. This is a key action point for schools to work on – the risk register could be considered alongside general emergency planning procedures.

Training

We found that a mere 49% of schools were confident that they were adequately prepared in the event of a cyber-attack or incident. This is clearly something that must be remedied.

Currently only 35% of schools train non-IT staff in cybersecurity, so this should be a top priority for edtech providers such as LGfL – particularly since any school unable to access key data needed to fulfil its safeguarding duties might fail an inspection and end up in ‘Special Measures’. Over 90% of schools would welcome more cybersecurity awareness training for staff – this is something which we must provide.

Humans are often described as the greatest weakness of an organisation. Social engineering (for example tricking people into revealing passwords) is a common cause of many cyber-attacks. It will never be possible to entirely avoid fake emails arriving in inboxes, so it’s vital that schools take action to train all their staff, particularly non-IT professionals, in how to identify and avoid suspicious emails.

Nonetheless, training must not be limited to behavioural awareness. The Egress Insider Data Breach survey 2019 revealed that 36% of insider data breaches resulted from a lack of training on the security tools available. Training must be part of any technology implementation project.

Data protection

Since GDPR came into force in May 2018, schools have been very aware of their duties regarding data access and protection. It is surprising, therefore, to see that levels of non-authorised IT system use are relatively high, especially by pupils (21%). The level of data breaches, at 3%, could potentially be much higher depending on activity of which education settings are unaware. Auditing tools such as GDPRiS, 360data and Wonde can help schools to centrally manage and audit their data.

Beyond GDPR compliance, auditing and reporting processes, it is important that where possible, schools avoid unauthorised access in the first place. Following solid password guidance is always good practice – the NCSC has published strategies on sensible password selection.

Conclusion: next steps for schools and edtech providers

This report demonstrates that many schools take cyber security seriously. Despite this, it is clear that there is more work to do to keep up with this important area, especially regarding training for non-IT staff. It’s crucial to ensure edtech services focus on the personal nature of technology and for government agencies to offer guidance and strategies to help schools improve human and technological resilience.

Awareness of the tools available to schools is also vital, especially for the majority of schools which do not feel equipped for a cyber incident. Schools may want to evaluate the measures listed in the survey which they did not have in place and consider implementing these protections. Senior leadership teams, ICT and safeguarding leads must ensure they understand the current and emerging threat landscape – what are the risks, what protections are in place and what do staff need to do to be ready to face them?