A focus on cyber security

We began the Autumn term with the first in our series of ‘Focus on’ events. As a starting point, we chose to discuss cyber resilience, which is so vitally important for leaders at schools and Trusts to understand.

Victoria Bott, Computing and Online Safety Teacher Consultant at Entrust, led our webinar on Wednesday 28^th September and explained how leaders can improve their cyber resilience – the ability to prepare, respond and recover from cyber-attacks and security breaches.

The top three reported cyber-attacks on schools, colleges and universities are:

• Phishing
• Others impersonating the organisation in emails or online
• Virus, spyware or malware

Why are schools targeted?

Schools are targeted by cyber criminals because they are data rich and tend to have weak systems in place compared to commercial organisations. The impact can be devastating, causing financial damage and mass disruption to recover from. If your school is targeted you could be forced to close because your safeguarding systems and data are inaccessible, which will require IT professionals to rebuild. Consider all the systems and data that could be affected; all of your IT infrastructure such as laptops, servers, whiteboards, online registers, payment systems and safeguarding records are at risk. 

Your school has a statutory duty to ensure you have the appropriate level of security protection procedures in place to safeguard your systems, staff and learners. You also need to review the effectiveness of these procedures periodically to keep up with evolving cyber-crime technologies and to remain compliant with the UK GDPR and Data Protection Act 2018 around the security of personal data.

Schools are also seeing an increase from insider threats with young people targeting the school they attend. According to Cyber Security Schools Audit (2019) 20% of schools have reported that a pupil has been able to access parts of their network. This behaviour contravenes the Computer Misuse Act and is a safeguarding risk involving young people.  Statistics from the National Crime Agency show that average age of arrest of a cyber-criminal has decreased from 17 in 2019 to 15 in 2022, and that’s just the age of arrest; young people can become involved with cyber incidents when they are much younger. If you spot any individuals who show a ‘talent’ in the area of cyber dependant crime you should refer them to the Cyber Choices programme as stated in Keeping Children Safe in Education 2022.

Back-ups are your greatest friend

Recovering from a cyber attack takes time, as technicians need to scan every device for the malware, remove the malware from each device, rebuild the image and restore the data from a back-up. This is why back-ups are your greatest friend in the event of a cyber incident, as long as they are up to date and a copy is stored safely offline, they will aid recovery time. However, just think how many laptops, computers and servers your school has and the length of time it would take to scan them all. Your school may have to close, and the scale of the attack may also prevent you from reverting to online learning, which will affect the learning outcomes for your students.

Victoria talked through what needs to be considered in a school security strategy, such as training, risk assessment, patch management and vulnerabilities, and the importance of using specialist providers, such as Entrust, to manage your IT infrastructure.

Victoria also explained the importance of having cyber insurance (and making sure you understand its terms and conditions), as well as signing up to free schemes such as the Cyber Information Sharing Partnership and Early Warning Service from the National Cyber Security Centre and the Police Cyber Alarm.

Sign-up to our full cyber training course

We received great feedback from those on the session and will ensure we schedule another one soon. However, there is only so much we can cover in hour. Our full-day cyber courses are designed to give you and your governors more time to explore cyber risks and preventive measures you can take.

Our next Cyber Safety course for governing bodies is on 10^th November.

Our next Cyber Security course is on 30^th November.

To find out more about the other events we have planned in our ‘Focus on’ series, click here.