Best Practice

Cyber-security: Key points for schools to address

Cyber-incidents targeting schools are on the rise. Expert Gareth Jelley outlines some key points for schools to address, along with broader recommendations for improving online security to safeguard against attacks.

Figures from the Information Commissioner’s Office (ICO, 2024) reveal a worrying rise in cyber-incidents within the education and childcare sector, with 354 cases reported in 2023 – up from 224 the previous year.

Government data also indicates that, in the past year, the majority of schools and colleges experienced a cyber-security breach (DSIT, 2024). Given this landscape, what steps should schools take to protect themselves?

First, let’s examine some emerging trends in cyber-security for schools.

 

Cyber-attackers exploiting remote access systems

Over the past year we have witnessed an increase in the number of schools experiencing attacks through their remotely accessible systems.

Schools commonly use remote desktop services to allow staff access to internal resources. As the majority of these do not require multi-factor authentication, attackers can easily gain access to school networks by using simple techniques.

They can use brute force password attacks, password spraying or successful phishing attacks to log on to the server from the internet, and then launch their attack from inside the network.

Multi-factor authentication remains one of the best defences for schools and is becoming more widely used – but is still not in use everywhere.
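As an added illustration (not part of the original article), the Python example below shows how IT support could tell the two password-guessing patterns named above apart in a log of failed remote-desktop logons. The event format, thresholds, function name and sample data are all assumptions made for this example; on Windows the records would typically come from Security event ID 4625.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 15, 2, 0, 0)
# Constructed sample data: (timestamp, source IP, username) for each failed logon.
SAMPLE_EVENTS = (
    # one source hammering a single account (brute force)
    [(BASE + timedelta(seconds=5 * i), "203.0.113.10", "office.admin") for i in range(30)]
    # one source trying a common password across 12 accounts (password spraying)
    + [(BASE + timedelta(seconds=40 * i), "198.51.100.7", f"teacher{i % 12:02d}") for i in range(18)]
    # a member of staff mistyping a password twice (benign)
    + [(BASE + timedelta(minutes=3 * i), "192.0.2.44", "j.smith") for i in range(2)]
)

def classify_sources(events, window=timedelta(minutes=30),
                     spray_accounts=8, brute_attempts=20):
    """Return {source_ip: label} for sources whose failures inside any
    sliding time window look like spraying or brute force.
    The thresholds are illustrative assumptions, not official guidance."""
    by_source = defaultdict(list)
    for ts, ip, user in events:
        by_source[ip].append((ts, user))

    findings = {}
    for ip, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # move the window start forward so it never spans more than `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in rows[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= spray_accounts:
                # many different accounts, few guesses each
                findings[ip] = "password spraying"
                break
            if max(per_user.values()) >= brute_attempts:
                # many guesses against one account
                findings[ip] = "brute force"
                break
    return findings

if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {label}")
```

Password spraying stays under per-account lockout limits, which is why the check counts distinct accounts per source rather than failures per account.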

 

The hidden costs of ageing software

Microsoft will end support for Windows 10 on October 14, 2025. Extended support will be available, but schools will need to pay for this.

Software updates provide more than new and improved features and speed enhancements that make the end-user experience better; they also contain critical security updates to protect against known vulnerabilities.

Security vendors are also likely to increase their costs to support Windows 10 after this date, so schools will need to plan to replace ageing equipment, or budget for increased licence costs.

 

Ineffective cyber-response plans

The National Cyber Security Centre Audit (NCSC, 2023) – which among other things revealed the most common types of cyber-attack experienced by schools – found that 50% of schools don't have an effective Cyber Response Plan. Where schools do have a plan, it can frequently miss key information such as how to access admin passwords/encryption keys in the event of an attack, clear guidelines on how to restore systems, and who to notify in the event of an attack (e.g. your cyber insurance provider).

Where schools do have plans, they may not have completed a tabletop exercise to review them. The NCSC offers exercises for this called Exercise in a Box (see further information), an online resource which helps organisations test and practise their response to a cyber-attack. It is free and you don’t have to be an expert to use it.

 

Strong partnerships between leadership teams and IT support

Planning for cyber-threats and risk-management activities needs to be a collaborative effort between the senior leadership team and IT support. This partnership is essential for several reasons:

  • Comprehensive understanding of risks: Senior leaders possess valuable insights into the school’s strategic goals, operations, and resources, while IT support brings technical expertise and knowledge of potential vulnerabilities. By working together, you can identify and assess the unique cyber-risks faced by the school, ensuring that all aspects – both operational and technological – are considered in the planning process.
  • Shared responsibility: Cyber-security should not be viewed as solely the responsibility of the IT department. When senior leadership is actively involved, it fosters a culture of shared responsibility across the school, encouraging staff to also prioritise cyber-security.
  • Effective communication and training: Senior leaders can advocate for necessary training and awareness programmes, ensuring that all staff understand their role in preventing and responding to cyber-incidents, leading to more effective implementation of security measures and quicker response times during an incident.
  • Development of robust response plans: Senior leaders can help define the scope of these plans based on the school’s unique context, while IT professionals can provide the technical details necessary for execution.
  • Resource allocation: By understanding the risks and the importance of cyber-security, leadership can ensure investment in tools, training, and infrastructure for effective risk management.
  • Continuous improvement: Cyber-threats are constantly evolving, making it vital to regularly review and update cyber-security strategies. A collaborative approach allows for continuous feedback and improvement, as both leadership and IT share insights from incidents, emerging threats, and advancements in technology.

 

The cyber-security standards

To reduce the risk of a cyber-attack, a good place to start is the Department for Education guidance Cyber-security standards for schools and colleges (DfE, 2022) which outlines the standards that your school should meet on cyber-security and user accounts.

The guidance highlights that cyber-incidents and attacks have significant operational and financial impacts on schools. These incidents or attacks will often be an intentional and unauthorised attempt to access, change or damage data and digital technology. They could be made by a person, group, or organisation outside or inside the school and can lead to:

  • Safeguarding issues due to sensitive personal data being compromised.
  • Impact on student outcomes.
  • A significant data breach.
  • Significant and lasting disruption, including school closure and the risk of repeated future cyber-incidents and attacks.
  • Financial loss.
  • Reputational damage.

So what action should a school take? Here is an outline of the guidance from the Department for Education.

Conduct an annual cyber risk assessment and termly review: It is crucial to understand the risks associated with your hardware, software and data if you are to keep students, staff and the wider school community safe. Start by identifying weaknesses and put processes in place to help reduce risk, secure systems to make them more resilient to attacks, and prepare a cyber response plan to be implemented quickly in the event of a serious incident to minimise any impact.

Create a risk management process and cyber response plan:

  • Start by creating a risk register – collectively identify, analyse, and resolve risks before they become problems, and incorporate the register into a regularly tested business continuity plan.
  • Keep cloud-based and hard copies of your plan/documentation.
  • Prepare a cyber-security incident response plan including instructions on how to respond to a serious security incident, such as a data breach, data leak, ransomware attack, or loss of sensitive information.
  • If possible, buy into the risk protection arrangement (RPA) cover.

Secure digital technology and data with anti-malware and a firewall: Protect your digital technology and data with anti-malware (a type of software program created to protect information technology systems and individual computers from malicious software, or malware) and a firewall (a cyber-security solution that protects your computer or network from unwanted traffic coming in or going out).

Control and secure user accounts and access privileges: Implement role-based access control (RBAC) where the level of access to the network is determined by each person’s role within the school, and employees are only allowed to access the information necessary to effectively perform their duties. Access can be based on several factors, such as authority, responsibility, and job competency. In addition, access to computer resources can be limited to specific tasks such as the ability to view, create, or modify a file.

License digital technology and keep it up-to-date: Replace software and systems that no longer receive regular security updates from their vendors, as this could impact the level of security afforded. Download security patches – software and operating system (OS) updates that address security vulnerabilities within a program or product – as soon as possible to help resolve vulnerabilities in hardware, operating systems and applications that could be exploited by hackers.

Develop and implement a plan to back-up your data and review this every year: Keep your back-ups in different physical locations (as well as the cloud) so that you can reinstall current data should a cyber-attack take place. The NCSC advises schools to make three copies of their data, two of which are on separate devices and one of which is offsite (this could include a cloud back-up service).

Report cyber-attacks: If you have been asked for a ransom, or are a victim of cyber-crime, contact Action Fraud, the UK's national reporting centre for fraud and cyber-crime and a central point of contact for information about fraud and financially motivated internet crime (see further information).

 

Final thoughts

As cyber-threats continue to evolve, it is crucial for schools to adopt proactive security measures. Conducting routine risk assessments, managing access privileges, and fortifying systems with up-to-date anti-malware and firewalls are essential steps. Keeping all technology licensed and current, alongside well-defined back-up and incident response plans, strengthens your school’s defences against potential attack.

By aligning with the DfE’s guidance and fostering a strong cyber-security culture, schools can more effectively safeguard the personal data and digital wellbeing of students, staff, and the wider school community.

  • Gareth Jelley is the product security manager with edtech charity LGfL – The National Grid for Learning. Visit https://lgfl.net/  

 

Further information & resources