Focus on Cyber Essentials for the Education Sector

That the Education sector faces major challenges is not news to most. Issues such as a lack of staffing and a lack of funding and resources are well known and persistent. But now UK Schools and Further Education are facing another challenge — cyber-attacks.

In this article, we’ll be focussing on one way to mitigate against cyber-attacks for Schools and other educational organisations, the Cyber Essentials Standard.

A Brief History of the Cyber Essentials Standard

In 2014, the British government recognised the enormous risk posed by cyber-attacks to organisations working with their departments as suppliers and partners. They also recognised that most of these risks could be avoided by following a set of basic security measures. In response, they launched the Cyber Essentials scheme.

This scheme ensures a standard level of cybersecurity, and it has proven to be an extremely effective framework for organisations that need to protect the data of their users and employees (that’s everyone!). A study by Lancaster University demonstrated that by following the guidelines of Cyber Essentials, organisations could protect against 99% of cyber-attacks.

That’s why the government has begun to include Cyber Essentials certification as a requirement for funding in education. With more teachers and students online and smarter, tech-focused teaching methods, the attack surface for educational organisations is larger than ever. Scarce resources and a large bring-your-own-device culture mean educational organisations are vulnerable to targeting by cybercriminals.

What is the Cyber Essentials Standard?

Cyber ‘Essentials’ are exactly that, the essential actions every organisation should take to provide protection from cyber threats. There are 5 primary areas that Cyber Essentials focuses on — though this is expanding as the Standard is reviewed annually.

• Boundary firewalls and internet gateways — that you have a secure internet connection.
• Secure configuration — that you have the most secure settings turned on for all your company devices.
• User access control — that you have full control over who is accessing your data and services.
• Malware protection — that you have protection in place against viruses and malware.
• Patch management — that your devices and software are updated with the latest versions.

Once you understand these basic controls and have them in place, you must fill out a questionnaire confirming your devices meet these criteria. This is a self-assessment which you then sign and submit for review by a certification body.

Why is Cyber Essentials the ‘Standard’ for Cyber Security in the Education Sector?

There are plenty of other reasons you should consider investing in your cybersecurity as an educational institution.

In May 2020, Microsoft Security Intelligence found that 61 percent of nearly 7.7 million enterprise malware encounters came from those in the education sector, making it the most affected industry for cyber-attack.

More recent statistics, coming from the UK’s own National Cyber Security Council (NCSC) and Gov.UK have shown that cyber-attacks against Schools and Further Education have increased drastically over the past 18-months — with a School now even more likely to be targeted by cyber-criminals than a private business.

For more information on this take a look at our last article “Why Cyber Security must be a Priority for Schools In 2021”.

Studies also show the education sector is one of the least protected. Perhaps because the shift online has been so swift, and organisations don’t always have IT teams, in place to safeguard them. Last year, a hacker simulation test proved 100% successful in breaching 50 universities across the country to access student and staff personal data, financial systems, and valuable research networks.

The education sector represents a huge pool of sensitive data, and so it’s not surprising the UK government has already made Cyber Essentials a requirement for Education and Skills Funding.

In January 2020, the UK government included Cyber Essentials in their updated data security requirements for funding awards through the Education and Skills Funding Agreements.

For the 2020 to 2021 funding year, all recipients must meet the requirements for the UK’s Cyber Essentials scheme. Next year, the requirement will include achieving Cyber Essentials Plus certification.

How Can Supreme Systems Help?

Supreme Systems Cyber Essentials Certification service for Schools & Education (one of our CyberSercure.School services) handles every aspect of the Cyber Essentials certification process for you.

We begin by performing a Cyber-Security Audit, with a particular focus on the 5 primary areas that Cyber Essentials requires.

We’ll then work with you to make any changes required for compliance and implement these in a way that does not disrupt the activities of your organisation.

Lastly, we will collate all the necessary information and complete the submission forms.

We guarantee a successful application the first time, usually within just 2 weeks!

Your organisation will then receive a Certificate and digital logos that can be incorporated into your website, email signatures, and so on, demonstrating to your stakeholders that you are Cyber Essentials compliant, and take your cyber-security responsibilities seriously.

Want more advice? If you would like advice on IT for your school, get in touch.