Schools, like all organisations, are reliant on computers and connectivity in 2021 and cyber-security is vital to protect against financial loss and to prevent disruption, but even more critically, to protect students from harm.
In recent times, the already sizeable task of managing data security has increased considerably for schools and when teachers and other school staff work from home, and pupils take part in online learning, the risk of sensitive data leaving the school’s network increases further.
Compounding this, recent UK Government statistics show that the frequency of cyber-attacks against Schools & Further Education has increased significantly over the past few years, with statistics for the 2020/2021 school year showing that 36% of Primary Schools and 58% of Secondary Schools had suffered at the hands of cyber-criminals.
Compare this to statistics showing that 39% of UK Businesses fell victim during the same period, and it is clear to see that “hackers” consider educational organisations as prime targets.
The UK’s Information Commissioner has previously advised schools to be particularly vigilant around information security. It has warned that unauthorised access to personal information would be particularly harmful to pupils; parents and staff; people with a right to seek compensation if the loss of their personal data caused them damage.
The risk of disruption due to cyber-attack is also a very serious consideration: If school resources were to be made inaccessible by a ransomware attack, learning could grind to a halt.
While the risks of malware and data theft are relevant to any organisation with personal data and computers, schools though are particularly exposed to risks relating to online safety, including:
· Exposure to inappropriate content, especially content that is sexually explicit, racist, violent, or extremist in nature.
· Contact from persons who may wish to abuse, exploit, or bully them.
· Students themselves engaging in harmful online behaviour.
Prioritising the physical and online safety of children continues to be a focus for schools’ leadership teams and it’s important that those responsible for the organisation’s IT systems review and implement changes to ensure their online safety.
What are the requirements?
Guidance published by the Department for Education requires that school governors and managers establish “an effective approach to online safety” to “protect and educate the whole school or college community in their use of technology”. What an “effective approach” looks like can differ from organisation to organisation.
Experience tells us that the most secure organisations use technology where it is appropriate and support this with clear policies and user education.
Sensible steps to better cybersecurity for schools
Schools should consider the following advice when developing cyber-security and online safety approaches…
1. Take ownership at senior level — The Government’s statutory guidance requires that a member of the senior leadership team is made responsible for safeguarding in schools. Cybersecurity and online safety should be taken just as seriously. They should be discussed regularly with school governors and at leadership team meetings. Appropriate policies should be implemented and enforced by the senior leadership team itself.
2. Establish a strong online perimeter — Schools should establish strong boundary firewalls and internet gateways to protect school networks from cyber-attacks, unauthorised access, and malicious content. Cyber security controls should be monitored constantly and tested on a regular basis.
3. Update content filters, continually — People are usually the weakest link in organisations. In schools there are many young internet users with curious minds that need extra protection. Content filtering systems need to be updated constantly as tech-savvy students can find new ways to circumnavigate filters with incredible speed.
4. Establish solid access control policies — Schools should establish effective processes for managing user privileges to their systems to minimise the risk of deliberate and accidental attacks. Users should only be provided with the minimum level of access they need to do their job. When staff members leave the school, their access should be revoked promptly, and records should be kept up to date to prevent exploitation of old accounts.
5. Check third party providers thoroughly — Schools should ensure they vet thoroughly all third-party platform providers to ensure their approaches to security and safety are at least as stringent as their own. Access to students, parents and guardians should be granted by teachers themselves using email addresses provided in person.
6. Ensure secure configuration and patch management — Schools should know precisely what hardware and software is being used on their networks and ensure configuration changes are authorised, documented, and implemented appropriately. Devices should be set up so that only approved users can make changes. Software updates and security patches should be implemented quickly when released by manufacturers.
7. Monitoring and incident management — Schools must monitor all their systems continuously and analyse them for unusual activity that could indicate an attack. Criminal incidents should be reported to the police and other relevant authorities.
8. Invest in cybersecurity and online safety education — The Department for Education requires that students are taught about online safety as part of safeguarding for schools. They should ensure that members of staff understand the risks and policies covering acceptable and secure use of school systems. There should also be an established mechanism for ensuring that staff and students are made aware of new phishing or spoof email attacks.
9. Don’t forget about physical security — Schools should maintain cyber-security defences that are appropriate to the importance and sensitivity of the data requiring protection. Planning for these should include the physical security of hard drives, internet routers, servers and other devices on which data can be stored. School equipment is targeted by thieves, especially in the school holidays, so any device holding sensitive data should be encrypted.
10. Consider personal devices — Schools should have clear policies around mobile technology and how it is used on their premises. Students should be taught about acceptable use of their personal devices, how they interact with each other on social media and where to turn for help. When staff are working from home, they should be provided with IT equipment that’s for work use only and is not to be shared with other household members.
11. Use of VPN — When staff are working from home, VPNs should be used to ensure that data being sent back and forth to the school’s network is encrypted, meaning that even if it were to be intercepted it would be indecipherable.
12. Staying in touch — Pupil safeguarding issues need to be dealt with sensitively, which often means that a voice conversation is more suitable than speaking via email. However, staff calling pupils and their family members from their personal phones creates another safeguarding issue. Putting in place a cloud hosted telephone system can mitigate this problem as phone calls can be made from diverse locations and devices whilst presenting the school’s telephone number. Call recording can also be a useful feature here, but call recordings must be treated with the same sensitivity as other personal data.
If you would like more advice on how Supreme Systems can help your School, College or University to become Cyber Secure, get in touch.