
Cyber-security alert: How can schools protect themselves?

The Cybersecurity Schools Audit has urged ongoing vigilance in schools against cyber-attacks, especially those using malware, phishing or spoofing techniques. Expert Mike Wills considers how schools must protect themselves.


Last week’s Cybersecurity Schools Audit suggests that almost four in five schools fell victim to at least one type of cyber-incident in 2022 and one in five were left without access to important and sensitive information about pupils or staff.

Published by the National Cyber Security Centre (NCSC), it warns that schools remain at a high risk from cyber-criminal attacks and vigilance is “essential”.

The risks are clear. Highly confidential documents – including SEN information, child passport scans, staff pay scales and contract details – from 14 schools were recently leaked onto the dark web by hackers – a group known as the Vice Society. It is just the latest in a string of attacks in education in the last three years.

With teachers under increasing pressure due to significant workload, outdated IT equipment, a lack of adequate funding, and an absence of cyber-security training or effective policies, schools are – frankly – sitting ducks for cyber-attacks and breaches.

And these attacks are increasing in prevalence year-on-year. A second piece of research – the government’s Cyber Security Breaches Survey 2022 (DCMS, 2022) – revealed that 70% of secondary schools reported suffering a cyber-attack in 2021, a significant increase on 2020 (58%).

The most common breaches or attacks in secondary schools according to the survey were caused by:

  • Phishing: Fraudulent emails from attackers used to deceive staff into revealing sensitive information (87%).
  • Others impersonating the organisation in emails or online, sometimes known as spoofing or spear-phishing (46%).
  • Viruses, malware, or spyware (15%).
  • Denial of service attacks (15%).

Technology has become a vital component in education – especially since the pandemic and the reliance on remote education – so it is not surprising that cyber-crime is on the rise, and the threat posed by hackers is a clear and present danger.

Secondary schools handle highly sensitive data, such as pupil records, parents’ financial information and CCTV footage – providing hackers with fertile hunting ground. This type of information can be extremely valuable to cyber-criminals as they can sell it to a third party or use it as a bargaining tool for extortion purposes.


Common weaknesses

As mentioned, the most common type of attack, identified by 87% of secondary schools, was phishing, which is the process of tricking recipients into giving away their password or account details.

Unfortunately, many individuals still use the same email and password combination across multiple online accounts. The compromise of this information through a phishing attack can then be used as a gateway to elicit or access the victim’s personal data across other online accounts. In addition, the Cybersecurity Schools Audit warns that 90% of ransomware attacks are delivered via phishing emails.

The next most common was impersonation attacks – suffered by 46% of secondary schools – where emails are sent out imitating senior management or board members, often used to create panic for financial gain.

Technical attacks – including viruses, spyware, malware – came in third place, alongside denial of service attacks, which, in this context, would overload digital learning environments to prevent access and cause disruption. These can be relatively easy to undertake, even by amateurs, with 15% of secondary schools experiencing these types of attacks; 5% of secondary schools also reported ransomware attacks.

Concerningly, the survey also highlights that fewer than 40% of schools had trained staff on cyber-security, meaning that human error, caused by a lack of understanding of how to identify gaps in their protection, poses another risk. The Cybersecurity Schools Audit also flags that only 55% of schools are implementing staff training around cyber-security (although this is up from 35% in 2019).

In the case of one school targeted by the Vice Society, the documents were stolen by hackers using generic search terms. For example, a folder marked “passports” contained passport scans for pupils and parents on school trips going back to 2011, whereas another marked “contract” contained contractual offers made to staff.

Bring your own device (BYOD) culture is also a major vulnerability in secondary schools. These devices are not centrally managed by IT specialists and rely on individual owners to update critical software and applications in a timely manner to mitigate risks.

Furthermore, people tend to be more disciplined when using a work laptop than a personal one, and may also allow others – such as children and partners – to use the device when away from school.

Other common weaknesses include: an absence of policies for using the school’s network, or of a cultural understanding of what those policies mean and how they should be adhered to; and increasingly stretched budgets, meaning there is a lack of finances to invest in cyber-security software or staff.


Spotting vulnerabilities

From phishing and malware to social engineering and spyware, there are lots of ways cyber-criminals can conduct a digital attack and these methods are constantly evolving.

In order to ensure secondary schools are protecting themselves and meeting their legal obligations, they should conduct a cyber and data security assessment. This involves an analysis of all information assets and cyber-controls, making it an essential first step to understanding cyber-resilience and uncovering any weaknesses and risks that could leave you vulnerable to an attack.

Typically, an assessment will consider every security component to find any possible blind-spots, highlight where systems are vulnerable to breach, and identify whether a breach may have already occurred that could put a school at risk of regulatory action and damage to reputation.

Once an assessment has been completed, the outcome will be a full picture of what is working well, what requires improvement, and what is high risk. Most importantly, it will provide a roadmap of what needs to be done to increase a school’s resilience, make it hard to hack, and limit the risk of a cyber-attack.


Protecting systems

We live in a world where cyber risk is omnipresent. The most effective cyber-attack is the one you do not know has happened (unless it is designed as a ransomware attack, of course).

Schools need to ensure they are hard to hack. Cyber-criminals do not want to get caught – if it is too difficult, they will find easier and weaker prey.

The most obvious and, arguably, least expensive way a school can protect itself is password management. Currently, there are millions of email and password combinations for sale on the dark web for minuscule amounts.

Cyber-criminals can use this information to gain access to web portals containing emails, documents, pictures, saved bank account details, and addresses, and fuse this with other pieces of information to enable greater social engineering targeting.

Using the same password across multiple accounts, or for both personal and professional use, is a major weak link in a security system. If one site is breached and credentials are exposed, the risk is amplified exponentially if the same password is used elsewhere. However, if your staff change their passwords frequently – at least quarterly – the chain will be broken.

While a school’s staff are its best asset, if they do not understand the risks and are not properly trained, they can be a cyber-security liability too. It is very easy to compartmentalise our personal and professional lives.

However, they are intertwined digitally. Cyber-criminals recognise that because we are not personally mandated, legislated and regulated like businesses are, we tend to let our guard down when at home and be less disciplined.

Providing regular awareness training can ensure that staff understand why certain protocols should be undertaken when it comes to data protection and know how to spot potential breaches or weaknesses.

This can be something as simple as sharing a handbook with staff that includes information on what to look out for and tips for practising good cyber-security hygiene.


Managing data breaches

While becoming hard to hack will make schools more resilient to a cyber-attack, no security programme is infallible. If a cyber-criminal is committed to their goal, they will find a way, and given that even the wealthiest, most highly secure and well-resourced organisations are often still vulnerable to attacks, it is not surprising schools are being exploited so easily.

With this in mind, schools should make the assumption that it will happen and have a comprehensive incident response and disaster recovery plan in place.

If an attack is successful and an incident occurs, halting it as quickly as possible should be a school’s primary concern to ensure they can minimise its scope and scale. This can be done by having an incident response plan in place. Both plans need to be regularly reviewed and rehearsed so reactions can be made swiftly to minimise the associated impact.

Should a cyber-attack cripple a school, it could be facing some hefty costs – including system repair, learning delivery interruption, delays to schedule, knock-on impact to pupils and parents, adverse media coverage, financial damages claims and regulatory fines.

This can be mitigated by good cyber-insurance, but make sure you have the right insurance with realistic cover and service levels and be sure that you meet the minimum cyber-security standards for the policy to be valid.


Final thought

While even the most secure organisation is not guaranteed immunity, having the appropriate measures in place and being prepared should the worst happen will ensure confident, compliant and resilient staff, who, in turn, create a well-protected school.

  • Mike Wills is director of strategy and policy at cyber and data security firm CSS Assure.


Further information & resources