Best Practice

Rising threat of cyber-attack: Common methods and what schools can do about it

Infrastructure Whole-school issues Legislation and guidance
Cyber-attacks are a constant threat for schools with the Information Commissioner’s Office reporting increasing incidents. Helen Osgood looks at the common methods being employed by criminals and how schools might begin to protect themselves
Image: Adobe Stock

Cyber-attacks on schools are no longer uncommon, with notable attacks making the news in just the last few weeks.

The Information Commissioner’s Office has also recently revealed that it received reports of more than 3,000 cyber-breaches in 2023, with the education sector making up 11% of those – a notable increase on 2022 (ICO, 2024).

Schools have a crucial role to play in keeping data safe and secure and there are preventative actions that we can take to safeguard our systems, our children, and ourselves.

To begin with, schools should meet the Department for Education’s cyber-security standards (DfE, 2024) as a minimum. For example, protecting all devices behind a firewall, using multi-factor authentication, conducting regular data protection impact assessments, and having at least three back-up copies of important data on at least two separate drives, with one being kept offsite. For more tips, see this SecEd article from the ICO (Joorawan, 2023).

The data that our schools, trusts and local authorities hold are attractive to criminals. Anything which ties together location, personal identification and financial details is precious and can be sold to the highest bidder.

Back in March, Leicester City Council experienced a cyber-attack on its systems, bringing down telephone and internet systems, with a potential loss of data. And more recently, a “brute force” attack on de Ferrers Trust in Derbyshire caused it to close some schools for a day as it checked for potential risks. There is no indication of any data loss, but it brings into focus the threat we face.

Last year, SecEd reported on the top three methods of cyber-attacks on schools, namely malicious software, phishing, and spoofing (when attackers impersonate somebody else to gain access to a system). Meanwhile, the ICO’s figures list the top five causes of the breaches reported in 2023:

  • Phishing: Where scam messages trick the user and persuade people to share passwords or accidentally download malware.
  • Brute force attacks: Where criminals use trial and error to guess username and password combinations, or encryption keys.
  • Denial of service: Where criminals aim to stop the normal functioning of a website or computer network by overloading it. 
  • Errors: Where security settings are misconfigured, including being poorly implemented, not maintained and or left on default settings.
  • Supply chain attacks: Where products, services, or technology you use are compromised and then used to infiltrate your own systems.

Research by the National Cyber Security Centre has found that one in five schools have been left without access to important and sensitive information about pupils and staff due to malware and ransomware (see SecEd, 2023).

And it is not just about stealing data. Ransomware attacks are becoming more prevalent. This is where data and information are locked down and the user is told they have to pay a ransom in order to retrieve it.

As more and more of our systems are digitised, the risk to our data security becomes ever greater. And it is so much bigger than data – it’s about communications; it’s about health and safety because of record-keeping on electronic registers; it’s about access to school meals, safeguarding, wraparound childcare provision, even telephones. If the systems are compromised, even the ability to contact parents might be disrupted.

And then there is the direct impact on learners. A loss of systems can mean that a site is no longer safe for pupils – in some schools, the electronic door locks cannot work if the network is down, meaning rooms cannot be secured. Lack of access to registers and safeguarding records – or even being able to provide school dinners – all contribute to this and mean that, in some instances, schools have to close.

And then it gets exponentially worse as schools cannot access their internal systems to advise parents of this via email, text or even telephone. Furthermore, the work that teachers rely on, the lesson plans, PowerPoints, and resources, are all locked down and cannot be accessed, and remote learning is compromised as a result.

Exams and official assessments are fixed moments in time. Ofqual recommends schools reflect on any contingency arrangements they might need – both practical and electronic arrangements – and make sure there are back-ups of NEA (non-exam assessment) evidence and marks, that seating plans and access arrangement details are prepared and printed well in advance should systems go down so that schools are as well prepared as possible.

Ultimately, schools need to ensure they have a robust action plan in place for what needs to happen if something goes wrong. To that end, the advice in the ICO article cited above is a good place to start.

As mentioned, you can never have too many back-ups. And we can all play our part, too, by making sure that we adhere to the highest standards of personal cyber-hygiene. When was the last time you changed that password? Where do you store your USB stick? When did you last back-up your laptop?

Community Learn offers Community members training to support IT security so they can feel safe online at home as well as in the workplace. This is especially important if you ever work at home, like we know many of you will every week. So make sure you follow your workplace policy to stay safe online.

There is probably little you individually can do to stop a determined cyber-attacker, but we all have a role to play in ensuring that we make life as difficult as possible for them.

 

Further information & resource