News

School cyber-attacks: Top three methods revealed

Safeguarding School management Infrastructure E-safety Whole-school issues
Malware and ransomware attacks have left one in five schools without access to important and sensitive information about pupils and staff, research reveals.

The national Cybersecurity Schools Audit also shows that almost four in five schools fell victim to at least one type of cyber-incident in 2022.

The government’s National Cyber Security Centre (NCSC) warns that schools remain at a high risk from cyber-criminal attacks and vigilance is “essential”.

The audit involved 805 UK schools and took place in May 2022. It reveals that 78% – almost four in five – of the schools had experienced at least one type of cyber-incident with 7% experiencing “significant disruption as a result”. And 18% have experienced loss of access to important information – both short-term and permanent loss.

This is an improvement since 2019 when 35% of schools reported experiencing a loss of access to information, but it still represents almost one in five of the schools audited and comes since the advent of GDPR which put new requirements upon schools regarding data access and protection.

The audit also finds that 26% had not implemented multi-factor authentication to safeguard important accounts, 25% continued to allow limited staff access to USBs that can compromise systems through infections from computer viruses, malware, and spyware, and 4% had no back-up facilities.

The 2022 audit – which also offers advice and tips for schools in addition to existing resources available via the NCSC (see below) – also reveals the three most common methods used by cyber-criminals
  • Phishing: Fraudulent emails from attackers used to deceive staff into revealing sensitive information.
  • Spoofing: Attackers impersonate someone else to gain a victim's confidence, access to a system, steal data, or spread malware.
  • Malicious software: Include malware (used to disrupt or gain access to systems), viruses (programs that when executed replicate themselves by modifying other computer programs and inserting their own code), and ransomware (designed to block access to a computer system until a sum of money is paid).

The audit emphasises the threat posed via email: “We saw an increase in the number of schools that report spoofing (email impersonation). Given how realistic these emails look, how busy teachers are, and that 90% of ransomware attacks are delivered by phishing emails, this is a worrying trend.

“Email continues to be the number one vector of choice for cyber-criminals; no other tool can as easily connect an attacker to their prey at such scale, at zero cost, and with an aura of trust. This email threat is present across every sector, however the education sector remains a key target.”

There have been high-profile attacks on schools in recent months. In one sustained attack targeting 14 schools in 2021 and 2022, highly confidential documents were stolen and subsequently leaked online including children's SEN information, child passport scans, staff pay scales, and contract details. Elsewhere, over Christmas hackers attacked 16 schools in Hull and Yorkshire, locking staff out of their computers and demanding a ransom of £15m.

Malware is software designed to cause disruption to computer networks and servers in order to interfere with security and privacy, gain unauthorised access to information or systems, or deprive access to information.

Ransomware is a specific type of malware that prevents you from accessing your systems or the data held on them. Typically, the data is encrypted, but it may also be deleted or stolen or the computer itself may be made inaccessible.

Following the initial attack, those responsible will usually send a ransom note demanding payment to recover the data. Recently, there has been a trend for cyber-criminals to threaten to release sensitive data stolen from the network if the ransom is not paid.

The audit is run by the NCSC, which is part of GCHQ, and edtech charity LGfL. It has been published alongside a report offering further analysis, advice and “next steps” for schools.

Mark Bentley, cyber-security lead at LGfL, said that a shortage of experienced cyber-security professionals was leaving schools vulnerable. He continued: “Cyber-security can sometimes feel like a Rubik’s cube that changes its colours just as you are on the verge of solving it. Every week seems to bring new threats and make the list of ‘vital steps to stay protected’ grow even longer. But as with any complex issue, you can do a lot to manage and mitigate cyber-security risks.”

There are signs of improved security within schools. The audit found that awareness of phishing has increased from 69% in 2019 to 73% in 2022 and 55% of schools are now implementing staff training around cyber-security (this compared to 35% in 2019).

Sarah Lyons, deputy director for economy and society at the NCSC, added: “Our schools rely so much on the myriad of data required to run efficiently – including sensitive data on students, parents, governors and staff – therefore more work must be done to support the cyber-security around these essential services. The National Cyber Security Centre has been working with schools and the education sector to provide free tools and guidance to help schools manage their cyber-risks effectively and supporting them to keep this valuable information safe.”


Resources from the NCSC