School cyber attacks are making national news headlines, with the Information Commissioner’s Office revealing a 55% increase in cyber incidents in the education sector in 2023 compared with the previous year.
As this BBC report outlines, the impact of an attack reaches into every aspect of school life and can even force a school to close.
Schools are particularly vulnerable to ransomware attacks which encrypt critical school data until the school pays a ransom. In one case, ransomware hackers stole confidential information about students with special educational needs, scans of children’s passports and personal staff details and published it on the dark web.
Cyber attacks cost time as well as money. In a National Cyber Security Centre survey, 19% of schools say it took three weeks or more to recover from an attack.
As a school governor or trustee, you are already focused on making sure your schools have cyber security strategies in place. However, at a time of rapidly escalating cybercrime, you need to be sure your school or MAT has strong enough defences to withstand the evolving threat – both internally and when procuring third-party software providers.
Here are some questions for you to ask your school leaders:
- Who is responsible for cyber security?
It’s vitally important your school has someone who takes ownership of cyber security. This can be an individual – or a third party such as an IT-managed service provider or dedicated cyber services provider.
Ask for the names, job titles or company details of the people at the helm.
If your school has an in-house person or team with cyber security responsibility, check they have the necessary skills and resources to protect your school. If it’s a third party, make sure they fully understand your school’s cyber security needs.
- How do you know your school or MAT’s cyber security strategy is working?
Your school might have cyber security measures in place, but these need regular testing. Schools should carry out periodic penetration testing where an experienced provider uses hacking techniques to try to access their systems.
Check your school can provide evidence of recent security testing.
As well as penetration testing, schools can also use vulnerability scanners and attack surface management tools to make sure their security is working. Ask your cyber security team whether they have these defences in their armoury.
- What are your schools’ most important digital assets?
Every school and MAT has digital assets which they rely on for their day-to-day running, and these need securing the most. For instance, your school’s management information system (MIS), student safeguarding datasets and finance systems.
Ask how these critical digital assets are managed and secured. Ensure your school understands the need to prioritise the security of these assets.
- How is your schools’ cyber security funded?
Free cyber security tools and open-source options will not be adequate to protect your school or MAT – and they can carry their own hidden costs and risks if they let hackers into your systems.
Find out how your school is securing their investment in cyber security.
Your school should be able to outline its security budget and identify when and how these funds are spent. If there appears to be a shortfall, get together with your school leadership to plan sufficient funding. Cyber security is too important to be left to free, cheap, or risky solutions which could end up costing your school a lot more should an attack happen.
- Where are the biggest security weaknesses?
There’s no such thing as a perfectly secure system or organisation. Every school or MAT will have vulnerabilities in their security, and it’s important to know where these are so you can mitigate the risks. Is it their payment system, their antivirus solutions, or their ‘bring your own device’ policy?
Ask your school where they feel least confident about cyber security.
Knowing where the vulnerabilities are will help with cyber security planning. Check your school has a plan to shore up their weaknesses and ask what that plan involves.
- What is the plan if an attack happens?
Even the most mature, security-aware organisations experience cyber incidents. What’s important is how you respond to them. Schools need a cyber incident response plan which is documented and regularly reviewed. Staff need to be aware of the plan and know what to do in the event of a cyberattack.
Check your school/s have an effective cyber incident response plan.
Backups are an essential part of any response plan, so make sure your school has included details of which data is backed up, where the data is held and how often the backup is tested to make sure it works. The backup should be secured and protected so the attackers cannot destroy school data.
- How are staff made aware of cyber security?
The mistakes people make are the weakest link in an organisation’s cyber security, and attackers are all too willing to exploit these mistakes. When people download content, respond to an email or click on a link, they need to remember they might be opening the door to cybercriminals.
Ask to see your school or MAT’s strategy for cyber security and data protection awareness.
The strategy should contain information about how awareness is measured, and which training is available to which members of staff. Training should be regular and up to date. Schools can create a security-conscious culture by reminding everyone how important it is to tread carefully in the digital world.
- Who are your schools’ critical IT service providers?
Schools and MATs rely on IT suppliers, but these supply chains can open the door to data breaches. One example of this is a trojan horse attack where genuine software is infected with malware which downloads onto a school system disguised as a legitimate program.
Investigate which suppliers your school uses – they should be able to provide an exhaustive list.
To reduce the risk of attacks coming in via third parties, schools should be monitoring suppliers – and data processors in particular – to assess their security position. Make sure your school carries out due diligence on all these suppliers.
These questions are only the start of what should become an ongoing cyber security conversation between governors, school leaders and IT teams. The more you can do to promote the importance of cyber security, the better prepared your school or MAT will be to build a digital fortress against cybercrime.