A cyber-attack could mean that you cannot contact your staff in an emergency, that you are unable to pay your staff or other service providers, or that you lose students’ coursework or all of your data and financial records.
School data is incredibly sensitive; if it is compromised this can present a risk to the pupils in your care. As such, it is not just the responsibility of your IT department. While you should work closely with your colleagues in IT, it is up to you and your governing board to make sure that cyber-security is given the time and resources needed to make your school secure.
Some of the elements involved in making your school cyber-secure can be expensive, for example, replacing your IT software, but the alternative can be far more financially damaging; if your school experiences a data breach under the General Data Protection Regulation its reputation could be damaged and it could be investigated and fined by the Information Commissioner’s Office.
Seek support from your local authority or trust
You do not need to tackle this all on your own. Make sure you speak to your local authority or trust about what it can offer your school regarding cyber-security; it may be able to advise you on what service providers to use or it may assist in procurement.
Get training for your staff
Training is a crucial part of protecting your school. From phishing emails to pressured ‘phone calls, many attacks succeed as a result of limited staff training. Make sure colleagues are trained annually on the basics of cyber-security; this will keep them up-to-date with the latest threats and what to be on alert for.
Cyber-attacks are often spread by email, so basic safety precautions are your school’s first line of defence. Training is particularly important for defending your school against attacks, such as phishing and payment fraud. The Metropolitan Police’s Little Book of Cyber Scams 2.0 explains that this training should cover how to:
check the sender address in an email;
respond to a request for bank details, personal information or log-in details;
verify requests for payments, or changes to information.
Make sure that you include cyber-security training as part of induction for any new starters. This is especially important if they start outside of your school’s annual training window.
You can access free sources for training and support from the National Cyber Security Centre (NCSC) and Regional Organised Crime Units. If you decide to find your own provider to deliver training, check that it is school-specific and that the provider has experience in delivering training to schools.
You should also make sure you are clear on what will be covered in the training – it should cover areas such as data, as well as phishing and ransomware – and that you know what staff should understand by the end of it.
Check what precautions you have in place
When reviewing the controls your school has in place, you should consider a number of areas, not least whether your controls are ‘proportionate’. Indeed, for academies specifically, the Education and Skills Funding Agency notes that academies should have ‘proportionate controls’ in place against cyber-crime, as explained in the Academy Trust Handbook.
However, it is difficult to provide a hard-and-fast way to tell if what you have in place is ‘proportionate’, as this will vary depending on your school size and what tasks people are performing. The best way to work out whether what you have got in place is proportionate, and working well, is to get the specialists in, such as through a third-party audit. They will be able to objectively test what you have in place and advise whether it is up-to-scratch for your school. Other considerations include:
Multi-layered: everyone needs to be aware of cyber-security risks. From front-line staff to your wider supply chain, everyone should be clear on what to look out for to keep your systems safe.
Up-to-date: running old, unsupported and out-of-date software can leave your system vulnerable.
Regularly reviewed and tested: you need to make sure that your systems are up-to-scratch and as secure as they can be.
Precautions to consider
Here are some areas that you can discuss with your IT manager, IT service provider, local authority and/or trust. However, do not treat this as a checklist, self-review or audit; you should not carry out an audit yourself as you may not have the expertise to determine whether or not your systems have the right type of security. As cyber-security is a specialised area, it is best looked at by someone who is objective and specially trained.
However, the topics below will help you to start thinking about what you might need to do to make your school more secure; they can help you to spot areas that a formal audit should look at, although this is not a comprehensive list. Be sure to organise a formal audit to identify any gaps in your cyber-security. Topics to discuss include:
Getting staff trained.
Updating your systems and software.
Regularly backing-up your data.
Making sure your management information system is secure.
Enabling multi-factor authentication.
Making sure your IT staff conduct regular access/permissions reviews.
Using a password manager.
Having a firewall in place.
Checking your supply chain is secure and not a risk to your school.
Develop, review and test an incident response plan with your IT department
Your incident response plan should cover what procedures you will follow in the event of a cyber-attack. For example, it should include how you will communicate with your school if communications go down, who you will contact and when, and who will notify Action Fraud of the incident.
Make sure you review and test your procedures with your IT department at least annually (ideally, every six months) and after a significant event has occurred. To test your procedures, you can use the NCSC’s Exercise in a Box resource to help you practise your response to a cyber-attack. You might decide to organise an audit to coincide with this review of your procedures.
Organise an annual audit
The best way to know if your school systems are up-to-scratch is to initiate an annual audit. Speak to your local authority or trust first about potential providers – they may be able to give you more bespoke guidance.
If it is up to you to pick a provider, work with your IT manager to choose a third-party provider which specialises in cyber-security and also specifically in cyber-security auditing for schools; if a third-party provider’s website advertises lots of different IT services, it might not be a specialist in cyber-security.
An audit should assess what measures your school has in place and where your weaknesses are. It will then identify the next steps you can take to tighten up your cyber-security.
Be the first to comment