Cyber-attacks should be very high on the agenda for all schools and Trusts for several reasons:
- We hold significant amounts of sensitive data ranging from a child’s personal data to financial data.
- With each passing day we rely more and more on our ICT systems.
- Attacks are becoming more common and ever more sophisticated.
- Schools and Trusts are a target for criminals. Schools are public organisations that value transparency. Whilst this is a benefit in earning the trust of those we serve, it is a weakness that those wishing to harm us can exploit. For a number of reasons – budget, priorities, knowledge – schools also have a history of building poor defences against cyber-attacks.
- The consequences – loss of access to staff and pupil records, compromised safeguarding & Prevent duties, loss of pupils’ work, non-compliance (e.g. GDPR, OFQUAL, DfES, OFSTED), financial costs, significant damage to reputation…
Points 1-4 can be thought of in terms of likelihood; point 5 in terms of impact. The likelihood of an attack is rising and the impact can be extremely severe. Schools cannot afford to put this off any longer.
What is the answer?
There isn’t a one-size-fits-all solution.
The first step is likely to be raising the profile of the issue with other senior leaders, governors and trustees. Investment of time and money is very likely to be needed to develop a shared understanding of the issues, identify weaknesses and introduce new solutions.
Understanding how exposed your school or trust is to a cyber-attack will help raise the profile and inform an action plan. The National Cyber Security Centre (NCSC) is a good place to start; they have training plans to support awareness-raising and managing key threats. Alternatively, commission an independent audit to carry out a thorough review of your cyber-security.
Trusted ICT advisors will be critical in informing this work. Some gaps (e.g. weak passwords) are fairly straightforward to understand; others, such as effective backup and restore policies, robust firewalls, blocking removable storage devices and multi-factor authentication, can be more difficult to implement. Don’t forget to consider all of the third-party software and applications used by schools that contain sensitive data. Each should be reviewed as part of a robust cyber-security assessment.
A communication strategy is a really important tool. Some solutions – eliminating USB devices, forcing strong passwords, restricting use of staff-owned devices – may be unpopular, but that doesn’t mean they shouldn’t be implemented.
Revisit the school’s disaster recovery and business continuity policies. What would happen if you couldn’t access your servers for days or even weeks? What would happen if data was permanently lost?
Put a training plan in place. Anyone who uses ICT and has access to the school network should, as a minimum, undertake annual cyber-security training to ensure they know the basics.
Cyber-security should be on the development plans of the majority of schools and trusts; if it isn’t, then it is time to review and consider why not.
Visit the NCSC pages on support for schools.