Best Practice

How to protect your school from cyber-attacks

With an increasing number of schools falling victim to cyber-attacks, cyber-security is becoming more important than ever. Sarah Bull outlines seven steps school leaders can take to protect their schools


Make cyber-security a priority for your school

Everything in your school relies on your computer network, but, as Headteacher Update has recently reported, there has been an increasing number of ransomware attacks targeting school networks.

A cyber-attack could mean that you cannot contact your staff in an emergency, that you are unable to pay your staff or other service providers, or that you lose students’ coursework or all of your data and financial records.

It is important to remember that you are responsible for making sure you have the appropriate level of security protection and procedures in place – this is explained in the statutory guidance Keeping Children Safe in Education (DfE, 2021).

School data is incredibly sensitive; if it is compromised this can present a risk to the pupils in your care. As such, it is not just the responsibility of your IT department. While you should work closely with your colleagues in IT, it is up to you and your governing board to make sure that cyber-security is given the time and resources needed to make your school secure.

Some of the elements involved in making your school cyber-secure can be expensive (for example, replacing your IT software), but the alternative can be far more financially damaging.

For example, if your school experiences a data breach under the General Data Protection Regulation (see DfE, 2018), its reputation could be damaged and it could be investigated and fined by the Information Commissioner’s Office (see further information).

So prevention is definitely better than cure. It is also worth remembering that in the event of a ransomware attack, even if you were to pay a ransom (which you should never do), there is no guarantee that you would get your data back.


Seek support from your local authority or trust

You do not need to tackle this all on your own. Make sure you speak to your local authority or trust about what it can offer your school regarding cyber-security; it may be able to advise you on what service providers to use or it may assist in procurement.


Get training for your staff

Training is a crucial part of protecting your school. From phishing emails to pressured phone calls, many attacks can succeed as a result of limited staff training. Make sure colleagues are trained annually on the basics of cyber-security. This will keep them up-to-date with the latest threats and what to be on alert for.

Cyber-attacks are often spread by email, so basic safety precautions are your school's first line of defence. Training is particularly important for defending your school against social engineering attacks, such as phishing and payment fraud. The Metropolitan Police’s Little Book of Cyber Scams 2.0 (see further information) explains that this training should cover how to:

  • Check the sender address in an email.
  • Respond to a request for bank details, personal information or log-in details.
  • Verify requests for payments or changes to information.
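The first training point, checking the sender address, is something a simple triage script can also support, so that suspicious senders are caught before a member of staff has to spot them by eye. The Python below is an added example written for this article; it is not part of The Key’s resource or the Metropolitan Police guide. The trusted domains and the five sample From: headers are constructed placeholders, and the three patterns it flags (a display name that shows a trusted address while the real address is elsewhere, a trusted domain buried inside a longer unrelated one, and a near-miss spelling of a trusted domain) are the checks I would assume such training covers.

```python
from __future__ import annotations

import re
from email.utils import parseaddr

# Domains the school's own mail comes from. Constructed placeholders for the
# example, not real organisations.
TRUSTED_DOMAINS = {"example-school.sch.uk", "example-trust.org"}

# Constructed sample From: header values, written for this example.
SAMPLE_HEADERS = [
    'Finance Office <finance@example-school.sch.uk>',
    '"head@example-school.sch.uk" <payments.urgent@freemail.example>',
    'IT Support <support@exarnple-school.sch.uk>',
    'Bursar <bursar@example-school.sch.uk.invoices.example>',
    'Supplier Ltd <accounts@supplier.example>',
]


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return warnings for one From: header value (empty list = nothing suspicious)."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["no usable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    warnings: list[str] = []

    # 1. The display name shows a trusted address, but the real address is elsewhere.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if shown and shown.group(1).lower() in TRUSTED_DOMAINS and domain not in TRUSTED_DOMAINS:
        warnings.append(f"display name shows {shown.group(0)} but mail is from {address}")

    if domain in TRUSTED_DOMAINS:
        return warnings

    # 2. A trusted domain name buried inside a longer, unrelated domain.
    for trusted in TRUSTED_DOMAINS:
        if trusted in domain:
            warnings.append(f"{domain} contains {trusted} but is not that domain")
            break
    else:
        # 3. A near-miss spelling of a trusted domain (e.g. 'rn' in place of 'm').
        for trusted in TRUSTED_DOMAINS:
            if _edit_distance(domain, trusted) <= 2:
                warnings.append(f"{domain} looks like {trusted}")
                break
        else:
            # Not a lookalike: simply an external sender, worth a second look
            # before acting on any request for payment or details.
            warnings.append(f"external sender {domain}")
    return warnings


def triage(headers: list[str]) -> dict[str, list[str]]:
    """Run check_sender over a batch of From: headers."""
    return {h: check_sender(h) for h in headers}


if __name__ == "__main__":
    for header, found in triage(SAMPLE_HEADERS).items():
        print(header, "->", found or ["ok"])
```

The script only reads the From: header, so it complements rather than replaces the verification step in the third bullet: a message that passes these checks can still carry a fraudulent payment request and should still be confirmed through a known phone number.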

Make sure that you include cyber-security training as part of induction for any new starters. This is especially important if they start outside of your school’s annual training window.

You can access free sources of training and support from the National Cyber Security Centre (NCSC) and Regional Organised Crime Units (ROCU). If you decide to find your own provider to deliver training, check that the training is school-specific and that the provider has experience in delivering training to schools.

You should also make sure you are clear on what will be covered in the training (it should cover areas such as data as well as phishing and ransomware) and that you know what staff should understand by the end of it.


Check what precautions you have in place

When reviewing the controls your school has in place, you should consider a number of areas, not least whether your controls are “proportionate”.

Indeed, for academies specifically, the Education and Skills Funding Agency notes that academies should have “proportionate controls” in place against cyber-crime, as explained in the Academy Trust Handbook.

However, it is difficult to provide a hard and fast way to tell if what you have in place is “proportionate”, as it will vary depending on your school size and what tasks people are performing.

The best way to work out whether what you have got in place is proportionate and working well is to get the specialists in, such as through a third-party audit (see later). They will be able to objectively test what you have in place and advise whether it is up-to-scratch for your school.

Other considerations include:

  • Multi-layered: Everyone needs to be aware of cyber-security risks. From front-line staff to your wider supply chain, everyone should be clear on what to look out for to keep your systems safe.
  • Up-to-date: Running old, unsupported and out-of-date software can leave your system vulnerable.
  • Regularly reviewed and tested: You need to make sure that your systems are up-to-scratch and as secure as they can be. You can carry out a self-review of your online safety procedures with the free tool from 360 degrees safe (see further information).


Precautions to consider

Below are some areas that you can discuss with your IT manager, IT service provider, local authority and/or trust. However, do not treat this as a checklist, self-review or audit. You should not carry out an audit yourself as you may not have the expertise to determine whether your systems have the right type of security. As cyber-security is a specialised area, it is best looked at by someone who is objective and specially trained.

However, the topics below are to help you start thinking about what you might need to do to make your school more secure; they can help you to spot areas that a formal audit should look at, although it is not a comprehensive list. Be sure to organise a formal audit to identify any gaps in your cyber-security. Topics to discuss include:

  • Getting staff trained
  • Updating your systems and software
  • Regularly backing up your data
  • Making sure your management information system (MIS) is secure
  • Enabling multi-factor authentication
  • Making sure your IT staff conduct regular access/permissions reviews
  • Using a password manager
  • Having a firewall in place
  • Checking your supply chain is secure and not a risk to your school


Develop, review and test an incident response plan with your IT department

Your plan should cover what procedures you will follow in the event of a cyber-attack. For example, it should include how you will communicate with your school if communications go down, who you will contact and when, and who will notify Action Fraud of the incident.

Make sure you review and test your procedures with your IT department annually (although ideally every six months) and after a significant event has occurred.

To test your procedures, you can use the NCSC’s “Exercise in a Box” resource to help you practise your response to a cyber-attack. You might decide to organise an audit to coincide with the review of your procedures.


Organise an annual audit

The best way to know if your school systems are up-to-scratch is to initiate an annual audit. Speak to your local authority or trust first about potential providers – they may be able to give you more bespoke guidance.

If it is up to you to pick an auditor, work with your IT manager to choose a third-party provider which specialises in cyber-security and also specifically in cyber-security auditing for schools. If a third-party provider’s website advertises lots of different IT services, it might not be a specialist in cyber-security.

An audit should assess what measures your school has in place and where your weaknesses are. It will then identify the next steps you can take to tighten up cyber-security.

  • Sarah Bull is a specialist content editor at The Key, a provider of intelligence and resources for education leaders. Visit https://thekeysupport.com/


Further reading

The advice in this article is taken from The Key’s resource How to protect your school from cyber-attacks, which was created in partnership with independent consultant Karen Mitchell, and Vickie Cieplak and Edward Trimbee from the West Midlands Regional Cyber Crime Unit, which is funded by the National Cyber Security Centre (NCSC). Visit www.ncsc.gov.uk/section/education-skills/cyber-security-schools

Further information & resources