The Department for Education has today released its cyber security standards, building on the four digital and technology guidelines released in March that outline how schools and colleges can meet IT service and digital equipment standards.
It is hard to imagine that many schools, colleges or trusts would be rash enough to ignore these new standards. They provide the cyber security baseline that all institutions should implement if they want to ensure that their data and systems are secure.
Cyber security attacks on schools
The impact that a successful cyber attack has on a school, college or trust can be profound. In March 2021 four academy trusts were subject to successful attacks, the most significant being that on The Harris Federation: it cost in excess of £500,000 to return its systems to normal due to the time taken to clean and check all devices.
Beyond just the financial cost, there are other serious implications. These include the impact on teaching and learning, as resources become inaccessible; the inability to pay staff; the loss of MIS/HR data; as well as the need to redirect time and energy away from improving the outcomes for pupils.
Additionally, there is a huge burden on student and staff wellbeing, as students and staff worry about lost coursework and examination data. Any cyber attack carries not only the risk of losing data but also the potential threat of financial and personal information being leaked on to the dark web and used for identity theft or fraud.
Stealing sensitive information through compromised credentials, email addresses and passwords is a more insidious threat. The user may not even be aware that they have given away access to all their emails and files.
If this person is in IT or senior leadership, cyber criminals can get very sensitive information, leading to significant safeguarding concerns, as the data can be downloaded automatically once someone has had their password “phished”.
This is why United Learning has implemented multi-factor authentication (MFA), and I cannot emphasise enough the importance for all schools and colleges to implement it urgently. The risks of not doing so far outweigh any challenges about implementing it, and it forms a key part of the DfE standards.
Evolving technology and threats
The threats that we face will continue to evolve and the standards will no doubt evolve with them, just as we saw several years ago with ransomware as the main threat giving way to credential stealing as we all migrated to the cloud.
With the wider adoption of MFA access from home and personal devices, I foresee ransomware and end-user device compromise becoming more of an issue again. The wider adoption of one-to-one devices and pupil “bring your own device” (BYOD) schemes will also increase the risk to school and college systems and their data.
Everyone should be conscious that their pupils could pose a threat, either through the use of easily accessible hacking tools, the use of cheap denial-of-service attacks to bring down their internet connection or website, or by shoulder surfing senior leaders for passwords to access school systems.
Cyber security is a leadership issue
The cyber security standards provide a clear set of attainable benchmarks that will enable IT teams and their managers to ensure that they have undertaken sufficient steps to protect their systems and data.
Along with the guidance on the National Cyber Security Centre (NCSC) website, the standards should help to shape the conversations governors have with leaders, and leaders have with their IT teams or third-party providers to better understand the risks and mitigations already put in place.
The lesson we should learn from the recent cyber attacks on schools and colleges is that: should an educational institution suffer a successful attack, the impact on learners and staff will be significant and could last for weeks.
Implementing the standards will not stop attempted attacks but will reduce their likelihood and limit their impact.
Wargaming a cyber attack
Cyber security should be seen as a key element of normal working practices: checking aged passwords, patching devices or cyber security training. If the policies and practices developed out of the standards are implemented effectively, technical teams should not have sleepless nights.
However, preparing for an incident and developing a “game plan” for dealing with an attack is as important as putting the defences in place.
The NCSC “exercise in a box” provides IT teams and their leadership with scenarios to develop plans for dealing with incidents, as well as identifying possible gaps in their cyber security strategy.
At United Learning we have used it to refine how we would respond to an incident and it identified areas of weakness, such as in our BYOD policy or not having hard copies of key documents.
I urge everyone reading this, especially those in leadership positions, to review their cyber security standards with their IT teams.
It is of paramount importance that you determine what measures are needed to meet the standards, as they provide an essential benchmark for you to measure the security and safety of your data and systems against.
If you fail to implement the standards, even during the current financial challenges, you are leaving you and your educational institutions open to financial and data loss, reputational damage, lost learning and a significant impact on pupil outcomes.
This article also appeared in the TES October 2022