Five crucial reasons why the education sector should prioritise cybersecurity

Earlier this year, the BBC reported that highly confidential information from 14 schools had been leaked online. Hackers had obtained information about children with SEN, child passport scans, staff pay scales and contract details. Around the same time, fifteen schools within a trust in Hull and Yorkshire were also reported to have been asked to pay a £15 million ransom following a cyber attack on its systems.

That's likely to be the tip of the iceberg. Research compiled from National Cyber Security Centre and the National Grid for Learning in 2022 found that 78% of UK schools had experienced at least one cyber incident. And, official statistics into cyber security breaches in the education sector, published by the government in April this year reveal that this sector are more likely to face cyber security breaches or attacks than the average UK business. It's key findings are that: 

• Further education and higher education institutions are more susceptible to attacks than schools
• Around half of further and higher education institutions have a cyber security strategy in place
• Cyber crime is prevalent in all types of education institutions, with further and higher education institutions experiencing more cyber crime than schools

What are the risks?

Schools and colleges face complex cybersecurity risks. Hackers can use various techniques to gain unauthorised access to its systems and data, such as phishing, ransomware, and malware attacks. Weak passwords, unsecured devices, and insider threats can also pose a security risk. 

Attacks can, effectively, shut down a school or college. That's what happened to the Harris Federation after it found itself at the centre of a cyber attack by anonymous hackers. Teachers turned up to school to find that nothing worked - including its electronic gates, CCTV and electronic registers. The hackers gained access to its system via a phishing email and they encrypted anything of value - including personal details about its staff and credit card details. It received a ransom demand of nearly £3 million and school leaders had to decide quickly whether to pay or suffer the consequences. It's a fascinating (and frankly, terrifying) account which is available on BBC4 File on 4: held to ransom.

Why are schools and colleges vulnerable to attacks?

Schools and colleges are particularly vulnerable to cyber attacks because they often lack the money and technical expertise to invest in good cybersecurity measures. They may also use outdated technology, which makes it harder to protect against threats. Plus, schools and colleges hold a lot of valuable personal data, which make them attractive targets to cybercriminals. 

Staff and students may not know about the risks associated with cyber threats, making them more susceptible to social engineering attacks. Social engineering attacks are a type of cyber attack that relies on psychological manipulation to trick people into divulging sensitive information. These can take many forms, including phishing emails which look as though they are from a reputable source, pretexting - where the attacker impersonates a trusted individual (such as an IT support advisor) to gain access to sensitive information, and quid pro-quo - where the attacker offers something in exchange for sensitive information such as promising a gift card in exchange for login details.

Five reasons to prioritise cybersecurity

Schools and colleges need to be vigilant and take appropriate cybersecurity measures: 

1. To protect confidential information

Schools and colleges hold a vast amount of sensitive and confidential data, from student records to financial information. This information can be targeted by cybercriminals looking to steal data for fraudulent activities or to sell on the dark web. Using cybersecurity measures such as encryption, two-factor authentication, and access controls will help to protect this information from unauthorised access or theft.

2. To prevent disruption to learning

Cybersecurity threats such as ransomware and denial-of-service attacks can cause significant disruptions to school and college operations and learning. Ransomware can lock down education computer systems, preventing students and staff from accessing important data, while denial-of-service attacks can render websites and online learning platforms unusable. Taking measures such as firewalls, anti-virus software, and regularly backing up data will help to ensures that students and staff can continue learning and working without interruptions.

3. To prevent reputational damage

A cyber attack can damage a school/college's reputation, which can take time to rebuild. A data breach or cyber attack can result in negative media attention and erode the trust of parents, students, and staff. Putting in place a strong incident response plan will help to maintain a positive reputation and instill confidence in stakeholders. 

4. To comply with regulations and avoid fines

Schools and colleges have to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These regulations require employers to take appropriate measures to protect personal data and prevent data breaches. The Information Commissioner has set out its strategic objectives for the next three years which include safeguarding the privacy of children and is likely to take a very dim view of organisations that have left themselves open to attack which could result in large fines. Recently an organisation was fined £98,000 for failing to have appropriate security in place which led to a data breach.

Bear in mind that a lot of the personal data held by schools and colleges will have to comply with the rules on sensitive personal data, and that's likely to increase as they adopt new technologies such as facial recognition and access via thumb prints.

Having a suitable data breach procedure, conducting staff training, carrying out risk assessments (including Data Protection Impact Assessments), and regular security audits will help the sector comply with these regulations and avoid penalties or legal action.

5. To prepare for the future

The nature and complexity of cyber threats are constantly changing. Prioritising cybersecurity will help schools and colleges prepare for new challenges. That means staying up to day with the latest trends and best practices. 

How we can help

We have recently launched our Cyber Security Health Check for clients. 

Specialists from our cyber team will carry out a comprehensive audit of your cyber-security covering 15 risk areas, including checking your real-world digital footprint and cyber-risk exposure. We'll then report back on the findings – highlighting practical steps you can take to better protect your organisation and reduce cyber-risk by up to 98%.

Please contact our Chief Information Security Officer, Graham Thomson for more information.

Our newsletters

We publish monthly employment and education newsletters. If you'd like to be added to the mailing list, please let me know. 

Our fixed price employment law service

We also have a fixed price employment law service. Please contact Gordon Rodham if you'd like to find out how we can help you avoid these sorts of problems with our fixed-fee annual retainer, or flexible discounted bank of hours service.