Instances of cybercrime have risen dramatically in recent years, and schools are no exception - particularly in the midst of the pandemic, where hackers have found new, inventive ways to attack remote-working facilities and defraud unsuspecting fee-payers.
In fact, our 2019 survey found that 61% of independent schools had been targeted for cyber-attacks in the five years prior.
With sensitive pupil data, the financial information of fee-paying parents and other private details on file, have you taken measures to stay one step ahead of cyberattacks?
In this guide we’ve outlined the most common types of cyberattack you’ll need to safeguard against, as well as some of the ways to mitigate cyber risks for your school.
Common cyber risks
There are many different types of cyberattack that could affect your school, so it’s important to familiarise yourself with the most common variations so that you can recognise the red flags when you see them. This will then inform what you need to include in your cyber risk management strategy and staff training protocols.
Here’s an overview of the most common cyberattacks:
Phishing was listed as a top concern for 51% of bursars surveyed, and is a technique that tricks users into thinking an email or text came from a person or entity they either know or can trust. This is then used as a gateway to elicit or access the victim’s personal data, usually bank details.
A common school fees scam is where hackers break into a school’s IT system and contact parents with false payment details when school fees are due. Unsuspecting parents readily accept the new information, with the hackers quick to close down accounts once any payments have been made.
Malware (or “malicious software”) is one of the biggest threats on the internet, and is a collective term for a number of malicious software variants, including (but definitely not limited to) viruses, spyware, Trojan horses, Distributed Denial-of-Service (DDoS) attacks and ransomware.
Ransomware is, unfortunately, one of the more common cyber threats for independent schools. It involves hackers gaining access to sensitive data – such as pupil records, parents’ financial information, or even CCTV footage – and demanding huge sums of money to relinquish the data, often with no guarantee that it will be returned once payments have been made. They can also take over individual devices or entire networks and only relinquish control once a ‘ransom’ has been paid.
Other threats include the permanent deletion of digital files, ranging from educational resources to sensitive data.
Safeguarding against cyberbullying
Remember, it’s not just the risk of a data breach or cyberattack you need to consider when risk assessing cyber security at your school - it’s vital that everyone can enjoy a harassment-free learning environment, so schools are also responsible for safeguarding their teachers, pupils and parents against cyberbullying while they’re attending or working at the school.
While there is no specific legislation around how these risks should be managed, the Department for Education does provide some cyberbullying guidance for schools.
Cyber risk management for schools
The first step to any cyber risk management strategy is identifying any high-risk areas of your IT framework. These are a few of the things you’ll need to consider when identifying risks to your cyber security:
- Does anyone take company-owned mobile devices (e.g. laptops, smartphones and USB drives) off school grounds, either to their home or when travelling?
- Does your school use cloud-based software or storage, or have critical operational systems connected to a public network?
- Does anyone in your school use computers to access bank accounts or initiate money transfers?
- Does your school store sensitive information (e.g. pupil data, financial reports) that could potentially compromise your organisation if stolen?
- Does your school digitally store sensitive employee or customer information? This can include government-issued ID numbers and financial information.
- Would your school lose critical information in the event of a system failure or other network disaster?
- How quickly could you respond if a system was compromised?
- Does your school use suppliers, or are you part of a supply chain?
If any of these scenarios apply to your school, then you may need to take steps to ensure you have identified and mitigated any risks relating to these activities. This could include actions such as implementing regular review processes to identify inefficiencies in your school’s IT infrastructure, or taking out cyber liability insurance.
Not sure whether you need cyber liability insurance for your school? You can calculate your independent school’s cyber risk here.
5 quick ways to reduce cyber risks in schools
Train staff in basic cyber-security principles to ensure they understand why certain protocols should be followed when it comes to data protection, and how to spot potential breaches. It’s also worth reviewing whether access to particularly sensitive data needs to be restricted to only those staff for whom the data is essential to carrying out their role.
A cybersecurity officer should be appointed to ensure best practice is maintained, with regular audits and a clear reporting process to flag any concerns or potential breaches.
Install protection software on all operating devices to detect and prevent attacks from occurring. Be sure to update all devices when prompted, and regularly check for operating system upgrades.
Encrypt and back up your systems to ensure you can recover your data following a cyber breach.
Wi-Fi networks should also be made secure, and adequate firewalls used for all internet connections. Passwords should be regularly changed.
Cyber insurance for schools
Successfully managing cyber risks will help support the operational management of your school – which is why we work with you to identify cyber risks and implement measures to keep your school operating should you experience a cyberattack.
With more than 55 years’ experience within the education community, we offer tailored risk management proposals to identify and address your emerging risks, including advice to mitigate online reputational and cyber risks.