Did you know that 41% of primary schools and 70% of secondary schools surveyed identified cyber breaches or attacks between 2021 and 2022? And these numbers could be higher, as they only include attacks that were actually identified by the schools.
Between 2020 and 2021, the proportion of primary and secondary schools identifying cyber breaches and attacks fell from 76% to 41%, but the government suggests that this wasn’t a case of the number of attacks against schools decreasing. Instead, due to the move to remote working during the pandemic, there may have been less monitoring, and therefore less reporting, of breaches during this time. And with the increase in working from home, and hackers finding new, inventive ways to attack remote-working facilities and defraud unsuspecting fee-payers, focusing on cyber security in schools has never been more important than now.
As specialists in insuring the education sector, we know exactly the kinds of risks you face and are committed to doing everything in our power to help you protect your school, data and financial information.
In this guide we’ve outlined everything you need to know about cyber-attacks, including the most common attacks you’ll need to safeguard against, tips on cyber education for pupils and staff, plus tips to mitigate cyber risk for your school – helping you stay one step ahead of cyber-attacks!
What is cyber security within a school setting?
Cyber security in schools is all about protecting the devices and services you offer or access online, and the data you hold within those devices and systems. As we’ll cover later in this guide, there are lots of different ways attackers can attempt to infiltrate your school’s systems – from theft to damage – on site or at home – and as a school, it is your responsibility to do everything in your power to prevent unauthorised access to these devices and systems.
Who needs cyber security?
Any organisation that is connected to the internet needs to implement measures for cyber security. Many organisations think that their specialist field won’t be a target for cyber attackers. However, most cyber-attacks aim to exploit system vulnerabilities, rather than target specific websites or organisations. Did you know that one in five schools and colleges have fallen victim to cybercrime? Research we did in 2019 also showed that 61% of independent schools had been targeted for cyber-attacks in the five years prior. As a school whose pupil and parent data and financial information is extremely important to you, we know that cyber security will be a big priority.
Why we need cyber security
Cyber security is so important because it includes everything that relates to protecting your school’s data, from pupil data to parents’ financial information. With the increased focus on digitalisation comes an increased risk of cyber-attacks. Cyber security helps you actively protect your devices and systems and do everything in your power to prevent harm coming to them.
Motives of cyber-attacks in schools
As we mentioned above, many organisations don’t think that their specialist area would be a target for cyber attackers. However, there are lots of different motives for cyber-attacks in the education sector, such as:
With the main aim being to cause widespread disruption to your school’s network and negatively impact school productivity, these kinds of attacks are usually Distributed Denial of Service (DDoS) attacks. They’re relatively easy to undertake, even by amateurs. There have even been stories of students and teachers carrying them out in the education sector, maybe because they want a day off, or aren’t happy with how a specific situation was handled by the school.
• Data theft
Whether they’re planning on selling data to a third party company or using it as a bargaining tool to extort money, data theft is another big motive for cyber attackers.
• Financial gain
Institutions like schools who handle large sums of tuition fees each term can be targets of cyber-attacks for the hacker’s financial gain.
This is where attackers are aiming to find valuable information held by your school in a targeted attack. For example, you may be working on a specific research project that is deemed to be valuable intellectual property.
Types of cyber-attacks in schools
There are many different types of cyber-attack that could affect your school, so it’s important to familiarise yourself with the most common variations so that you can recognise the red flags when you see them. This will then inform what you need to include in your cyber risk management strategy and staff training protocols. Here’s an overview of the most common cyberattacks in the education sector:
Phishing was listed as a top concern for 51% of bursars surveyed, and is a technique that tricks users into thinking an email or text came from a person or entity they either know or can trust. This is then used as a gateway to elicit or access the victim’s personal data, usually bank details.
A common school fees scam is where hackers break into a school’s IT system and contact parents with false payment details when school fees are due. Unsuspecting parents readily accept the new information, with the hackers quick to close accounts once any payments have been made.
Malware (or “malicious software”) is one of the biggest threats on the internet and is a collective term for a number of malicious software variants, including (but definitely not limited to) viruses, spyware, Trojan horses, Distributed Denial-of-Service (DDoS) attacks and ransomware.
Ransomware is, unfortunately, one of the more common cyber threats for schools, involving hackers gaining access to sensitive data – such as pupil records, parents’ financial information, or even CCTV footage – and demanding huge sums of money to relinquish the data, often with no guarantee once payments have been made. They can also take over individual devices or entire networks and only relinquish control once a ‘ransom’ has been paid.
Other threats include the permanent deletion of digital files, ranging from educational resources to sensitive data.
Another risk to your school’s cyber security is human error, which is normally caused by a lack of understanding about cyber security. For example, teaching staff may be fully trained on safeguarding risks when it comes to the internet, but when considering cyber risks and the consequences to the school, they may be less aware. This highlights the importance of more in-depth cyber security training and policies for your staff to follow, such as education around phishing and password policies.
Whilst your school’s website may not always be your number one priority, certain functionality (or lack thereof) can be a big indicator of weak security measures, putting your school at higher risk. For example, your school might host a blog with a comments section that is neglected, with minimal security measures for spam comments or a lack of general website security measures. Not only does this look unprofessional to prospective students and their parents, but it also indicates to hackers that you have weak security measures. Taking greater care of your online presence, using spam filters and engaging the person or company responsible for your website can be a great way to enhance your website’s security.
This is where hackers aim to gain access to your school’s system by trying to figure out the passwords. If they manage to succeed, they could be able to gain access to a variety of things such as confidential data, or an administrative account which allows them to make network changes. Password information could also be sold on the dark web to enable targeted attacks. This is where having a strong and secure password policy comes into play.
Safeguarding against cyberbullying
As you’ll know, it’s not just the risk of a data breach or cyber-attack you need to consider when risk assessing cyber security at your school. It’s vital that everyone can enjoy a harassment-free learning environment, so schools are also responsible for safeguarding their teachers, pupils and parents against cyberbullying while they’re attending or working at the school.
While there is no specific legislation around how these risks should be managed, the Department for Education does provide some cyberbullying guidance for schools.
Cyber security in the education sector
With the increase and ever-growing reliance on the digitalisation of the education sector, cyber security and reducing cybercrime in schools should be high up on the list for all education institutions - especially schools who manage significant school fee payments each term.
Cyber security incidents in schools
The Cyber Security Breaches Survey was carried out in 2021-2022 and identified the incidence and impact of cyber security breaches or attacks. In relation to UK educational institutions, it was found that the following percentages of institutions surveyed identified breaches or attacks in the last 12 months:
• Primary schools – 41%
• Secondary schools – 70%
• Further education colleges – 88%
• Higher education colleges – 92%
• All UK businesses – 39%
It’s important to keep in mind that these percentages only include attacks that were identified by the organisations and that there are likely to be hidden school cyber-attacks and breaches. So, these figures don’t highlight the full extent of the issue. Compared to the previous year, the percentage of attacks within businesses and primary schools remained the same, or at least at very similar levels. But there was a substantial increase in secondary school breaches or attacks in 2022 (rising from 58% to 70%).
Tips to increase cyber security in schools
There are lots of things to consider when increasing your school’s cyber security. A great place to start is with a cyber risk management plan.
Cyber risk management for schools
The first step to any cyber risk management strategy is identifying any high-risk areas of your IT framework, and then taking steps to ensure you have identified and mitigated any risks relating to these activities. This could include actions such as implementing regular review processes to identify inefficiencies in your school’s IT infrastructure or taking out cyber liability insurance.
If your school doesn’t already have a cyber risk management plan, the National Cyber Security Centre has published a free Cyber Assessment Framework and guidance for organisations responsible for vitally important services and activities.
You can also find out whether you need cyber liability insurance for your school by calculating your school’s cyber risk.
These are a few topics you’ll need to consider when identifying risks to your school’s cyber security:
• Does anyone take company-owned mobile devices (e.g. laptops, smartphones and USB drives) off school grounds, either to their home or when travelling?
• Does your school use cloud-based software or storage, or have critical operational systems connected to a public network?
• Does anyone in your school use computers to access bank accounts or initiate money transfers?
• Does your school store sensitive information (e.g. pupil data, financial reports) that could potentially compromise your organisation if stolen?
• Does your school digitally store sensitive employee or customer information? This can include government issued ID numbers and financial information.
• Would your school lose critical information in the event of a system failure or other network disaster? How quickly could you respond if a system was compromised?
• Does your school use suppliers, or are you part of a supply chain?
Five quick ways to reduce cyber risks in schools
Whilst you’re sorting your risk assessment out, here are some potential quick wins that could help you reduce your school’s cyber risk.
• Train staff in basic cyber-security principles to ensure they understand why certain protocols should be undertaken when it comes to data protection, and how to spot potential breaches. It’s also worth reviewing whether access to particularly sensitive data needs to be restricted to only those staff for whom the data is essential to carrying out their role.
• A cyber-security officer, or school cyber security analyst should be appointed to ensure best practice is maintained, with regular audits and a clear reporting process to flag any concerns or potential breaches.
• Install protection software on all operating devices to detect and prevent attacks from occurring. Be sure to update all devices when prompted, and regularly check for operating system upgrades.
• Encrypt and back-up your systems to ensure you can recover your data following a cyber breach.
• Wi-Fi networks should also be made secure, and adequate firewalls used for all internet connections. Passwords should be regularly changed.
What to do if your school suffers a data breach
Unfortunately, even the best plans and procedures can't completely eliminate risk. If you do suffer a cyber-attack, there are some important actions school leaders should take:
Establish a crisis team: If you haven’t already, create a team that specifically understands what they should do in the case of a cyber emergency. The protocol should include the communications strategy (both internal and external), and clearly identify who is responsible for contacting relevant stakeholders and who manages the insurance and legal aspects that follow.
In addition, you must be aware of your school’s requirement to notify security breaches to the Information Commissioner’s Office (ICO) within the stipulated time frames. For example, with regards to personal data breaches, the GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach.
Contact your insurers and legal advisers: It’s important that you act quickly: contact your legal advisers and insurers immediately to ensure that you understand how you’re protected and whether you need to take any legal action.
Communications plan: Another important action is to establish the communications that need to be made once an attack takes place. Consider the messages you want to share with your employees, pupils and parents to ensure concerns are addressed, and where possible, alleviated.
Restrict access: Restricting access is very important. If you do not feel that an employee requires the data, do not allow them access to it. If an attack does happen, ensure that interim access can be restricted to the crisis team.
Cyber skills lessons
We’ve touched on the need for cyber awareness amongst school pupils and staff throughout this article. But just where do you get started?
Internet security for students
When it comes to educating students about the internet, a lot of focus (and rightly so) is on safeguarding. But cyber security for school students is just as important.
The National Cyber Security Centre have helpful resources for school children of all ages when it comes to cyber security education.
CyberSprinters – 7–11-year-olds
This is an interactive digital game which can be played on phones, tablets, and desktops, helping students focus on cyber-security education and learn about making smart decisions to help them stay safe online. It includes topics like passwords, devices, and suspicious messages, plus there are options for practitioner-led and home-based activities.
CyberFirst – 11–17-year-olds
CyberFirst is a programme of activities to inspire and encourage students from all backgrounds to consider a career in cyber security – well and truly putting cyber first! It enables students to apply for a CyberFirst UK bursary. The bursary scheme offers lots of opportunities such as financially supporting undergraduates through university and degree apprenticeships, free places on CyberFirst courses and more.
Internet security for school staff
As with students, there are lots of IT security resources out there to support teachers with education on cyber security.
The National Cyber Security Centre have more practical resources specifically for school staff (from admin teams, to procurers, to teachers and senior leaders). This includes free cyber security training especially for school staff, with practical tips to support their understanding of cyber security.
Cyber insurance for schools
As concerns grow that the independent schools sector is a target for cyber criminals, bursars and school leaders need to be aware of the insurance options available to them.
Schools should also regularly evaluate their insurance policies. Whilst having public liability, employers’ liability, and buildings and contents insurance is standard practice for schools, having a robust cyber insurance policy is something that shouldn’t be overlooked.
By having cyber liability insurance, you can help protect against privacy breach costs, digital asset replacement expenses, business interruption, cyber extortion, reputation damage and media liability, to name but a few.
Why cyber insurance for schools?
Successfully managing cyber risks will help support the operational management of your school – which is why cyber insurance for schools is so important if you’re looking to protect your institution against the different risks that come with digital transformation.
As specialists in insuring the education sector, we work with you to identify cyber risks and implement measures to keep your school operating should you experience a cyber-attack. This means that your school could be covered for various circumstances like forensic analysis to identify the attack origin, specialist support in handling ransom negotiations and more.
Cyber insurance will help your school cover costs, get access to experts in the event of an emergency, plus give your students and their parents assurance that you’re looking after their data, and are prepared if your school gets targeted.
With more than 55 years’ experience within the education community, we offer tailored risk management proposals to identify and address your emerging risks, including advice to mitigate online reputational and cyber risks.