Cyber security in education: lessons from the pandemic and what’s next

During your early years, you probably encountered many measures to protect your and your school’s safety. Depending on your age, that might have been the Green Cross Code helping you across roads, Charley the cat warning you about talking to strangers, or even weekly fire alarm testing in your school.

Now, in 2021, one of the biggest dangers facing young people and the schools they attend include something far less tangible – but it is just as critical. It is, of course, cyber crime, and the enormous challenge it poses to the education sector.

It’s a problem exacerbated by the pandemic – as indicated by a February 2021 surge in ransomware attacks on schools – and the subject of this alert by the government’s National Cyber Security Centre (NCSC).

In that report, the NCSC’s explanation of ransomware hints at why schools and education establishments, with their wealth of sensitive data, are such an irresistible draw for cyber criminals:

“Ransomware is a type of malware that prevents you from accessing your systems or the data held on them. Typically, the data is encrypted, but it may also be deleted or stolen, or the computer itself may be made inaccessible.

“Following the initial attack, those responsible will usually send a ransom note demanding payment to recover the data. They will typically use an anonymous email address (for example ProtonMail) to make contact and will request payment in the form of a crypto currency.”

It’s worth translating this for the real world: a ransomware attack involves stealing everything from a school’s financial records, to student coursework, to confidential pupil information, and extorting money from the organisation in exchange for returning those items. This is precisely what happened in the spate of attacks mentioned above.

With such valuable data at stake, it may come as no surprise that the education sector tends to suffer an above-average level of cyber crime – as illustrated by this government survey of the education sector.

Conducted by phone between 12 October 2020 and 22 January 2021, the survey assessed the experiences of 350 primaries, secondaries and further education colleges and found, on average, 56 per cent of these organisations suffered a cyber breach of some kind in the preceding 12 months compared to the 39 per cent average for all UK businesses.*

Even if we focus on the report’s lowest percentage of education organisations suffering a cyber breach – 36 per cent for primary schools – that’s almost four in ten primaries that experienced an incident during an already arduous period for education.

And you needn’t be an IT professional to understand why that might have happened. As with all businesses and organisations during the pandemic, schools saw their users accessing systems through home devices and personal networks – bringing with that a greater volume and variety of vulnerabilities, which bad actors were only too ready to exploit.

Now that a degree of normality is returning, it would be understandable to assume such risks will fade. But unfortunately, this is not such a clear-cut conclusion – and for a couple of reasons.

First, schools and the education sector have made considerable investment, both in time and money, in education technology over the past 18 months. For example, that same government study found 92 per cent of headteachers had introduced, increased or upgraded technology due to the pandemic. And this is mirrored by our own experience, which includes helping almost 600 schools set up the Google or Microsoft remote teaching platforms.

Consequently, based on discussions with our school clients, we believe the education sector will now be exploring ways to get the most out of those technology investments. And that suggests that even though students have returned to classrooms, schools want to ensure their digital teaching platforms are ‘earning their keep’ as a central part of their IT suite.

Second, when it comes to cyber crime, schools have several complicating factors. As suggested above – and as with other public sector organisations such as local authorities – school databases contain extremely sensitive data. And they also have a huge number and variety of users accessing their systems – many of whom, due to their young age, may not be as digitally literate as would be ideal. Digital teaching platforms, though hugely helpful, can have particular weaknesses in this respect if they are not carefully set up and maintained.

So how can your school protect itself? Though cyber crime is a never-ending concern, there are similarly endless resources and tools to help you protect your school, your staff and students. And some of the methods cost nothing other than a little time and planning.

In this respect, one piece of good news is the DfE’s forthcoming ‘Cyber Secure’ scorecard tool, which will allow a school to assess its cyber security measures and pinpoint weaknesses, helping to form a clear plan of action.

Being launched in January 2022 – and following a pilot between 16 September and 9 October – the free and anonymous self-assessment tool will evaluate your school’s cyber security, signposting you towards a range of guidance aimed at both IT and non-IT staff.

Ahead of that launch, there are some other steps you can take – and that includes putting aside some time to explore the NCSC’s existing guidance for schools. As there’s a lot to cover, here are a few of the starting points we focus on with our school clients:

  • Where does the responsibility for cyber security sit in your organisation? If it lies only with IT, then it’s time for a rethink. As the examples above demonstrate, cyber security is an organisation-wide challenge – so it takes the whole organisation to tackle it. And it’s important to remember that fighting cyber crime is about much more than technology – it’s part of your governance, internal communications and organisational culture.
  • How do your school’s business continuity and disaster recovery plans look? That’s a bit of a jargon-packed mouthful – so in other words, could your school keep running in the event of an attack? What plans do you have in place for reporting cyber or data breaches? How would your school bounce back? Here’s a little more free reading material on this.
  • Your school has a physical perimeter to protect pupils. How are your virtual perimeters – your firewalls and your internet gateways? It’s worth noting here that entire networks can be secured as well as individual devices.
  • What are your rules around passwords? As an everyday part of life, this can be a common weakness. A good tip for creating them is to use three random words – and to add an extra layer of protection with two-factor authentication (2FA). In fact, some systems go beyond this and allow only approved devices, from approved locations – and even only at set times – to log into systems – see the ‘Microsoft Enterprise Mobility Security’ section here. Also, we often find the biggest challenge is convincing staff of the importance of good password hygiene – so if this rings a bell, then talk to us.
  • How up to date are your software and systems? If they don’t have the latest patches and upgrades, they could be susceptible to cyber breaches. Cloud-based systems can help in this respect since they tend to be easier to maintain than on-premise hardware – but the debate over cloud versus on-premise is definitely one for another blog – so if you have any questions, get in touch today.
  • Your organisation’s cyber security is only as strong as the security of your IT supply chain. Of course, procuring products and services through official bodies, such as the Crown Commercial Service (CCS), goes a long way to ensure your suppliers meet the legal standards. But not all frameworks are created equal – and different education establishments must comply with different rules.

    For example, multi-academy trusts must comply with ESFA Trust Handbook section 6.16 and ESFA Conditions of Funding (Grant) (Trusts) – Schedule 7: Security & Department Policies (if applicable to the Trust). And they must do this to pass the NCSC’s Cyber Essentials scheme – see below.

It’s worth noting on this point that AdEPT Education, as part of AdEPT Technology Group, is an approved supplier on two CCS frameworks – RM3808 (Network Services 2) and RM6100 (Technology Services 3), as well as five lots of the Telecommunications Services framework run by the Crescent Purchasing Consortium

Aside from those starting points and the NCSC’s forthcoming Cyber Secure tool, another area that may be of interest is the NCSC’s Cyber Essentials scheme. This government-backed programme helps your school improve its cyber security through a series of assessments. If you pass, your school will become certified, which can be of great value for reassuring your staff and your wider school community, such as parents and guardians.

As with school exams, it’s vital to ‘revise’ ahead of the Cyber Essentials evaluation. So we have developed our own Security Readiness Assessment (SRA), which is rather like having your own private tutor to get you ready for the big test, so you pass with flying colours.

Whether or not you work in IT, hopefully this blog has given you, as an education professional, a good overview of current cyber security topics affecting your organisation. And hopefully it’s also offered some positive news for an often-intimidating subject. But if you have any questions – or would like to find out more about our SRA, then get in touch on 0333 400 2490 or through enquiries@adept.co.uk.

*Percentage of UK organisations suffering a cyber breach in 12 months to 22 January 2021, according to the Department for Digital, Culture, Media & Sport’s Cyber Security Breaches Survey 2021:

All UK businesses: 39 per cent

  • Primary schools: 36 per cent
  • Secondary schools: 58 per cent
  • Further education colleges: 75 per cent

Mean average of these education organisations: 56.33 per cent

Written by Stuart Johnson

Security Consultant