Are you safe from a cyber attack?

I would like to help raise awareness about how much your school is protected against cyber crime. There are so many schools that have fallen victim to this issue, and it has cost them a great deal financially as well as affecting their reputation and confidence moving forward.

A recent article posted by BBC News reported: ‘New figures from the ICO, (Information Commissioner's Office) show 347 cyber incidents were reported in the education and childcare sector in 2023 - an increase of 55% on 2022.’ It added: ‘The type of cyber attack which increased most across all sectors between the end of 2022 and 2023, according to the ICO, was ransomware, incidents of which increased by 170%.’

This news highlights the need for all schools to check the latest DfE standards, ‘Meeting digital and technology standards in schools and colleges’ (20th May 2024, https://www.gov.uk/guidance/meeting-digital-and-technology-standards-in-schools-and-colleges/updates), and then work closely with your IT Support Provider to ensure that your school is protected and that all staff have carried out annual cyber security awareness training too.

There are certainly many schools that have yet to carry out any staff training, and many systems running old servers with weak passwords that are in a very vulnerable state.

There are around 12 main areas to focus on. To be fair, much of this should be covered by all IT Support Providers to some extent, with varying degrees of protection.

  1. Network Security: Firewalls & Intrusion Detection / Prevention Systems

  2. Endpoint Protection: Antivirus, Malware & Ransomware Protection + Detection Systems

  3. Data Protection: Encryption & Backup

  4. Access Control: User Authentication including strong passwords & Two Factor Authentication. Role Based Access based on user roles.

  5. Network Segmentation: Split the network into segments to limit the spread of malware etc.

  6. Email Security: Spam filters & Email Filtering.

  7. Web security: Content Filtering & Secure Web Gateways

  8. Incident Response: Plan & Response

  9. User Education & Training: Cybersecurity Awareness Training & Phishing simulations

  10. Policy & Compliance: Security Policies & Compliance with relevant laws etc

  11. Monitoring & Auditing: Continuous Monitoring & Regular Audits

  12. Physical Security: Secure Access, ensure physical assets are secure & Use of CCTV and access logs to monitor who has accessed

There have been many different cases where schools have fallen victim to a cyber attack of some sort. Many of them were supported by large IT support providers who have a full team of cyber security experts and hold Cyber Essentials status, amongst other things. On the flip side, there are many schools with in-house IT staff, or using small IT support businesses without the same cybersecurity certifications, that haven’t been a victim of such attacks because they are very proactive in safeguarding the schools. The main message is that everyone is at risk. If everyone does their best to be diligent in all areas then the risk will be reduced massively.

The most recent common attacks in schools are ‘phishing attacks’. There are many ways that users are ‘phished’, including spoof emails with a link to a site that looks real and fools the user into submitting data that will help cyber attackers access systems. This is a form of social engineering which attempts to fool users into doing things they wouldn’t normally do. This is why staff awareness training is so important to reduce this risk.

I would like to conclude this month with 2 examples of the harsh reality of such attacks:

  1. 2020 - Redcar and Cleveland Borough Council - This primarily affected the council but as part of the attack it had serious repercussions for local schools. In addition to the disruption the overall cost was over £7 million.

  2. 2021 - Harris Federation, a large MAT in London. 50 schools were affected. Phone lines, emails & devices were impacted. Everything had to be taken offline until the issue was resolved.

There are many resources online to help. Here are some that should be very useful for your school.

SWGfL - https://swgfl.org.uk/research/cyber-security-in-uk-schools/

National Cyber Security Centre - https://www.ncsc.gov.uk/section/education-skills/cyber-security-schools 

Cyber Secure Check for Schools - https://cybersecurecheckforschools.uk/ 

One last thing! I know many of you will have a little book in your desk drawer with all your passwords written down, or another common one I have seen too often, post-it notes stuck around with passwords written down! Please rethink how you manage your passwords. 

I hope that has been helpful for you and not put too much fear into everyone. I will aim next month to bring something more positive for you all. 

Nigel Milligan

IT Director.
