Schools remain at particular risk from cyber attacks and have to maintain high vigilance, the London Grid for Learning (LGfL) and National Cyber Security Centre (NCSC) have warned.
The two bodies have published reports deriving from an audit on the issue, pointing to progress with cyber security measures but also emphasising the problems in maintaining defences; and LGfL’s lead official on the issue told UKAuthority there are structural problems for many schools.
Key findings of the audit – which involved responses from 432 schools in the second half of last year – include that 78% fell victim to at least one type of cyber incident during the year, with 7% suffering significant disruption; 21% suffered a malware or ransomware attack; 18% had periods with no access to important information; 26% had experienced email impersonation; and 73% had received fraudulent emails.
In addition, six reported parents losing money due to a cyber incident involving the school.
There were signs of increased awareness of cyber threats, with 53% saying they felt prepared for a cyber attack, 73% being aware of phishing, 55% having implemented training for non-IT staff and 90% having at least one of a cyber security register, risk register or business continuity plan.
But there were also shortcomings in plenty of schools, such as 26% not having implemented multifactor authentication, 25% continuing to allow limited staff access to USBs that could compromise systems, and 4% having no back-up facilities.
Varying capability
LGfL safeguarding and cyber security manager Mark Bentley told UKAuthority that a major part of the problem is that many schools have limited resources for ensuring cyber security measures are in place, that capability varies widely within the sector, and that there is often no strategic view of security.
“Even now cyber security in lots of schools is the technician, the network manager,” he said. “For example, a primary school may only have a technician in once a fortnight and they have a list of things to do with no strategic approach there.
“This is changing as the Department for Education is doing more, with cyber security standards coming out recently, and the general awareness is rising as there have been bad news stories. But even when you get that awareness the understanding and strategy level is not there.
“That’s something we’re working on supporting by helping out on template policies and training, to help schools understand the strategic issues and how to deal with them.”
He said that a multi-academy trust is likely to provide a centralised team to disseminate advice and best practice, and take decisions that will standardise the approach to cyber security among its schools.
But: “The local authority picture is a lot more mixed. If you compare the picture today to 15 years ago it was clear what a local authority school was, but these days a lot have moved out of local authority control and there are lots somewhere in between and there is not the same level of support.”
Compounding the problems
Bentley added that the disparate hardware and software systems used in schools, with their “natural vulnerabilities”, add to the problem, and that the financial squeeze, exacerbated by the recent surge in energy bills, is making it harder for them to devote resources to dealing with the threats.
LGfL – the edtech supplier that operates as a charity – aims to support schools by providing the strategic guidance and has outlined a number of crucial steps they should take within its report.
These are to: ensure they know how many devices they have and where they are; ensure all antivirus and other security software is up to date; get multifactor authentication in place; make sure the incident response plan works; and check on its updates to cyber security threats to schools.
Bentley said there is also a need to ensure that any new applications or changes to settings do not disrupt the workings of antivirus software, but also that all this has to be balanced with a need to maintain regular operations.
“Also you need to not just ramp up security but be prepared to look at whether you are locking things down too much,” he added. “Are we making it impossible to do your job? It will only work if you are giving alternatives.”
He expressed the overall message as: “Don’t panic but do think about it.”
NCSC emphasis
The NCSC report emphasises that schools rely heavily on a myriad of data, some of which is sensitive, and more remains to be done to support their cyber security.
Its deputy director for economy and society, Sarah Lyons, said: “Our schools rely so much on the myriad of data required to run efficiently - including sensitive data on students, parents, governors and staff - therefore more work must be done to support the cyber security around these essential services.
“That’s why the National Cyber Security Centre has been working with schools and the education sector to provide free tools and guidance to help schools manage their cyber risks effectively and supporting them to keep this valuable information safe.”