Changing government policies, panicked parents and general misinformation. When combined it doesn’t just put schools that are working through COVID-19 between a rock and hard place, but under the microscope too.
As education moved into the home, parents and guardians quickly got to grips with the importance of internet and online learning as part of their children’s education. Alongside access to online resources, the importance of good cybersecurity practices became a prominent talking point.
With schools opening back up, it’ll be easier for teachers to deliver fairer access and ensure e-safety is observed, but all educational institutions must stay alert to potential cyber threats - and be willing to put best practices in place to avoid the loss of vital resources or exposure of sensitive student data.
Threats against schools are well documented. Like any other institution, they face countless cyber security attacks each year. In Beaming’s latest report on cyber threats to UK organisations, 51 per cent of educators surveyed reported falling victim to a cyber attack within the last year.
With the nature of cyber threats constantly shifting, it’s important to understand what you’re up against and how to tackle the problems: by training teachers, educating students and ensuring the technology you use to defend yourself is working at its best.
Where are the threats?
In 2019 there were two leading forms of cyber attack against schools. One in five suffered a successful phishing attack while just under a fifth were exposed to malware, designed to disrupt or damage a computer system with viruses. It’s crucial to understand the consequences of these forms of attack - particularly with where your responsibility as an educator lies in accordance with the latest government regulations.
In one form of phishing attack, criminals send fraudulent emails that look like they are from a reputable source to dupe victims into granting access to malware or divulging sensitive information. Personal data can be stolen, exposed and even put up for sale on the Dark Web.
Under new GDPR rules, organisations can be fined if they fail to take adequate steps to secure their systems against this. The Information Commissioner has warned that unauthorised access to personal information would be particularly harmful to pupils, parents and staff; people with a right to seek compensation if the loss of their personal data caused them damage.
The risk is also financial. As well as a responsibility to protect ‘special category’ data under GDPR regulation (religious beliefs and medical history of students), schools receiving money from parents - for fees or additional service such as after-school care - must secure the financial details of parents and guardians. Action Fraud, the UK cybercrime and fraud reporting centre has warned schools to be wary of cybercriminals claiming to be from the ‘Department of Education’. This followed a series of incidents in which bogus emails were used to infect school computer systems with malicious software that prevented legitimate users from accessing them.
As well as appearing in phishing emails, malware can also take the form of Trojans, innocuous seeming programs that are downloaded with the virus hidden inside. Ransomware is a particular form of malware that could heavily punish schools.
Once downloaded, it blocks access to computer systems or software until a ransom is paid. With schools making greater use of technology and the internet, any successful attempts to block access will have a real and immediate impact on students’ learning.
Working on a solution
Teachers and students are exposed to threats like these in different ways. Without a ‘silver bullet’ to address any potential problems, schools have to weigh up policy, education and investment into hardware and software solutions in equal measure.
Educators must understand their role in upholding good cyber security practices at school. The Department for Education (DfE) suggests that “as part of the requirement for staff to undergo regularly updated safeguarding training…online safety training should be integrated, aligned and considered as part of the overarching safeguarding approach.” Phishing relies on a target’s naivety. Educating all staff on how to spot this danger is the best way of guarding against it.
Governmental guidance already requires that a member of the senior leadership team is made responsible for safeguarding in schools. Cybersecurity and online safety should be seen as a serious part of this, with appropriate policies implemented and enforced by the senior leadership team itself.
While putting restrictive measures in place is good, schools must also educate kids on the dangers of poor cyber security practices. The DfE states how schools should “ensure that children are taught about safeguarding, including online safety. Schools should consider this as part of providing a broad and balanced curriculum.”
Education should extend to personal devices like mobile phones. Although this is less of an issue at key stages 1 and 2, primary schools should have clear policies around mobile technology and how it is used. Students should be taught about acceptable use of personal devices, how they interact with each other on social media and where to turn for help.
Taking steps to improve cybersecurity doesn’t always mean investment into expensive technologies. Something as simple as regularly updating the hardware and software being used on a school’s network can help. Implemented updates and patches as soon as they’re released by manufacturers helps to avoid falling victim to old insecurities.
Physical security can also safeguard against loss of data or access. Having backups of the information on a school’s system protects against ransomware but it’s crucial that these physical devices are encrypted, preventing information from being accessed in the event of loss or theft.
It’s as important as ever to be serious about cyber security. After all, it has the same end goal as any other safeguarding policy: to keep school a safe place for kids to learn and grow.
Here’s what you can do
Three measures schools can put in place to improve cyber safeguarding:
- Schools should monitor all of their systems continuously and analyse them for unusual activity that could indicate an attack. Criminal incidents should be reported to the police and other relevant authorities.
- Third-party providers should be checked thoroughly not just for legitimacy but for commitment to cybersecurity. Vulnerabilities can sneak in through a supply chain, so any external organisations you work with should be as committed as you.
- Establish effective processes for managing user privileges to their systems to minimise the risk of deliberate and accidental attacks.
- Users should be provided with the minimum level of access they need to do their job. When staff members leave, their access should be revoked promptly. All records should be kept up to date to prevent exploitation of old accounts.
Sonia Blizzard, managing director of Beaming, an independent Internet Service Provider offering high-performance connectivity and managed services to thousands of organisations across the UK.