One of the biggest concerns for schools, academies and MATs right now is cyber security. This is partly because of the increase in fraud: the National Cyber Security Centre has revealed an increase in ransomware attacks on schools. It’s also because the Academy Trust Handbook 2021 (also known as the Academy Financial Handbook) makes the need for robust cyber security one of its key recommendations.
In the preface to the handbook, Baroness Berridge, parliamentary under secretary of state for the school system, alludes to the ‘devastating effects’ ransomware can have on organisations and individuals, and the work the department does to ‘help trusts protect themselves’.
In this post, we look at what the handbook says about cyber security, what your responsibilities are, and where you can get help.
What Does the Academy Trust Handbook Say About Cyber Crime?
Two key paragraphs in the handbook specifically relate to cyber security.
- 6.16 Academy trusts must also be aware of the risk of cybercrime, put in place proportionate controls and take appropriate action where a cyber security incident has occurred.
- 6.17 Trusts must obtain permission from ESFA to pay any cyber ransom demands. ESFA supports the National Crime Agency’s recommendation not to encourage, endorse, or condone the payment of ransom demands. Payment of ransoms has no guarantee of restoring access or services and is likely to result in repeat incidents.
What Does this Mean for My Academy?
Point 6.17 is a fairly simple protocol: make sure you contact the ESFA before considering paying a ransom. This is important because complying with ransom demands encourages criminals and creates a vicious circle of attack, payment, attack.
Point 6.16 requires a bit more unpacking. First we’ll look at what the risks actually are and then the ‘proportionate controls’ and ‘appropriate actions’ you can take in response.
The Risk of Cyber Crime for Schools
A report from August 2021 suggests that the UK’s education sector has seen a 93% increase in cyber attacks. Some commentators have referred to a school ‘cybercrime epidemic’.
The reason for this spike appears to be twofold. Firstly, attackers are turning away from larger organisations, which have solid security controls, and focusing their attention on smaller institutions that may be less well protected. Many schools, unfortunately, fit into this category.
Meanwhile, the pandemic has massively increased what cyber security experts call the ‘attack surface’. Students and teachers working remotely may have insufficient security, which gives criminals the opportunity to launch devastating strikes.
As for the consequences, schools can lose essential files and data or be unable to teach for a period of time. Most educators don’t need to stretch their imaginations very far to see how devastating this outcome would be.
For any under-prepared school, this potential threat requires an immediate response through the implementation of solid cyber security protocols.
How Can I Implement ‘Proportionate Controls and Actions’ to Protect Against Cyber Attacks?
You will need a comprehensive strategy and cyber security policy. If you don’t have one, or if you suspect it is less than comprehensive, ask yourself these fundamental cyber security questions.
- Do I know who coordinates IT within my school?
- Do the school’s governance and IT policies emphasise the importance of good cyber security?
- Do I know the location of our most critical digital estate and am I sure it is secure?
- Does the school have a data backup and restoration plan?
- Have the changes in our IT approach since COVID-19 (for instance, home and blended learning solutions, and remote access) been complemented with appropriate cyber security measures?
- Do we train staff on good cyber security and threat awareness?
- Does the school know whom to contact in the event of a breach?
A Risk-Based Approach
One response that many organisations consider proportionate is to assess risks formally. Determining the likelihood and impact of breaches in a Risk Assessment, and presenting this within a Cyber Security Risk Register, creates clear evidence that you can use to demonstrate (for example, for School Governance and for HMI, Her Majesty’s Inspectors) that you have approached compliance in a methodical way.
Where Can I Get Further Help?
While your IT department may do a brilliant job keeping your Multi Academy Trust or individual school’s IT up and running, they are unlikely to have the expertise or resources to deal with sophisticated cyber security threats.
If you want to comply with the spirit and letter of the cyber security requirements as stated in the Academy Trust Handbook 2021, we recommend you work with a cyber security specialist.
When searching for a partner, you should look out for relevant cyber security accreditations, including ensuring that your partner holds UKAS accredited ISO27001 certification. You should also look for a track record of working with schools.
Once you are assured a provider has the relevant accreditations and experience, talk to them about their methodology for implementing cyber security in your school. Broadly speaking, this should include:
- A cyber security audit for schools, to review your current setup, search for flaws, and recommend improvements (including ensuring you are fully compliant). This may include a Cyber Security Risk Assessment, which you can incorporate into your existing Risk Register.
- Cyber security policies, including a formal breach and response plan. If you need help with this, here is a link to our own resource — how to write a cyber security policy for schools
- Ongoing protection, including 24/7 monitoring of networks and up to date anti-virus and anti-malware software
- User awareness training
- Breach response, to investigate, limit and rectify damage in accordance with all relevant rules and legislation
In Conclusion
The guidance in the Academy Trust Handbook 2021 makes it clear what the Department for Education expects from schools. Whether you choose Intersys or another provider, we strongly recommend you don’t delay in implementing or updating your cyber security plan. The alternative, in terms of lost data, delays in learning, or potential ransom payments, is unthinkable.
Intersys provides IT support for all schools and colleges, cyber security services for the education sector, and schools data breach support. We also offer the software Impero Education Pro, which is a sophisticated security solution for schools, and help procure laptops and devices for schools at preferential prices.