The Academy Trust Handbook 2021: Your Cyber Security Questions Answered

One of the biggest concerns for schools, academies and MATs right now is cyber security. This is partly because of the increase in fraud: the National Cyber Security Centre has revealed an increase in ransomware attacks on schools. It’s also because the Academy Trust Handbook 2021 (also known as the Academy Financial Handbook) makes the need for robust cyber security one of its key recommendations.

In the preface to the handbook, Baroness Berridge, parliamentary under secretary of state for the school system, alludes to the ‘devastating effects’ ransomware can have on organisations and individuals, and the work the department does to ‘help trusts protect themselves’.

In this post, we look at what the handbook says about cyber security, what your responsibilities are, and where you can get help.

What does the Academy Trust Handbook say about cybercrime?

Two key paragraphs in the handbook specifically relate to cyber security.

  • 6.16 Academy trusts must also be aware of the risk of cybercrime, put in place proportionate controls and take appropriate action where a cyber security incident has occurred.
  • 6.17 Trusts must obtain permission from ESFA to pay any cyber ransom demands. ESFA supports the National Crime Agency’s recommendation not to encourage, endorse, or condone the payment of ransom demands. Payment of ransoms has no guarantee of restoring access or services and is likely to result in repeat incidents.

What does this mean for my Academy?

Point 6.17 is a fairly simple protocol. Ensure you contact the ESFA before considering paying a ransom. This is important because complying with ransom demands encourages criminals and creates a vicious circle of attack, payment, attack.

Point 6.16 requires a bit more unpacking. First we’ll look at what the risks actually are and then the ‘proportionate controls’ and ‘appropriate actions’ you can take in response.

The risk of cyber crime for schools

A report from August 2021 suggests that the UK’s education sector has seen a 93% increase in cyber attacks. Some commentators have referred to a school ‘cybercrime epidemic’.

The reason for this spike appears to be twofold. Firstly, attackers are turning away from larger organisations, which have solid security controls, and focusing their attention on smaller institutions that may be less well protected. Many schools, unfortunately, fit into this category.

Meanwhile, the pandemic has massively increased what cyber security experts call the ‘attack surface’. Students and teachers working remotely may have insufficient security, and this gives criminals the opportunity to launch devastating strikes.

As for the consequences, schools can lose essential files and data or be unable to teach for a period of time. Most educators don’t need to stretch their imaginations very far to see how devastating this outcome would be.

For any under-prepared school, this potential threat requires an immediate response through the implementation of solid cyber security protocols.

How can I implement ‘proportionate controls and actions’ to protect against cyber attacks?

You will need a comprehensive strategy and cyber security plan. If you don’t have one, or if you suspect it is less than comprehensive, ask yourself these fundamental cyber security questions.

  • Do I know who coordinates IT within my school?
  • Do the school’s governance and IT policies emphasise the importance of good cyber security?
  • Do I know the location of our most critical digital estate and am I sure it is secure?
  • Does the school have a data backup and restoration plan?
  • Have the changes in our IT approach since COVID-19 (for instance, home and blended learning solutions, and remote access) been complemented with appropriate cyber security measures?
  • Do we train staff on good cyber security and threat awareness?
  • Does the school know whom to contact in the event of a breach?

A risk based approach

A response considered proportionate by many organisations is to formally assess risks. Determining the likelihood and impact of breaches in a Risk Assessment, and presenting this within a Cyber Security Risk Register, creates clear evidence that you can use to demonstrate (for example, for School Governance and for HMI – Her Majesty’s Inspectors) that you have approached compliance in a methodical way.

Where can I get further help?

While your IT department may do a brilliant job keeping your Multi Academy Trust or individual school’s IT up and running, they are unlikely to have the expertise or resources to deal with sophisticated cyber security threats.

If you want to comply with the spirit and letter of the cyber security requirements as stated in the Academy Trust Handbook 2021, we recommend you work with a cyber security specialist.

When searching for a partner, you should look out for relevant cyber security accreditations, including ensuring that your partner holds UKAS accredited ISO27001 certification. You should also look for a track record of working with schools.

Once you are assured a provider has the relevant accreditations and experience, talk to them about their methodology for implementing cyber security in your school. Broadly speaking, this should include:

  • A cyber security audit for schools, to review your current set up, search for flaws, and recommend improvements (including ensuring you are fully compliant). This may include a Cyber Security Risk Assessment, which you can incorporate into your existing Risk Register.
  • Cyber security policies, including a formal breach and response plan
  • Ongoing protection, including 24/7 monitoring of networks and up to date anti-virus and anti-malware software
  • User awareness training
  • Breach response, to investigate, limit and rectify damage in accordance with all relevant rules and legislation

In conclusion

The guidance in the Academy Trust Handbook 2021 makes it clear what the Department for Education expects from schools. Whether you choose Intersys or another provider, we strongly recommend you don’t delay on implementing or updating your cyber security plan. The alternative, in terms of lost data, delays in learning, or potential ransom payments, is unthinkable.

Intersys is a cyber security provider that specialises in providing complete security solutions for schools and colleges. Find out more about our cyber security services for schools. Or get in touch now and talk to us about how we can help.