How to Write a School Cyber Security Policy

While there is a legal requirement for schools to provide a basic e‑safety and computer usage policy, there is no similar requirement for a cyber security policy. This doesn’t mean you shouldn’t have one. In fact, there are compelling reasons why you absolutely should.

We’ll outline these reasons and then describe how to write a school cyber security policy that is comprehensive, fit-for-purpose and achievable to implement. 

Why Should Schools Have a Cyber Security Policy?

Your policy will help you to clearly outline and follow best practice, to protect you from attack. Over three-quarters of UK schools have suffered one or more cyber incidents, according to the National Cyber Security Centre (NCSC) and the National Grid for Learning (NGfL).

While providing our cyber security service for schools and colleges, we’ve seen underprepared schools suffer the following (and much more):

  • Viruses spreading through every school PC, slowing down servers and making the whole IT estate virtually unworkable
  • Data theft from devices, including potentially highly sensitive information
  • Successful phishing campaigns, in which school teams have sent money to criminals
  • Encryption of shared files, and demands for ransoms to decrypt data

So far, so bad for schools that aren’t creating clear policies and procedures.

But there’s also a compelling insurance reason to create a policy, as outlined below.

Complying With Your Risk Protection Arrangement (RPA)

As you may know, the risk protection arrangement (RPA) was introduced to schools in 2014 to provide an alternative to commercial insurance for schools and academies. Currently, approximately 40% of eligible schools have joined and now pay less and suffer less admin burden as a result.

From April 2022, cyber cover was introduced to this RPA. It will also provide an Incident Response Service with a dedicated 24/7/365 Cyber Incident Breach Response hotline and email, as well as restoration, remediation and ongoing monitoring for cyber incidents.

This is fantastic news for schools who have RPA coverage but – as with all insurance – it does mean you have an obligation to show due diligence and best practice. Anything less could affect the support you receive.

Regardless of whether your school has RPA cover or not, having a cyber security policy is a really good idea if you’re serious about protecting your school’s data and information assets.

Says Georgia Shepherd, Product Delivery Lead for RPA Cyber in a post on the gov.uk website,

“Cyber security should be high on the agenda for any school with a reliance on IT and online systems. Whilst Cyber Essentials isn’t currently a condition for the RPA Cyber Cover, we are actively encouraging schools to work towards achieving Cyber Essentials as it is an industry baseline for cyber security.”

Which Cyber Policy Should Schools Have in Place?

There is no recommended policy for schools at the date of writing. 

However, we won’t leave you guessing when figuring out how to write a school cyber security policy. We’ll outline the key elements you should include to help ensure you follow best practice according to UK government advice.

What Should a School Cyber Security Policy Include?

The government has published cyber security standards for schools and colleges regarding cyber security, user accounts and data protection. If you closely follow these standards in your policy and your application, you will be extremely well-placed to meet the requirements of an insurer.

We’ve written a summary of the requirements below. You can also delve deeper at the gov.uk page ‘Meeting digital and technology standards in schools and colleges’ to find the technical requirements for your IT team or provider.

Here’s what you should cover:

Protecting all devices with boundary or software firewalls

When you properly configure a firewall, you repel many attacks. A firewall also makes it more difficult for scammers to scan for hacking targets.

Logging all network devices and ensuring their security features are enabled, correctly configured and up to date

Scammers are constantly looking for weak links, which may well be a device not configured correctly for security. By tracking all devices methodically – and ensuring correct security – you remove opportunities for attack.

Applying the principle of least privilege to properly authenticated accounts

Accounts with extensive admin access are extremely valuable to cyber criminals. Only give users the access they need to undertake the role – and nothing more.

Using multi-factor authentication (MFA) for sensitive accounts

For any accounts holding data that would have a serious impact on your establishment, use MFA.

Using anti-malware software to protect all devices in your network

You will need protection against general malware and viruses.

Checking the security of all applications

Protocols should be in place to ensure your IT provider checks all apps for malware.

Ensuring all devices and software are correctly licensed and patched with the latest security updates

Unlicensed or unsupported hardware and software is a significant security risk.

Correctly backing up data

Have at least three backup copies of important data, one of which must be offline.

A contingency plan for a cyber attack

This should appear in your business continuity and disaster recovery plan.

Reporting serious cyber attacks

Report serious attacks so that perpetrators can be found and countermeasures identified.

Conducting a Data Protection Impact Assessment for personal data held, as per GDPR

Protecting sensitive data is vital for staff and students. This is a mandatory exercise and must be completed.

Training staff

All staff with access to IT networks should have an understanding of the basics of cyber security.

What Should You Do Next?

This post should give you a topline understanding of how to write a school cyber security policy – and why it’s important you do so.

You can look at the full recommendations from the UK government to help create your policy.

We also have a FREE cyber security policy template available for you to download. 

Just enter your email in the box below for your FREE template. 


Or you can talk to a cyber security provider such as Intersys.

An ISO 27001-certified provider, we deliver cyber security for highly regulated industries and not-for-profits. We have helped schools with cyber security for over 20 years and can help draft and implement a cyber security policy. We can also undertake any work required to ensure you follow your own policy’s recommendations. This includes:

  • Security assessments of your infrastructure
  • Suggestions for remedial actions
  • Staff training
  • Breach response

We understand the constraints on schools and can provide these services within your budget.

Call us on 020 3005 4440 for more information. 

Intersys provides specialist IT support for schools, cyber security services for schools and colleges, and data breach support for schools. We also offer Impero Education Pro software, which is a sophisticated security solution for schools, and help schools buy laptops and devices at preferential prices.

Take a look at a:

Cyber breach response for schools case study

Schools managed IT support case study
