Cybersecurity: why schools need to follow the new DfE guidelines

The Department for Education (DfE) released its cybersecurity standards today, building on the four digital and technology guidelines released in March that outline how schools and colleges can meet standards for IT services and digital equipment.

It’s hard to imagine that many schools, colleges or trusts would be foolhardy enough to ignore these new standards. They provide the cybersecurity foundation that all institutions must implement if they want to ensure that their data and systems are secure.

Cybersecurity attacks against schools

The impact of a successful cyberattack on a school, college or trust can be profound. In March 2021, four academy trusts were the subject of successful attacks, the largest being that of the Harris Federation: it cost over £500,000 to restore its systems to normal due to the time taken to clean and check all appliances.

Beyond the financial cost, there are other serious implications. These include the impact on teaching and learning, as resources become inaccessible; inability to pay staff; loss of MIS/HR data; and the need to devote time and energy to improving student achievement.

Additionally, the well-being of students and staff suffers, as they worry about the loss of course and exam data. Any cyberattack not only carries the risk of losing data, but also the potential threat of financial and personal information being leaked onto the dark web and used for identity theft or fraud.

The theft of sensitive information through compromised credentials, email addresses and passwords is a more insidious threat. The user may not even know that they have given someone access to all their emails and files.

If that person is in IT or senior management, cybercriminals can obtain very sensitive information, which leads to significant security issues, as data can be downloaded automatically once someone has their “phished” password.

That’s why United Learning implemented Multi-Factor Authentication (MFA), and I can’t stress enough how important it is for all schools and colleges to implement it urgently. The risks of not doing so so far outweigh the challenges of implementing it, and this is a key part of the DfE standards.

Evolution of technology and threats

The threats we face will continue to evolve, and the standards will no doubt evolve with them, just as some years ago we saw ransomware, then the main threat, give way to credential theft as we all moved to the cloud.

With the wider adoption of MFA access from home and personal devices, I anticipate that ransomware and the compromise of end-user devices will once again become more of an issue. Wider adoption of individual devices and bring-your-own-device (BYOD) programs for students will also increase the risk to school and college systems and their data.

Everyone should be aware that their own students can pose a threat, whether by using readily available hacking tools, by resorting to cheap denial-of-service attacks to bring down the school's internet connection or website, or by shoulder-surfing senior leaders to find passwords that give access to school systems.

Cybersecurity is a leadership issue

Cybersecurity standards provide a clear set of achievable benchmarks that will allow IT teams and their managers to ensure that they have taken sufficient steps to protect their systems and data.

Along with guidance on the National Cyber Security Centre (NCSC) website, the standards should help shape the conversations governors have with executives, and leaders have with their IT teams or third-party vendors, to better understand the risks and the mitigations already in place.

The lesson we need to learn from recent cyberattacks on schools and colleges is this: if an educational institution suffers a successful attack, the impact on learners and staff will be significant and could last for weeks.

Implementing the standards will not stop attempted attacks, but will reduce their likelihood and limit their impact.

Wargaming a cyberattack

Cybersecurity should be considered a key part of normal work practices: checking old passwords, patching devices, or training in cybersecurity. If the policies and practices developed from the standards are implemented effectively, technical teams shouldn’t have sleepless nights.

However, preparing for an incident and developing a “game plan” to deal with an attack is as important as setting up the defences.

NCSC’s “exercise in a box” provides IT teams and their management with scenarios to develop incident management plans, as well as identify potential gaps in their cybersecurity strategy.

At United Learning, we used it to refine how we would respond to an incident and it identified areas of weakness, such as in our BYOD policy or not having hard copies of key documents.

I urge everyone reading this, especially those in leadership positions, to review their cybersecurity standards with their IT teams.

It is essential that you determine what measures are necessary to meet the standards, as they provide an essential benchmark for you to measure the safety and security of your data and systems.

If you fail to implement the standards, even during the current financial difficulties, you expose yourself and your educational institutions to financial and data loss, reputational damage, loss of learning and a significant impact on student achievement.

James Garnett is Director of IT at the United Learning Multi-Academy Trust