
7 Cyber Security Standards for Schools and Colleges

Cyber criminals deliberately seek unauthorised access to your school or college's network in order to steal, alter or damage data, or to disrupt the systems that teaching depends on.

For any school or college, a cyber attack can have substantial operational and financial repercussions with long-lasting effects. These include:

  • Safeguarding issues if student information is accessed
  • Operational disruption, including school or college closure
  • Impact on student learning and results
  • Other schools or colleges in your organisation being affected, for example the rest of a Multi-Academy Trust
  • Damage to reputation

To help defend against cyber crime, the Department for Education (DfE) recommends a set of cyber security standards that all schools and colleges should meet in order to build and maintain their cyber resilience.

You will need input from various departments within your school or college to action these cyber security standards, including your Head Teacher, Senior Leadership Team (SLT), IT Support Team and Data Protection Officer (DPO).

If you are part of a Multi-Academy Trust, you should consult with your central team when thinking about cyber security support as you may have to follow set protocols.

7 Cyber Security Standards All Schools or Colleges Should Abide By
  1. Conduct termly and annual cyber risk assessments

Understanding the risks associated with your school or college’s hardware, software and data enables you to defend against potential cyber threats or incidents.

By conducting termly and annual cyber risk assessments, you will be able to identify weaknesses and put processes in place to reduce risk within your school or college, which helps keep students and staff safe.

If your school or college does not have the required IT expertise in-house, you will need to consult with an external IT Support Provider who will be able to assist with the requirements of this standard.

For this cyber security standard, the SLT Digital Lead and your IT Support Team will evaluate your digital technology assets and the cyber security risks associated with them. You will need to ensure that all of your school or college's digital technology is licensed, appropriately supported and kept up to date.

You will also need to work with your school or college's Data Protection Officer (DPO) to consider data processing, determine who needs access and agree permissions. For new and existing systems that store or process personal or sensitive data, you should complete a record of processing activities (ROPA). Decide who needs access to what, and grant access and permissions only to those who need them.

At this stage, you should also review your cyber security solutions. As a minimum, you should ensure that your email security is adequate and that your password policy is followed by everyone.

  2. Cyber awareness education for staff and students

Educating your staff and students on how to stay secure whilst using digital technology is the second cyber security standard for your school or college to implement. Providing continuous cyber security training will empower your staff and students to recognise typical cyber threats, reducing the chances of them falling victim to an attack.

Creating a positive security culture within your school or college will help everyone feel comfortable discussing cyber security and reporting cyber threats. This means incidents are identified quickly, which keeps students and staff safe.

Training should be tailored to your school or college and to the age group. When providing cyber security training, you should cover, among other things, the social engineering techniques cyber criminals use to trick people into handing over personal information, phishing attacks, how to create a strong password, staying safe online and the importance of using multi-factor authentication.

Many schools and colleges do not have the expertise in-house, therefore it is important to seek security awareness guidance from an external IT support provider when you are planning how you should implement cyber security training.

  3. Anti-malware and firewall protection

Anti-malware and firewall protection are crucial for schools and colleges because they safeguard your systems from malicious attacks, helping to prevent data breaches and unauthorised access. They help keep personal and sensitive information secure and maintain the overall integrity of your network.

As part of this cyber security standard, your IT Support Team will need to implement the following:

  • A properly configured firewall at the network boundary
  • Robust endpoint security so that every device is protected
  • Anti-malware software installed on all devices, monitored and updated when required
  • Control over which applications can be downloaded or installed on devices on your network
  • A ban on USB storage devices, except in specific circumstances such as an examination board requiring them

This is a brief list of actions your IT Support Team should take. If you are unsure on whether you have the right set up to help keep your school or college secure, you should seek professional guidance.

If your school or college has been provided with a firewall as part of your broadband connection, you will need to contact your broadband provider to confirm what it covers and who is responsible for managing it.

Alternatively, if you would like to find out about our Managed Firewall or other Cyber Security Solutions and let us take care of everything for you, please get in touch with our team who will be happy to guide you on this journey.

  4. Manage controls for user accounts

Part of safeguarding your school or college is ensuring that students, staff and third parties only have access to the things they need. Giving everyone access to everything puts your users and data at risk; restricting each account to what its role requires limits the damage that a compromised or misused account can do.

If you do not appropriately manage controls for user accounts, this could lead to a significant breach or major disruption, and your insurer may decline a claim if you did not put appropriate measures in place.

As part of this cyber security standard, your DPO may need to complete a data protection impact assessment and advise on compliance with data protection legislation. Your school or college will also need to define its internal process for new starters and leavers, so that accounts are created, changed and removed promptly. As a priority, you should have a password policy in place and enforce multi-factor authentication for all logins.
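The starters-and-leavers process and the MFA requirement above are only as good as the check that enforces them. The following Python script is an added example (it is not code from the original page or from any identity product) that reconciles a constructed MIS/HR roster against a constructed directory export and lists the accounts that need attention: enabled accounts whose owner has left, accounts with no recorded owner, accounts without MFA (flagging admin accounts separately), dormant accounts, and active people who have no account yet. The field names, the sample records and the 90-day dormancy threshold are assumptions for the example; a real export from your identity provider or MIS will differ.

```python
from datetime import date, timedelta

# Constructed MIS/HR roster export for this example (not real data): the people
# who are entitled to an account today.
ROSTER = [
    {"person_id": "P001", "name": "A. Teacher", "status": "active"},
    {"person_id": "P002", "name": "B. Admin",   "status": "active"},
    {"person_id": "P003", "name": "C. Leaver",  "status": "left"},
    {"person_id": "P004", "name": "D. Starter", "status": "active"},
]

# Constructed directory export (what your identity provider actually holds).
# Field names are assumptions for the example.
DIRECTORY = [
    {"username": "ateacher",  "person_id": "P001", "enabled": True, "mfa": True,  "admin": False, "last_login": "2025-08-30"},
    {"username": "badmin",    "person_id": "P002", "enabled": True, "mfa": False, "admin": True,  "last_login": "2025-08-29"},
    {"username": "cleaver",   "person_id": "P003", "enabled": True, "mfa": True,  "admin": False, "last_login": "2025-05-01"},
    {"username": "svc-print", "person_id": None,   "enabled": True, "mfa": False, "admin": False, "last_login": None},
]


def audit_accounts(roster, directory, today, dormant_days=90):
    """Return (account, issue, detail) tuples for everything the joiner/leaver
    and MFA process should have dealt with but has not."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    cutoff = today - timedelta(days=dormant_days)
    active_people = {p["person_id"] for p in roster if p["status"] == "active"}
    linked_people = {a["person_id"] for a in directory if a["person_id"]}
    findings = []

    for acct in directory:
        if not acct["enabled"]:
            continue  # a disabled account is the desired end state for a leaver
        user, pid = acct["username"], acct["person_id"]

        if pid is None:
            findings.append((user, "orphan", "no owner recorded; assign an owner or disable"))
        elif pid not in active_people:
            findings.append((user, "leaver_enabled", "owner has left but the account is still enabled"))

        if not acct["mfa"]:
            detail = "admin account without MFA" if acct["admin"] else "no MFA enrolled"
            findings.append((user, "no_mfa", detail))

        last = acct["last_login"]
        if last is None or date.fromisoformat(last) < cutoff:
            findings.append((user, "dormant", f"no login since {last or 'never'}"))

    # New starters who are on the roster but have never been provisioned.
    for pid in sorted(active_people - linked_people):
        findings.append((pid, "not_provisioned", "active person with no account"))
    return findings


if __name__ == "__main__":
    for account, issue, detail in audit_accounts(ROSTER, DIRECTORY, "2025-09-01"):
        print(f"{account:10} {issue:16} {detail}")
```

Run against the sample data on 1 September 2025 it reports the leaver whose account is still live, the service account with no owner, the admin account without MFA, two dormant accounts and one unprovisioned starter. The same loop can be fed a real CSV export each term as part of the risk assessment.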

Providing cyber security awareness training that explains why user account controls matter and what the repercussions of a cyber attack are will help staff and students understand the reasons for the controls and will encourage a positive security culture within your school or college.

  5. License and keep digital technology up to date

Software programs, operating systems and applications running on your devices, servers and cloud services are all classed as digital technology and must all be licensed.

Your IT Support Team should keep an asset register and a mobile device management (MDM) system that record the end-of-support date for each device's operating system. Each term, SLT should be told which technology is about to become unsupported and which already has.
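As an added example (not code from the original page or from any MDM product), the following Python script produces the termly report described above from a constructed asset register: it flags devices whose operating system is already unsupported, those whose support ends within the coming term, those with no end-of-support date recorded at all, and those with no licence recorded. The CSV column names, the sample rows and the 120-day look-ahead are assumptions for the example; the end-of-support dates in the sample are illustrative and should always be confirmed against the vendor's own lifecycle pages.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample asset register (not real school data). Column names are an
# assumption for this example; a real register or MDM export will differ, and
# the dates shown should be checked against the vendor's lifecycle pages.
ASSET_REGISTER_CSV = """\
asset_id,device,os,os_version,end_of_support,licensed
LAP-0001,Staff laptop,Windows,10 22H2,2025-10-14,yes
LAP-0002,Staff laptop,Windows,11 23H2,2026-11-10,yes
SRV-0001,File server,Windows Server,2012 R2,2023-10-10,yes
TAB-0010,Student tablet,iPadOS,16,,no
PC-0003,ICT suite PC,Windows,11 23H2,2026-11-10,no
"""


@dataclass
class Finding:
    asset_id: str
    issue: str    # one of: unsupported, expiring, no_eos_date, unlicensed
    detail: str


def parse_register(text):
    """Read the register export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def review_register(rows, today, lookahead_days=120):
    """Flag assets that are unsupported, lose support within lookahead_days
    (roughly one term), have no end-of-support date, or have no licence."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    horizon = today + timedelta(days=lookahead_days)
    findings = []
    for row in rows:
        asset = row["asset_id"]
        platform = f"{row['os']} {row['os_version']}"
        eos_raw = row["end_of_support"].strip()
        if not eos_raw:
            # Unknown support status is itself a risk: nobody is tracking it.
            findings.append(Finding(asset, "no_eos_date",
                                    f"{platform}: end-of-support date not recorded"))
        else:
            eos = date.fromisoformat(eos_raw)
            if eos < today:
                findings.append(Finding(asset, "unsupported",
                                        f"{platform}: unsupported since {eos}"))
            elif eos <= horizon:
                findings.append(Finding(asset, "expiring",
                                        f"{platform}: support ends {eos}"))
        if row["licensed"].strip().lower() != "yes":
            findings.append(Finding(asset, "unlicensed", "no licence recorded"))
    return findings


def summarise(findings):
    """Count findings per issue type for the SLT summary line."""
    counts = {}
    for finding in findings:
        counts[finding.issue] = counts.get(finding.issue, 0) + 1
    return counts


if __name__ == "__main__":
    report = review_register(parse_register(ASSET_REGISTER_CSV), "2025-09-01")
    for finding in report:
        print(f"{finding.asset_id:9} {finding.issue:12} {finding.detail}")
    print(summarise(report))
```

Devices with a blank end-of-support date are reported rather than silently skipped, because an asset nobody is tracking is exactly the one that ends up running unsupported software unnoticed.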

Licensed digital technology receives updates and upgrades that improve the user experience and, more importantly, the security patches that keep it secure.

If you fail to license or update your digital technology, your school or college's devices may not run properly, or at all, which will disrupt teaching. Running unlicensed software breaches your licensing agreement, and running unpatched software leaves you open to a cyber attack.

  6. Establish your backup plan

Backup and Disaster Recovery Solutions are vital for schools and colleges to ensure the continuity of educational operations and the safeguarding of critical data, such as student records, academic materials and administrative data.

If the worst-case scenario occurred and your school or college was hit by a cyber attack or a hardware failure, a robust backup and recovery solution would allow you to restore systems and data in a controlled way.

To meet this cyber security standard, first understand what your current backup plan looks like and whether it needs improving. You must consider what data is backed up and how often, how many copies are kept and where they are stored, how the backups are taken, how often they are tested to confirm they can actually be restored, and what the restoration process is and how long it would take. Bear in mind that a backup which is permanently reachable from the network can be encrypted or deleted in the same ransomware attack as the live data, so at least one copy should be kept offline or otherwise out of an attacker's reach.
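Those questions can be turned into a check that runs against your backup software's job reports. The Python below is an added example (not code from the original page or from any backup product) that assesses a constructed backup catalogue against a simple policy: the newest successful copy of each dataset must be recent enough, there must be enough copies, at least one must be off-site, at least one must be immutable or offline so that a ransomware attack cannot reach it, and a restore must have been tested recently. The catalogue layout, the sample datasets and the policy thresholds are assumptions for the example; set your own thresholds from the recovery point and recovery time your school or college can actually tolerate.

```python
from datetime import datetime

# Policy thresholds (assumptions for this example; set yours from the data loss
# and downtime your school or college can actually tolerate).
BACKUP_POLICY = {
    "max_age_hours": 24,                # newest successful copy must be no older than this
    "min_copies": 3,                    # total copies of each dataset
    "min_offsite": 1,                   # copies held away from the main site
    "min_immutable": 1,                 # copies an attacker on the network cannot alter or delete
    "max_days_since_restore_test": 90,  # a backup that has never been restored is only a hope
}

# Constructed backup catalogue (not real data). A real one would be built from
# the job reports produced by your backup software.
BACKUP_CATALOGUE = [
    {
        "dataset": "MIS database",
        "copies": [
            {"location": "onsite NAS",               "last_success": "2025-09-01T02:10", "offsite": False, "immutable": False},
            {"location": "cloud bucket, object lock", "last_success": "2025-09-01T02:40", "offsite": True,  "immutable": True},
            {"location": "offline tape",             "last_success": "2025-08-29T18:00", "offsite": True,  "immutable": True},
        ],
        "last_restore_test": "2025-07-15",
    },
    {
        "dataset": "Staff shared drive",
        "copies": [
            {"location": "onsite NAS", "last_success": "2025-08-28T02:10", "offsite": False, "immutable": False},
        ],
        "last_restore_test": None,
    },
]


def _as_datetime(value):
    """Accept ISO 8601 strings (date or date-time) or datetime objects."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def assess_dataset(entry, now, policy=BACKUP_POLICY):
    """Return the list of policy gaps for one dataset; an empty list means compliant."""
    now = _as_datetime(now)
    copies = entry["copies"]
    gaps = []

    newest = max(_as_datetime(c["last_success"]) for c in copies)
    age_hours = (now - newest).total_seconds() / 3600
    if age_hours > policy["max_age_hours"]:
        gaps.append(f"newest successful copy is {age_hours:.0f}h old (limit {policy['max_age_hours']}h)")

    if len(copies) < policy["min_copies"]:
        gaps.append(f"only {len(copies)} copy/copies kept (need {policy['min_copies']})")
    if sum(1 for c in copies if c["offsite"]) < policy["min_offsite"]:
        gaps.append("no off-site copy")
    if sum(1 for c in copies if c["immutable"]) < policy["min_immutable"]:
        gaps.append("no immutable or offline copy; ransomware on the network could reach every backup")

    tested = entry["last_restore_test"]
    if tested is None:
        gaps.append("restore has never been tested")
    else:
        days = (now.date() - _as_datetime(tested).date()).days
        if days > policy["max_days_since_restore_test"]:
            gaps.append(f"last restore test was {days} days ago (limit {policy['max_days_since_restore_test']})")
    return gaps


def assess_catalogue(catalogue, now, policy=BACKUP_POLICY):
    """Map each dataset name to its list of policy gaps."""
    return {entry["dataset"]: assess_dataset(entry, now, policy) for entry in catalogue}


if __name__ == "__main__":
    for dataset, gaps in assess_catalogue(BACKUP_CATALOGUE, "2025-09-01T08:00").items():
        print(f"{dataset}: {'compliant' if not gaps else ''}")
        for gap in gaps:
            print(f"  - {gap}")
```

With the sample data the MIS database passes every check, while the staff shared drive fails all five: its only copy is four days old, sits on the same site and network as the live data, and has never been restored. That is the kind of gap the review in this standard is meant to surface before an incident does.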

If you do not have an adequate backup plan or in-house IT resource to provide you with one, outsourcing to an IT Support Provider to help with your Backup and Disaster Recovery is recommended.

  7. Cyber attack reporting

Providing cyber security training within your school or college is not only to make staff and students feel confident about spotting cyber threats, but it is also about creating a positive security culture where everyone feels comfortable reporting cyber incidents that take place.

It is your school or college’s responsibility to ensure staff and students understand the internal processes of reporting an incident or attack to help keep your data secure and safe.

Once an incident is reported, an investigation should begin immediately to assess the issue and agree the next steps. If an incident or attack is not reported it can spread and cause far greater damage to data and systems. Where personal data is involved, the incident may also have to be reported to the Information Commissioner's Office (ICO); under UK GDPR a notifiable personal data breach must be reported within 72 hours of becoming aware of it, so the internal reporting route needs to be fast.

In addition to this set of essential cyber security standards, Cyber Essentials is a well-regarded, government-backed scheme that your school or college should also consider working towards.

Being Cyber Essentials certified helps schools and colleges protect sensitive data, ensuring a safer digital environment for students and staff. Getting Cyber Essentials certified also demonstrates your dedication to data and security protection.
