In this article, Gary Henderson highlights the vital role of cybersecurity in schools, focusing on practical strategies, effective risk management and the necessity of cultivating a cyber-aware culture
In today’s digital world, cybersecurity is essential for schools to protect sensitive data, prevent identity theft and comply with legal requirements. And this is a world where we are increasingly using technology in our schools and in our everyday lives, thereby exposing us to increasing levels of cyber risk.
Keeping Children Safe in Education, a key piece of statutory guidance for schools, mentions the need for schools to have “an appropriate level of security protection procedures in place in order to safeguard their systems, staff and learners”.
As such, robust cybersecurity measures are essential and ensure the continuity of educational services and minimising downtime during a cyber incident
How Can Schools Protect Themselves?
First and foremost, schools must focus on fundamental cybersecurity practices. Regularly patching and updating software is crucial to protect against vulnerabilities. I often take a “better than yesterday” approach here, meaning if you can’t patch everything, identify the key servers or client devices and update those, making you “better than yesterday”.
Limiting permissions and ensuring that users only have access to the data and systems necessary for their roles can significantly reduce the risk of unauthorised access. This includes ensuring you have effective off-boarding processes to disable and delete user accounts associated with users, staff or students, who have left. It is often unmonitored accounts which people have forgotten about which provide a method of ingress for cyber criminals.
User awareness training is imperative, as it equips both students and staff with the knowledge to recognise and respond to potential threats. I have found sharing of real-life examples such as phishing emails which have been received by the school to be particularly effective here. It is also important to try and make sure user awareness a part of the everyday operation of the school, rather than a once a year, through sharing via weekly or monthly newsletters, briefings or meetings. Testing of awareness programmes is also important, to check if they are successful and to identify where they could be improved, with phishing awareness testing a key tool here.
Finally, deploying multi-factor authentication (MFA) adds an extra layer of security by requiring a second form of verification, making it more challenging for attackers to compromise accounts. I think it also signals to staff and students the importance of enabling MFA where they can in relation to their online accounts, where this is a key and simple method to reduce the risk of account takeover and the corresponding risk of fraud, data loss and, maybe most importantly, the stress which results from the loss of access to an online service and all you have stored within that service.
Preventative Measures Aren’t Enough
Schools must accept that despite their best efforts, breaches can occur. It is therefore imperative to have robust response plans in place. Regular desktop exercises can be conducted to simulate cyber incident scenarios, ensuring that relevant staff members understand their roles and responsibilities during an incident. It is important that cyber incidents are seen as a school issue rather than an IT issue, as when they occur, they impact on the whole school. It is therefore important to involve a variety of stakeholders in simulated exercises. These exercises help identify gaps in the response plan and improve the school’s overall readiness.
Additionally, testing of backup systems is crucial. Backups should be performed frequently and stored securely, with regular tests conducted to ensure that data can be restored swiftly and accurately in the event of an attack. The 3-2-1 model for backups is useful, looking at three backups, in two different media and with one being offsite, while considering the use of cloud based immutable backups is also important. The key however isn’t in having the backups but in the ability to recover the data when an incident occurs which highlights the need to test backups to ensure they work as they should plus that the staff concerned are familiar with recovery processes. Through planning schools can minimise disruption when the inevitable cyber incident happens.
It’s All About Risk
When considering cybersecurity in schools, it is essential to shift the perspective from mere compliance to a holistic risk management approach. Rather than viewing security measures like multi-factor authentication (MFA) or patching as checkboxes to be ticked off, schools should evaluate the broader risks, and the trade-offs associated with different mitigation strategies. This means understanding the potential impact of various cyber threats, weighing the costs and drawbacks of implementing security measures, and making informed decisions that balance security with the operational needs of the school. By adopting a risk-focused mindset, schools can create more resilient and adaptable security frameworks that protect against a wide array of cyber threats while maintaining the flexibility needed to support their educational mission.
Cyber Culture
In today’s rapidly evolving digital landscape, the integration of technology into our everyday lives is undeniable, making it imperative that cybersecurity awareness and safe online behaviours become deeply ingrained in how we use technology tools and services. Safe and secure cyber practices need to become the way we do things in every part of our lives, both in school and beyond school. For me this means it is critical that schools consider cybersecurity and that it is openly talked about, planned for and generally discussed as part of the everyday goings on of a busy school. We need to engage staff, students, parents and the wider community in these discussions so that everyone gives time and thought to cyber security, their online behaviours and those of others around them.
Cybersecurity impacts us all; We can either engage or wait for the impact to be the unpleasant and stressful experience associated with a cyber incident which we failed to prepare for.
Be the first to comment