The number of data breaches and security incidents reported by schools has risen dramatically since the introduction of GDPR. Are schools being targeted for their sensitive information, or is the risk of a large fine from the Information Commissioner’s Office, and an increased awareness of responsibilities, now revealing the true scale of attacks faced by schools?
Schools in the UK reported 703 data breaches to the Information Commissioner’s Office (ICO) in 2016-2017, compared with 571 in 2014-2015. This rise in reported incidents grew even further last year, with 511 reported in the second quarter alone; this is the first data to be released since the GDPR regulations came into place in May 2018.
GDPR regulations make it compulsory for all organisation to report any data breach where there is a risk to people’s data security, including incidents where no information is actually lost or stolen. When it comes to schools, it requires them to be clearer about the data they hold and to have a data protection officer and respond quickly.
Considering the sensitive information held by schools on both students and parents, and the rise of data attacks globally, it seems to be an anomaly that schools have, so far, avoided being targeted – with many in education feeling that it is only a matter of time.
The rise in reported incidents follows trends across other industries, however; the ICO revealed that there were 6,281 complaints between May 25 – when GDPR came into force – and July 3. This is a 160% rise in complaints over the same period in 2017.
While there is, undoubtedly, a case that mandatory reporting has driven up the numbers, research from specialist insurer Ecclesiastical reveals that one-in-five schools and colleges have fallen victim to cyber-crime across the UK.
Of those affected, 71% downloaded malware and 50% experience phishing attacks, both of which exploit human error; data losses (82%) and remediation costs (47%) were the biggest concerns in relation to these attacks.
In a world where cyber-attacks are becoming ever more prevalent, the pressure on schools to protect their data is growing, but budget restraints, the speed of change in technology and the specialist knowledge required to maintain a secure network mean that schools are facing a challenging situation in keeping their data safe.
“School business professionals need to be prepared for cyber-attacks and to have clear checks and reviews, as well as processes in place if an attack happens,” Stephen Morales, chief executive of the Institute of School Business Leaders, points out. “However, the pressure on school budgets means that it is likely there will be less, rather than more, capacity to ensure schools are prepared for, and protected from, attack.”