Audit shows schools at high cyber risk

Mark Bentley

Image source: LGfL

Schools remain particularly vulnerable to cyberattacks and must maintain high vigilance, the London Grid for Learning (LGfL) and the National Cyber Security Centre (NCSC) have warned.

The two bodies have published reports from an audit on the matter, highlighting progress in cybersecurity measures but also issues with maintaining defenses; and LGfL’s lead on the issue told UKAuthority there were structural problems for many schools.

Key findings from the audit – which involved responses from 432 schools in the second half of last year – include that 78% experienced at least one type of cyber incident during the year, 7% experienced significant disruption, 21% experienced a malware or ransomware attack, 18% experienced periods without access to important information, 26% experienced email impersonation, and 73% received fraudulent emails.

Additionally, six parents said they lost money due to a cyber incident involving the school.

There were signs of increased awareness of cyber threats, with 53% saying they felt prepared for a cyberattack, 73% being aware of phishing, 55% having training in place for non-IT staff, and 90% having at least a cybersecurity training register, risk register or business continuity plan.

But there were also shortcomings at many schools, such as 26% not having implemented multi-factor authentication, 25% continuing to allow limited staff access to USB drives that could compromise systems, and 4% having no backup facilities.

Variable capacity

Mark Bentley, LGfL’s head of cybersecurity and protection, told UKAuthority that a big part of the problem is that many schools have limited resources to ensure cybersecurity measures are in place, that capacity varies considerably within the sector, and that there is often no strategic vision for security.

“Even now cybersecurity in many schools is the technician, the network manager,” he said. “For example, a primary school may only have a technician once a fortnight and they have a to-do list without a strategic approach.

“That is changing as the Department of Education does more, with cybersecurity standards released recently, and general awareness is growing as there has been bad news. But even when you get that awareness, the level of understanding and strategy isn’t there.

“It’s something we’re working to support by helping with policy and training models, to help schools understand strategic issues and how to address them.”

He said a multi-academy trust is likely to provide a centralized team to spread advice and best practices, and make decisions that will standardize the approach to cybersecurity in its schools.

But: “The picture of local authorities is much more mixed. If you compare the picture today to that of 15 years ago, it was clear what a local authority school was, but these days a lot has gone outside the control of the local authority and there are many somewhere in between and there is not the same level of support.”

Worsening of problems

Bentley added that the disparate hardware and software systems used in schools, with their “natural vulnerabilities”, compound the problem, and that the financial strain, exacerbated by the recent spike in energy bills, makes it harder for them to devote resources to facing the threats.

LGfL – the edtech provider which operates as a charity – aims to support schools by providing strategic advice and has outlined a number of crucial steps they should take in its report.

These are: making sure they know how many devices they have and where they are; ensuring that all anti-virus and other security software is up to date; implementing multi-factor authentication; ensuring that the incident response plan works; and checking its updates on cybersecurity threats for schools.

Bentley said it was also necessary to ensure that any new application or change in settings does not interfere with the operation of the anti-virus software, and that all of this must be balanced with the need to maintain regular operations.

“You also have to not only tighten security, but be prepared to determine if you’re locking things down too much,” he added. “Are we preventing you from doing your job? It will only work if you offer alternatives.”

He expressed the general message as follows: “Don’t panic, but think about it.”

Focus on NCSC

The NCSC report highlights that schools rely heavily on a myriad of data, some of which is sensitive, and that more needs to be done to support their cybersecurity.

Its Deputy Director for Economy and Society, Sarah Lyons, said: “Our schools are so dependent on the myriad of data needed to operate effectively – including sensitive data about students, parents, governors and staff – therefore more work needs to be done to support cybersecurity around these essential services.

“That’s why the National Cyber Security Centre is working with schools and the education sector to provide free tools and guidance to help schools effectively manage their cyber risks and help them protect this valuable information.”
