GCHQ’s National Cybersecurity Center today announced the results of its National School Cybersecurity Audit, revealing alarming statistics on cybersecurity attacks against schools.
- 78% of schools experienced at least one type of cyber incident in 2022, and 7% experienced significant disruption as a result
- 21% experienced a malware and/or ransomware attack and 18% experienced periods without access to important information
- 26% had not implemented multi-factor authentication to protect important accounts
- 25% continued to allow limited staff access to USB drives that could compromise systems through computer virus, malware and spyware infections
- 4% had no back-up facilities
- 6 schools reported that a parent lost money due to a cyber incident.
The three main attack vectors used by criminals:
- Phishing – fraudulent emails from attackers used to trick staff into revealing sensitive information
- Impersonation – where attackers impersonate someone else to gain a victim’s trust, gain access to a system, steal data, or spread malware
- Malware, including:
Malware – used to disrupt or gain access to systems
Viruses – programs which, when executed, reproduce themselves by modifying other computer programs and inserting their own code
Ransomware – designed to block access to a computer system until a sum of money is paid.
Schools remain particularly vulnerable to cybercriminals and need to be vigilant, says the National Cyber Security Center (NCSC, part of GCHQ) and edtech charity LGfL-The National Grid for Learning (LGfL), who today published their 2022 Cybersecurity School Audit UK schools across the country. The report can be downloaded here securityaudit.lgfl.net
Given the global shortage of qualified and experienced cybersecurity professionals, even large companies are struggling to recruit qualified personnel. According to Mark Bentley, Head of Cybersecurity at LGfL, “For cash-strapped schools – rightly focused on teaching and learning and child safety – recruiting qualified staff is both a challenge important and an added expense – which is why LGfL and its partners, which include some of the world’s largest security vendors, have released an additional report that includes further analysis and important next steps for schools, also available at securityaudit.lgfl.net.
However, the audit found that schools are aware of the cyber threats they face:
- 53% of schools say they feel prepared for a cyberattack (up from 49% in 2019)
- Phishing awareness in schools increased from 69% in 2019 to 73% in 2022
- 55% (compared to 35% in 2019) have implemented staff training for non-IT staff
- 49% (compared to 41% in 2019) have included their basic IT services in a risk register or business continuity plan
- 90% (compared to 33% in 2019) have at least one of the following: a cybersecurity register, a risk register or a business continuity plan.
Sarah Lyons, NCSC Deputy Director for Economy and Society, said:
“Our schools are so dependent on the myriad of data needed to operate effectively – including sensitive student, parent, governor and staff data – so more work needs to be done to support cybersecurity around these critical services. That’s why the National Cyber Security Center works with schools and the education sector to provide free tools and guidance to help schools effectively manage their cyber risks and help them protect this valuable information.
In conclusion, Mark Bentley said:
“Cybersecurity can sometimes be like a Rubik’s cube that changes color just as you’re about to solve it. Every week seems to bring new threats and make the list of “vital steps to stay protected” even longer! But as with any complex issue, there is a lot you can do to manage and mitigate cybersecurity risks and this report helps us shape the support needed for schools to do just that.
Recommend0 recommendationsPosted in