The worrying state of cyber security in schools

How can your school protect itself?

An audit by the LGfL (London Grid for Learning) and NCSC (National Cyber Security Centre) revealed alarming yet unsurprising statistics about cyber security weaknesses in schools.

Here are three key findings:

83% experienced a cyber security incident
83% of responding schools had experienced at least one of the types of cyber security incident they were asked about; 69% suffered a phishing attack (a social engineering attack, often via an email, that tries to trick you into clicking a malicious link or downloading an infected attachment).

97% said that losing access to network-connected IT services would cause considerable disruption
In many ways, technology is pivotal to everything that happens in school – 97% of schools confirmed that losing access to it would cause considerable disruption. 35% had actually experienced periods with no access to important information.

A successful cyber attack can be disruptive and expensive to fix. It can also compromise safeguarding and access to confidential or sensitive information, damage your reputation and, under the GDPR (General Data Protection Regulation), lead to fines. It can even delay the start of the new academic year, which recently happened to a school in New York.

Most schools don’t train non-IT staff in cyber security (but almost all want to)
Even though 83% of schools have experienced a cyber security incident and understand how critical it is to have access to IT networks, only 35% trained non-IT staff in cyber security. However, 92% would welcome more cyber security staff awareness training. The discrepancy may hint at a lack of resources, even though not training staff could end up costing far more than investing in staff awareness.

What simple things can you do to combat and prepare for cyber security threats?

Train staff in the basics
In all organisations, staff are seen as a soft target by cyber criminals, and busy school staff are no different.

With 69% of schools surveyed suffering a phishing attack, training staff how to spot them is a sensible and effective place to start, as is displaying posters in staff work areas that remind them to be vigilant. A little simple training and regular reminders can go a long way in quickly teaching staff how to spot phishing scams and how to respond to them.

Read about our staff awareness e-learning courses from our sister company GRC E-learning.

Achieve Cyber Essentials certification
The UK government’s Cyber Essentials scheme is a useful and cost-effective first step in improving cyber security and can help protect your organisation from around 80% of cyber attacks. It is suitable for organisations of all sizes and a great way to review your cyber security and prioritise improvements.

The Cyber Essentials certification process includes a self-assessment questionnaire and an external vulnerability scan that independently verifies your security status. If you need support with the questionnaire, we can offer it in varying amounts depending on your needs. Cyber Essentials Plus certification is a more advanced assessment and includes an internal vulnerability scan of your network, PCs and mobile devices. Read about the Cyber Essentials scheme and the levels of support we offer.

Introduce business continuity measures
BCM (business continuity management) isn’t just for businesses. It is a form of risk management that considers possible disruptions and how to carry on despite them.

BCM involves planning for the worst and ensuring you can both continue to operate at a minimum acceptable level despite any disruption and quickly return to normal operations.

Adding ‘service and data availability’ to the school’s risk register can help you acknowledge the possibility of, and plan for, the worst. Find out more about BCM and disaster recovery from