Cyber Essentials for Schools and Colleges
What is Cyber Essentials?
One of the most straightforward and cost effective ways for your school or college to improve its cyber security is to achieve Cyber Essentials certification. Cyber Essentials is a UK government scheme supported by the NCSC (National Cyber Security Centre)
, and is intended to help organisations of any size demonstrate their commitment to cyber security, while keeping the approach simple and the costs low. The scheme focuses on five key cyber security measures (also called controls), which are simple to put in place yet protect organisations from around 80% of common cyber attacks, and has two tiers of achievement: Cyber Essentials and Cyber Essentials Plus. Both tiers require the same five security controls, but are certified differently.
Our sister company IT Governance
can help you get Cyber Essentials certified quickly, easily and affordably.
Why Cyber Essentials?
Schools and other education providers that receive ESFA funding will be required to have Cyber Essentials certification. This supports the UK’s push towards improving its cyber security in every facet of society. Whatever the size of your school, trust or college, the scheme brings benefits across the organisation and raises the profile of cyber security with colleagues. Every organisation must start somewhere, and the basic yet effective controls described in the Cyber Essentials scheme are a good place to begin before progressing to more robust (and potentially costly) controls. For schools and colleges, Cyber Essentials also has the benefit of being backed by the UK government, and is a prerequisite for ESFA Education and Skills contracts
for the 2020–2021 funding year. For 2021–2022, those that receive ESFA funding are expected to progress to Cyber Essentials Plus.
Achieving Cyber Essentials certification helps prove to pupils, parents, authorities and any other stakeholders that you take cyber security seriously and have implemented effective protection. It also helps raise cyber security awareness within the organisation, which helps ensure staff take more care when using their computers or handling confidential information. Article 32 of the GDPR also requires organisations to protect the security of personal data with “appropriate technical and organisational measures”. The controls set out in the Cyber Essentials scheme are an excellent start, and in some cases may prove to be all that you need. Cyber Essentials certification is affordable and offers a great return on investment simply by protecting you from a host of the most common cyber security threats.
How will Cyber Essentials help?
Cyber Essentials is designed to minimise the risk posed by the most common cyber attacks. Around 80% of all attacks rely on the target not having implemented basic cyber security; these attacks are almost always automated and require very little effort from the criminals. While the attacks are very simple, they can have devastating results. In 2018, a group of criminals used information they gained from basic attacks to send emails to parents from a school account advising them that they could get 25% off their fees if they paid in bitcoin. Criminals have also used similar techniques to attack schools with ransomware, which is increasingly popular.
How does Cyber Essentials certification work?
The first step in any cyber security project, including Cyber Essentials, is to define the scope – how large is the network you need to protect? Both Cyber Essentials and Cyber Essentials Plus certification can apply to all or a subset of your IT, and may include hardware and software.
Once you have defined the scope, the next steps for both Cyber Essentials tiers involve completing an SAQ (self-assessment questionnaire) to show that you’ve implemented the controls. For the basic level of certification, this is all you need to do. Cyber Essentials Plus also requires an external vulnerability scan, an on-site assessment and an additional scan to look for vulnerabilities within your network, providing further assurance.
What are the Cyber Essentials controls?
In many cases, these controls will already be in place to some degree, so the cost of implementing them is probably lower than you might expect. One of the key parts of meeting the requirements and protecting your organisation will simply be making sure that you address these controls consistently – for instance, making sure that all firewalls meet the necessary standards and that all computers have a consistent setup, and ensuring both are kept up to date.
The five basic security controls are:
Firewalls function as the barrier between the internal networks, which need to remain secure, and the Internet, which should be treated with caution. They should be installed on any device that can access the Internet. They’re particularly important when staff use public or otherwise insecure Wi-Fi, whether they’re using school or college devices or their own to access work resources.
2. Secure configuration
The default configurations on devices and software are often as open as possible to make things convenient and easy to use, but they also provide more access points for unauthorised users. Disabling or removing any unnecessary functions and changing default passwords reduce the risk of a security breach.
3. Access control
Giving a lot of people access to your data and services is convenient, but also means that there are more accounts that, if compromised, can lead to a serious breach of security. It also increases the chance of an unintentional breach, like someone accidentally deleting data that should be kept. Ensuring that access is given on a ‘need-to-know’ basis only, with ‘access denied’ as the default option, will help reduce the scope for a breach. On top of that, all accounts should be password-protected with strong passwords, and where the risk of a breach is particularly high, like the compromise of an admin account, you should consider implementing 2FA (two-factor authentication). The cyber attack described earlier could have been prevented with 2FA.
4. Malware protection
Malware such as viruses and ransomware can infect your systems when, for example, a member of staff is tricked by a phishing email, but it is also commonly introduced through removable storage drives like USB sticks. You can protect the organisation from malware by using antivirus or anti-malware software, and techniques like ‘whitelisting’ and ‘sandboxing’(running an application in an isolated environment with no access to the rest of your networks or devices, to find out if it’s malicious).
4. Patch management
Manufacturers and developers normally release regular updates that not only improve the software but also fix or ‘patch’ any discovered vulnerabilities. Installing those updates as soon as they’re available minimises the time frame in which those vulnerabilities can be exploited. If the manufacturer stops offering support for the hardware/software you’re using, it’s time to replace it with a more up-to-date alternative or retire it.
Find out more
Visit our sister company IT Governance to find out more and purchase Cyber Essentials or Cyber Essentials plus.