Schools are under cyber attack - here’s why

School leaders are being urged to make sure they are keeping their systems secure amid a growing number of cyber attacks.

Here's why schools are being targeted and what can be done about it.

Education is a unique sector, with tech-savvy but perhaps naïve students having access to the internet with limited filtering, as well as the need to access a variety of sites for research purposes.

Back in March 2021, the National Cyber Security Centre (NCSC) issued a warning to educational facilities after a sharp increase in ransomware attacks was noted. This continued into May and June of 2021, with notable hacks such as that of Oxford University laboratories and Cambridge Meridian Academies Trust, which affected 50 schools for just under a week. Schools are under attack daily, but why, and how can the risk be reduced?

Breach numbers by type of education

Across the education sector, there’s a higher risk of a data breach the older the students get. According to data from the government’s Cybersecurity Breaches Survey 2021, 26% of further education facilities reported a breach, 15% of secondary schools reported a breach and just 6% of primary schools reported breaches.

This spread across the age categories shows that as pupils get older and get more unrestricted access to the internet, the rate of data breaches, including any cybercrime-related ones, increases.

Why do breaches and hacks affect the education sector?

With a combination of naïve students, hundreds of users logging in to the same devices and long periods of inactivity during the summer months, it’s no wonder that schools can be seen as an easy target.

Now that most secondary schools are run through academy trusts rather than by the government, the central support network and resources have to be sourced by the trust, which may have less experience and may lack a designated cyber expert who can assist in times of trouble.

In the same vein, the budget to upgrade hardware, especially in state schools, is not there. Old computer systems, limited access to modern software and the extensive cost of firewalls all contribute to higher risks and easier targets.

These factors are coupled with the number of financial transactions processed by one person or a small team, and the number of parents’ bank details that the school may hold.

The data held on each pupil and the value of this data, as well as the detrimental impact that losing access to computers has on the education of young people, all contribute to the increased risks that schools face daily.

How can you protect your school?

As headteachers and senior leadership, there is a responsibility to provide training and education to both staff and pupils at your schools, and to ensure that there are people who are trained to understand cybersecurity and the risks it brings.

Learn what a phishing email may look like

Phishing emails, whereby an email that appears genuine is actually malicious, can be hard for the untrained eye to detect.

By clicking on a phishing link, you can give a hacker access to details such as computer information, a route into your emails or, worse, the chance to install ransomware on your device.

However, with some basic knowledge and training, your staff and pupils can begin to detect the phishing emails amongst the ones they actually need. Similarly, you should also have a reporting process for phishing attacks, and make sure everyone is aware of this process.

Create passwords that are strong

Rather than having the same, or similar, passwords for everything in both your home and work life, you should have different passwords for everything. However, remembering these is tricky and can be hard when moving around computers all day, as is typical in schools.

Writing them down in a notebook isn’t secure, and where possible you also shouldn’t save them to your browser.

Password managers such as Dashlane or LastPass are highly secure ways of storing passwords, and both come with a mobile app, as well as browser extensions.

Rather than using your mother’s maiden name and your first pet combined with the number one, try combining two random words.

Update devices regularly

Whether you have staff who work on laptops around the school, or office staff who work partly remotely, it’s important that updates, especially security patches, are done regularly.

Your IT team should send round reminders when people need to install updates on staff computers and have a schedule for general use computers to ensure all receive updates at the same time.