Cyber-attacks against schools continue to be a concern across the Eastern region.

The reasons for this are fairly simple

• Schools possess large quantities of high value and sensitive data that they may have to pay for to get back.
• Schools’ networks and processes offer a lot of vulnerabilities through either underinvestment or weaknesses in their underlying processes. In many cases these vulnerabilities are caused by the necessity of having so many people and devices to attach to the network

A number of education ransomware alerts have been published by the National Cyber Security Centre throughout 2020 and 2021, and more are expected over the coming year.

1000s of schools have been attacked over the past few years and many have resulted in long term problems for the organisations affected, including the staff, students, and parents. Whilst the rise in attacks was blamed partly on the pandemic and a rise in remote learning, the risk to schools will persist until they are provided with the tools to fight back. And these attacks are happening right now in our region. In the summer of 2021, a ransomware attack against schools in Kent actually caused several of them to close for several days whilst the data breach was resolved.

Common website cyber threats – if you don’t understand the jargon talk to us at the centre

1. Weak passwords so criminals just log in to your systems – no technical experience required but easy to fix from your point of view.
2. Your website isn’t updated with the latest security patches – criminals know when security patches are released and will look for those sites which haven’t been updated and therefore have a known security issue that they can exploit.
3. Your website is vulnerable to SQL injection attacks – this is a technique where a criminal places malicious code into SQL statements via web page inputs and could potentially destroy your database!
4. Your website is vulnerable to XSS (Cross-site scripting) attacks – this is where the criminal compromises the interactions that users have with your website or application.
5. Your website has insecure direct object references – this is part of access control implementation mistakes which can lead to access controls being circumvented and a criminal able to access your valuable data.

Do you know if your website is vulnerable?

The only way to really know is to test your site.

But do you really want to know?

Nothing bad has happened so far and if you don’t know about it then surely you can’t be guilty of not fixing it?

Ask yourself these questions:

• How would your parents feel if their children's sensitive data were stolen and sold?
• How would your supply chain feel if their confidential data were leaked?
• Would your staff, students and families have expected you to do everything you could to protect their data?

The ECRC offers affordable web application vulnerability assessments. We work with university students who conduct the testing and provides you with a detailed report, but explained in plain English, so you understand what the risks are and what you need to do to fix them. Find out more here. We will provide a no obligation quote so you can see just how affordable this testing can be.

Is there anything I can do for free?

The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of business and loss of reputation. In the worst cases it can lead to the closure of the business altogether. But all is not lost.

1. NCSC's Web Check helps you find and fix common security vulnerabilities in the websites that you manage. Another tool that has recently become freely available for schools.
2. Sign up to the Eastern Cyber Resilience Centre and join our growing community of regional schools and businesses who are committed to stranding up to cybercriminals. It's free and we will give you support and guidance around the areas that you need to consider in every aspect of your business to build your resilience.
3. Consider obtaining cyber essentials accreditation. This demonstrates that you are working at the minimum standards. Our Little Step email series which every member of our community receives free, helps to identify those areas which CE will test and we can refer you to a Trusted Partner for the all important test.
4. Apply all security updates to your website, both the platform but also all those add-in and widgets that make your site functional and unique.

Are there any free tools that schools can use to protect themselves from cyber attacks?

YES! It is fully understood that schools are both vulnerable to attack, and that they have limited budgets to pay to strengthen their resilience. The good news is that there are loads of free tools and guides specifically aimed at the education sector.

Look at the free tools and guidance available on the ECRC site Education & Resources at the Eastern Cyber Resilience Centre (ecrcentre.co.uk). All of the below are free and fully supported by the National Cyber Security Centre as well as the ECRC

• Mail Check helps organisations assess their email security compliance and adopt secure email standards which prevent criminals from spoofing your email domains. Now freely available for schools as well as universities and colleges.
• Cyber Security Training for School Staff. The NCSC has produced free cyber security training to raise awareness and help school staff manage some of the key cyber threats facing schools.
• Cyber Security in Schools: questions for Governors & Trustees. Questions for the governing body and trustees to ask school leaders, to help improve a school's understanding of its cyber security risks.
• Early Years practitioners: using cyber security to protect your settings. How to protect sensitive information about your setting and the children in your care from accidental damage and online criminals.

Reporting a live cyber-attack 24/7

​If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.

Reporting a cyber-attack which isn't ongoing ​

Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2