Selling ‘cyber security’ to schools’ senior leadership teams is still a huge challenge due to the financial challenges they are experiencing, and not seeing the educational benefits of putting in place a robust and resilient cyber posture. And yet, there was a 55% increase on reported cybercrime incidents in the education and childcare sector from 2022 to 2023 according to the Information Commissioner's Office (ICO).

WCRC Director, Paul Peters, says: “Schools are vulnerable targets for cyber criminals because they keep extensive amounts of sensitive pupil and staff data and personal information. They also utilise different technologies and systems to facilitate learning and often lack the resources to put in place a comprehensive cyber security program.

“For example, a design and technology department in a school may be using equipment in its lab that dates back a few decades, because there is not the budget to replace it, and it is now not supported and potentially provides an insecure gateway to the schools’ network.

In the second part of our education series, we put our questions to Toby Harris, Learning and Development Lead at Stable, a bespoke IT consultancy and resourcing specialist, on why he thinks cyber security is such a necessity for schools.

Why are schools such an attractive target for cybercriminals?

Schools are dealing with a much wider demographic than conventional workplaces – specifically:

• Impressionable age groups

• Personal information on families and minors

• Peer pressure/seeking validation and approval

What damage can a cyberattack on a school cause?

• Class/exam scheduling disruption

• Data integrity such as assessments and sensitive information related to pupils and staff

• PII: Leaking of sensitive information that directly identifies an individual and could cause significant harm if leaked or stolen.

  • This is particularly relevant in a school environment given the crossover between staff, pupils and extended guardian/family relationships

  
  

In your experience what are the biggest vulnerabilities for a school?

The pupils at the school are arguably the biggest threat – what is often referred to as Insider Threat – specifically:

• Peer pressure

• Use of social media both by staff, pupils and the school itself

• Use of digital imagery revealing the identity of vulnerable pupils and family networks

• Misuse of or lack of understanding of AI tools

• Bring Your Own Devices (BYOD)

• Lack of controls when using web related technologies as learning tools both to help with tasks and general research on topics

What should a school be considering when investing in cyber security as a resource?

• Device mix - highly cost sensitive performance constraints on pupil devices

• A thorough audit of the current school IT estate – it is commonplace that funding challenges and at times staff turnover, not to mention the wide curriculum can cause competing digital strategies to clash or overlap thus opening up security holes due to lack of knowledge and poor patching

What are your top five basic cyber resilient tips a school can put in place to help protect against a cyber-attack?

• Social engineering workshops for parents/guardians, staff and pupils

  •  A collective awareness and responsibility are key.  It is not just IT’s problem, its everyone’s.

  • By involving both parent/guardians, teaching staff and pupils in learning about awareness and prevention presents opportunities for closer collaboration

• Phishing simulation exercises

• Ransomware

  • What it is and how to reduce the threat

• Defence in depth – essential for a school environment with such a wide remit in terms of demographic and delivery

• As an education provider, schools will have access to low-cost cyber security partnerships so they should be making use of them. For example, Microsoft Purview and Defender tools will likely have competitive licensing terms for education

The Police CyberAlarm tool is free and completely available to all who wish to understand and monitor malicious cyber activity. It will detect and provide regular reports of suspected activity, enabling organisations to minimise their vulnerabilities. 

For more information on the WCRC and the services it provides, you can contact a member of its team.