Prevention, recovery and resilience:
The blueprint for school cyber security

By Carl Whitham, Head of Managed IT

Like every sector, education is undergoing an exciting digital transformation. Yet this has also left schools exposed to cyber threats, putting teaching quality, welfare and safety at serious risk.
While there is no silver bullet solution, schools can adopt a common framework for a holistic, proactive approach to cyber security that is intrinsic to digital transformation while also navigating budgetary pressures.

It's not a question of “if”, but “when” with cyber threats

Cyber crime has become the world’s third-largest economy, fuelled by the digital transformation of people, processes and data to unlock productivity, efficiency and collaboration.

The National Cyber Security Centre (NCSC) reported that in 2022, 78 per cent of schools fell victim, while the Department for Culture, Media and Sports reported that 39 per cent of UK businesses identified at least one attack.

This means it should be assumed that we all will be targeted by cyber criminals. But the extent to which we become victims is down to how we approach cyber security as part of digital transformation strategies.

There’s no need to “reinvent the wheel” as schools can follow an approach to cyber security that routinely supports enterprises. Broadly, this comprises four key pillars: understanding the risks, adopting a preventative approach, developing a response and recovery plan, and building a long-term resilience strategy.

Pillar one: Examine the risk profile

As digital investments do for many organisations, the EdTech and IoT sector unlocks an immersive, enriched teaching experience for schools and transforms day-to-day operations across people, processes and data.

When working with schools after incidents, we have realised that the two most common objectives are data extraction and exploitation, and disruption. Often the source of these attacks is from within, with current generations of tech-savvy students targeting their institutions either as a prank or with more malicious intentions.

One of the factors behind the unique risk profile schools face is their reputation as “easier” targets. Part of this is because schools have been well known for taking a reactive rather than proactive approach to cyber security, as it hasn’t been linked to teaching quality.

Examining the risk profile shows that schools are amongst the organisations most vulnerable to cyber attack, so it is essential that a more proactive approach is implemented.

Pillar two: Establish preventative measures

Prevention measures limit the introduction of cyber attacks, and they are also key factors in how successful an attack turns out to be. If an organisation deploys strong preventative measures, the impact of a cyber attack is significantly reduced, and vice versa.

A preventative approach means understanding where threats lie. In schools, the growing number of student laptops and tablets, both issued and bring-your-own-device (BYOD), smartboards, IoT tech and Software-as-a-Service such as Microsoft 365 and Google Classroom have enabled the digital classroom and opened up cyber attack entry points.

A feature of many of these devices and programmes is the prioritisation of ease of use, especially for younger users. We’ve noticed that focusing on an easy user experience means security has been deprioritised, enhancing the cyber threat they pose.

Preventative measures in this space can include leveraging existing solutions, such as in-built security programmes, and deploying the software patches that routinely protect many enterprises.

Prevention also lies in strengthening device and network access credentials. This could mean reinforcing password hygiene alongside multi-factor authentication (MFA) solutions, which require multiple forms of login, such as biometrics or one-time passcodes.

Microsoft estimates that MFA blocks 99.9 per cent of automated and 76 per cent of targeted cyber attacks, and it is becoming increasingly prevalent as most data breaches and cyber attacks involve compromised access credentials. However, the NCSC reported that a quarter of schools had not implemented any MFA solutions to protect the most sensitive parts of digital estates.

Educating end users, both staff and students, about cyber threats, how to recognise them and how to mitigate their impact is also a fundamental element of prevention. This should be considered not just part of a school’s cyber strategy, but an essential life skill.

Pillar three: Bounce back with a recovery plan

Education settings are already well versed in developing incident response plans. Today, a vital one to add is a cyber recovery plan to further protect staff and students at risk and preserve reputations.

Cyber attacks on schools, especially highly disruptive ones, frequently become high-profile incidents, attracting a significant amount of media attention and scrutiny from parents, faculty and the community.

Establishing an effective and timely response and recovery plan will ensure that the impact of a cyber attack is mitigated quickly, before it becomes significant.

One critical measure is backing up cloud services and developing a data-recovery procedure. Despite this being a mandatory measure directed by the Department of Education, worryingly, the NCSC reported that four per cent of schools had no backup facilities in place.

After understanding which programmes and software are deployed, with many schools often running multiple cloud and Software-as-a-Service applications such as Microsoft 365 and Google Classroom, schools can develop meaningful recovery plans.

As with enterprises, daily backups are recommended as a minimum for schools, ensuring quick recovery of data following corruption or loss.

Reflecting their value and importance in determining the impact of cyber attacks, school recovery plans are attracting more attention from a regulatory standpoint.

The statutory Keeping children safe in education guidance, which changes in response to the evolving threat landscape, is increasingly integrating elements such as cyber crime and how children and students can be protected and recover from incidents.

Like enterprises, education settings can face serious penalties if they fail to establish effective and timely response and recovery plans, including funding stoppages, and school and federation closures. For fee-paying institutions, poor recovery plans can damage reputations far enough to impact revenues.

Pillar four: Look to long-term resilience

Digital transformation, and cyber threats, will be a long-term feature of schools, so a mindset that links cyber security directly to education quality is required. This way, schools can always stay on top of their risk profile and evolve their prevention and recovery approaches to support long-term resilience.

Encouraging progress has been made, as the NCSC reports that in 2022, 53 per cent of schools felt prepared for cyber attacks compared to 49 per cent in 2019. Schools continue to onboard cyber security registers, risk registers and business continuity plans to support recovery plans.

But there’s still a long way to go. Schools will continue to be targeted and, unlike the hackers, they need to get it right all the time. To stay ahead, a long-term resilience approach is critical.

There are already excellent resources and practical guidance available to schools, but one limiting factor is the ongoing recruitment challenge for skilled cyber security staff. To combat this, managed IT service providers, especially those dedicated to education settings, will become more relevant in education, as they are in other sectors.

Specialist providers like this will draw on extensive experience supporting businesses and apply it seamlessly to schools, owing to the similarities in infrastructure. They will also ensure that core enterprise software is optimally deployed and managed.

A blueprint for digital success

Following this blueprint and integrating cyber into IT strategies means schools can accelerate their digital transformation journey while not sacrificing safety, security and welfare by falling into the “digitise first…secure later” trap.

It also ensures schools can achieve ROI with digital procurement strategies, a key benefit in today’s budget-sensitive environment.