In today’s increasingly digitised world, schools are unfortunately not immune to the growing threat of cyber attacks. Educational institutions store a great deal of sensitive data, including safeguarding and medical details and financial information and are targets of cybercriminals seeking to exploit vulnerabilities. Ransomware attacks are also becoming common, where hackers encrypt critical systems and files, rendering them inaccessible and demanding payment of a ransom. Understanding the risks of cyber attacks is crucial for safeguarding the integrity and security of data systems.
Such an incident not only jeopardises the privacy and security of pupils and staff, but can also undermine trust and reputation and disrupt the day-to-day operations of schools, leading to significant disruptions in teaching and learning, and potential school closures while systems are rebooted and cleansed.
Remediation costs, including the investigation of the breach, restoration of systems, and implementation of security measures, can quickly escalate, draining already limited resources.
In addition, the Academy Trust Handbook 2024 specifically addresses the expectations on academies in relation to cyber attacks, “Academy trusts must also be aware of the risk of cybercrime, put in place proportionate controls and take appropriate action where a cyber security incident has occurred. Trusts should take appropriate action to meet DfE’s cyber security standards, which were developed to help them improve their resilience against cyber-attacks.”
Increase in cyber attacks
This is an issue affecting many organisations and is reflected in the data published by the ICO. By publishing this information, the ICO are aiming to help organisations, such as schools, to understand what risks to look out for and how to take appropriate action if they on the receiving end of a cyber attack.
From the figures that have been reported by the ICO, we can see that 466 incidents were reported to the ICO in the first quarter of 2024 by education and childcare organisations alone. Of these, 90 were cyber-related incidents: https://ico.org.uk/action-weve-taken/data-security-incident-trends/
ICO response to cyber attacks
It is also helpful to consider how the ICO responds to cyber attacks in order to learn lessons from other organisations which have been affected.
For example, the London Borough of Hackney (LBoH) has been issued a reprimand by the Information Commissioner’s Office (ICO) following a cyber-attack in 2020. The attack resulted in hackers gaining access to and encrypting 440,000 files, affecting at least 280,000 residents and other individuals, including staff.
The encrypted data contained sensitive personal data such as information relating to racial or ethnic origin, religious beliefs, sexual orientation, health data, economic data, criminal offence data, and basic personal identifiers. Additionally, 9,605 records were exfiltrated by the attackers, posing a meaningful risk of harm to 230 data subjects. The cyber-attack also caused disruption to LBoH systems for several months, with some services not returning to normal until 2022. The attack also impacted LBoH’s ability to handle Freedom of Information requests and subject access requests, resulting in 39 complaints from individuals who did not receive appropriate responses.
The ICO found that the subsequent investigation revealed a lack of proper security measures and processes to protect personal data, including the failure to apply security patches and change insecure passwords. The ICO Deputy Commissioner, Stephen Bonner, criticised LBoH for the avoidable error and emphasised the need for effective measures to protect personal data. Due to the council’s swift action to mitigate the harm and the implementation of remedial steps, a reprimand was issued instead of a fine due to the positive actions taken by LBoH.
Proactive steps to enhance information security
To protect themselves against a cyber attack, schools should be taking several proactive measures to enhance their information security.
One of the first steps is to secure external connections with multi-factor authentication. This additional layer of security ensures that even if an attacker gains access to a pupil or member of staff’s username and password, they would still need an additional verification method, such as a unique code, to gain entry.
Another important measure is to implement logging and monitoring systems. By regularly reviewing system logs and monitoring for unexpected activity, schools can quickly identify and respond to any potential security breaches. This includes acting on alerts from endpoint protection tools, such as anti-malware or anti-virus software, even if the malware has been successfully removed. Prompt action can help prevent further damage and mitigate the impact of an attack.
Schools should also prioritise the use of strong passwords on internal accounts and ensure that unique passwords are used across multiple accounts. This is particularly crucial for staff or administrator accounts, as these often have access to sensitive information or critical systems. By using strong and unique passwords, staff, and pupils. can significantly reduce the risk of unauthorised access to their accounts.
Additionally, schools should regularly update their systems and applications to mitigate against known vulnerabilities. Regularly updating software and firmware is essential to stay ahead of cyber threats and minimize the risk of an attack.
Addressing the risks of cyber attacks requires a multi-faceted approach that encompasses both technical solutions and education and awareness initiatives. Implementing robust cybersecurity measures, can help fortify school networks against potential threats, and regular security audits and vulnerability assessments can help identify and address weaknesses.
Furthermore, educating pupils and staff about best practices, for example, in respect of password strength, phishing awareness, and data protection is essential for fostering a culture of security within schools and can help to mitigate threats. Additionally, establishing clear protocols and response plans for handling incidents can minimise the impact of attacks.
It’s important that you have effective systems to back-up your data to avoid the permanent loss of data in such circumstances. It’s also important to have a business recovery / disaster response plan in place in case your school is unlucky enough to be on the receiving end of a cyber-attack. From our experience supporting schools in these circumstances, an attack can bring down the school’s entire IT network which can lead to school closures in the aftermath and serious disruption in the following days and weeks.
RPA requirements
It is also important to take note of any requirements from school insurers or the Risk Protection Agency (the ‘RPA’). For example, the RPA membership rules state that schools must:
- have offline backups;
- undertake NCSC Cyber Security Training;
- register with Police CyberAlarm; and
- have a cyber response plan in place.
The DfE has also published a Risk Protection Arrangement Cyber Response Plan Template which sets out steps to take in the event of a cyber attack.
Who to contact following a cyber attack
If you are on the receiving end of a cyber attack, we suggest that a strategic approach is taken and we can support you with that as required. We also note here key contacts schools should approach following an attack:
- The police/Action Fraud (the UK’s national reporting centre for fraud and cybercrime)
- the NCSC website if the incident or attack causes long term school closure, the closure of more than one school, or serious financial damage
- Cyber security experts
- the DfE cyber team at Sector.Incidentreporting@education.gov.uk
- The ESFA if you wish to obtain permission to pay cyber ransom demands (though our experience is that the ICO and the Police do not generally advise schools to pay ransom demands)
- The ICO – there are requirements and timescales for reporting personal data breaches.
- Your bank to notify and check next steps regarding compromised financial information
- Your legal team and insurance provider / RPA
- Your local authority for support, especially if safeguarding or child protection information has been compromised
- Consider PR support to help you to liaise with regarding future communications to the press if comment is sought, as to assist with communications to the school community and your stakeholders, which need to be carefully handled.
For further information and advice, please contact the School Support Service team on 0345 070 7437 or schoolsupport@wslaw.co.uk