Safeguarding in schools: Cyber-security

With cyber-attacks on the rise, schools are facing more digital threats than ever before. This blog, written by education and safeguarding expert Maria Thomas, breaks down how to keep your school safe, from regular risk assessments and staff training to backing up data and securing user accounts. 

 

Introduction

Cancelled lessons and snaking lunchtime queues are among the ways pupils are being affected by an increasing number of cyber-attacks on schools. New figures from the Information Commissioner's Office (ICO) show 347 cyber incidents were reported in the education and childcare sector in 2023, an increase of 55% from 2022.

As technology plays a bigger role in our daily lives, both in and out of school, and with the increase in reported cyber-attacks, cyber security must become a larger part of a school’s protection system.

What is cyber security?

In case you didn’t know, cyber security refers to protecting computer systems, networks, and data from attacks and unauthorised access. It involves using tools and practices to prevent information and data from being stolen and systems and software from being damaged or misused. This includes securing networks, safeguarding data and apps, protecting individual devices, and responding to any security problems that come up. In simple terms, cyber security ensures your digital world and, in the context of education, your school stay safe and secure.

How do cyber-attacks affect schools?

Cyber-attacks can seriously impact a school’s operational and financial systems, leading to safeguarding issues, data breaches, lasting disruption, financial loss, impact on pupil outcomes, and reputational damage.

Essentially, there are no positive outcomes when a school is hit by a cyber-attack.

How to protect your school from cyber threats

All school settings have a responsibility to ensure ‘they have the appropriate level of security protection procedures in place in order to safeguard their systems, staff and learners and review the effectiveness of these procedures periodically to keep up with evolving cyber-crime technologies,’ as detailed in KCSIE 2024.

As part of this, settings should consider meeting the digital and technology standards set by the DfE, as they can help build their cyber resilience.

Let’s take a closer look at these standards.

The DfE’s digital and technology standards

1. Conduct a cyber risk assessment annually and review every term

It is imperative that school leaders, particularly the digital lead, understand the risks associated with their hardware, software and data. This allows settings to ‘mitigate and defend against any potential attacks or incidents.’

By assessing the risks, leaders can understand how to keep students and staff safe. Furthermore, it allows schools to understand how prepared they are if there is a cyber-attack. By identifying any weaknesses, processes can be put in place to minimise any risk. Crucially, schools can put in place a cyber response plan, which can be implemented quickly in the event of a cyber-attack.

2. Create and implement a cyber awareness plan for students and staff

Communication and being fully informed are a key line of defence against cyber criminals. This is because ‘many cyber incidents and attacks target common processes and human behaviours when using digital technology’.

Training staff and students on cyber security can help reduce the risk of cyber incidents and keep them safe. It is important to create an open culture where all stakeholders feel they can identify and report a risk promptly. Schools can support staff and students through an acceptable use policy, embedding a robust online safety curriculum, and providing regular staff training.

3. Secure digital technology and data with anti-malware and a firewall

As well as creating security around your technology and data, it is crucial that it is maintained. ‘Once a virus or hacker is in your system, they will look for a way to exploit other vulnerabilities.’

Ensuring that anti-malware and a firewall are in place will help reduce the risk of disruption and make any weaknesses more difficult to find. Staff and student data will also be as secure as it can be. Your IT team will need to work with the school’s Designated Safeguarding Lead for advice on any safeguarding requirements. As part of this standard, settings will need to make sure they have a properly configured firewall and that all devices are safe and secure and have anti-malware installed on them. They will also need to check the security of all applications downloaded or installed onto the network.

4. Control and secure user accounts and access privileges

Protecting user accounts is important to ensure that personal data and digital technology are as safe as possible and that staff, students, and third parties only have access to what they need. Settings should agree who has access to what and set up password policies. Furthermore, settings should set up security features, such as multi-factor authentication, for staff.

5. License digital technology and keep it up-to-date

All digital technology must be licensed, and by doing this, settings will receive updates and upgrades which can enhance their use of digital technology. Schools will also receive bug fixes and enhancements, and support if this is part of their licence agreement.

By licensing technology, settings can minimise the risk of viruses, malware and hackers. It can also avoid reputational damage to your setting. Given that school budgets are also being stretched, it may also remove the risk of unexpected costs from having to replace digital technology.

If your setting uses a cloud service, this can be an alternative to licensing software. The supplier is responsible for licensing and updating software.

6. Develop and implement a plan to back up your data and review this every year

The DfE standards describe a backup as ‘an additional copy of data held in a different physical location (which could include being on the cloud) in case the original data is lost or damaged.’ Ensuring your setting has a backup will help you recover important data and systems and allow teaching to continue. It will also help the recovery of damaged and lost files. A setting’s backup plan should be kept up to date and tested termly to ensure it is effective. It should also be reviewed annually or when there is a major change to the systems and/or data. The government's standards suggest that IT support should have at least 3 backup copies of important data on at least 2 separate devices, and at least one of these copies must be off-site.

7. Report cyber-attacks

Everyone is responsible for cyber security, and they must report a cyber incident or attack to their IT team and senior leadership team (SLT). Prompt reporting means an investigation can begin immediately and will help inform the setting of what actions need to be taken. It can also help limit the damage to data and digital technology. Furthermore, appropriate agencies and teams can be notified and brought in to respond to the incident.

What is the difference between these standards and Cyber Essentials? 

These standards, as detailed above, are for all schools and colleges to help build their cyber resilience. They address the core principles of cyber governance, processes and strategy.  

Cyber Essentials is an annual government-backed certification that provides a level of assurance to organisations across all sectors—not just the education sector—on the technical elements of their cyber security.  

Whilst the Cyber Essentials certification is not a requirement, some schools and colleges may wish to complete it as part of their cyber security activities. These standards can help you work towards certification. However, it is for the SLT to decide whether Cyber Essentials is right for your school or college.

Keep your students, staff and school safe online

We understand how important cyber security is to school leaders, and we know that protecting student and staff data is a top priority. That’s why Juniper offers school auditing services to help you assess whether your school meets the DfE’s standards and reduce the risk of cyber threats.

Book a free consultation today with one of our auditing experts for guidance and advice.

However, cyber threats are just one aspect of online safety. As part of safeguarding and child protection, it's crucial for schools, academies, and trusts to focus on online safety.

Our team have also developed remote training courses to help schools keep students safe online and help teachers recognise the signs of online abuse.

Sign up for one of our courses below:

Online safeguarding online abuse course:

10/09/2024 - 10 - 11 am

17/03/2025 - 2 - 3 pm

Level 3 Safeguarding course

11/09/2024 - 9.30 - 3 pm

09/01/2025 - 9.30 - 3 pm

17/06/2025 - 9.30 - 3 pm