As educational establishments become more and more reliant on technology for teaching, administration, and communication, they face growing risks from cyber threats. With extremely sensitive data that includes staff and pupils’ personal information and financial records, there is a much higher risk of unauthorised access or theft.
The importance of robust cybersecurity measures for Multi-Academy Trusts cannot be overstated. We are focussing on them today because, whilst cybersecurity is important across all education establishments, when schools merge and become an MAT, there are a lot of risks around information sharing.
The Rising Threat of Cyber Attacks in Education
The education sector needs to protect itself as much as any company in the UK:
- 52% of primary schools identified a cybersecurity breach or attack
- 71% of secondary schools identified a breach or attack
- 86% of colleges and 97% of universities reported identifying a breach or attack in the last year.
Primary and secondary schools also reported having less awareness of cybersecurity guidance and practices. Meanwhile, funding constraints mean schools and trusts have become much more reactive to cybersecurity breaches as opposed to being proactive. Both of these factors highlight the need for robust cyber security measures in schools.
Types of cyber threats targeting schools
Schools face a wide range of cyber threats, each with its own set of risks and potential consequences. Phishing, impersonation and malicious software (malware) attacks have emerged as the top 3 ways that cyber criminals attempt to access data within schools.
- Phishing attacks remain a persistent danger. They exploit people to gain unauthorised access to sensitive information, enable theft of school funds, and are the delivery vehicle for malicious software.
- Malware infections, including viruses, Trojans and ransomware, pose significant risks to school networks, potentially compromising data integrity and confidentiality, impairing system functionality and denying access to files (availability).
- Distributed Denial of Service (DDoS) attacks have also become increasingly common, overwhelming school networks and disrupting essential online services.
Multi-Academy Trusts can be seen to be more vulnerable to cyber threats due to the wider scope of information sharing. One school may have a thousand pupils and 60 staff members whose information is at risk; with a Multi-Academy Trust, this could be anywhere from 2-20 times higher.
GDPR Compliance
The General Data Protection Regulation (GDPR) plays a significant role in shaping cyber security practices for schools within MATs. Under GDPR, schools must process personal data securely using appropriate technical and organisational measures. This includes implementing strong data protection policies, conducting regular audits, and providing staff training on data handling.
MATs should appoint a Data Protection Officer (DPO) who is responsible for overseeing GDPR compliance and advising on data protection strategies.
While 81% had an appointed Data Protection Officer (DPO), a study from the ICO found that many Multi-Academy Trusts are falling short when it comes to data protection measures. The study revealed that 72% of MATs did not have policies in place to document data minimisation and pseudonymisation practices as required by Article 25 of the GDPR. While some Trusts had a general approach to these practices, they failed to provide staff with clear procedures on implementation. Additionally, 54% of MATs did not integrate core privacy considerations into their project and risk management methodologies and policies.
One key aspect of GDPR compliance is the need to report data breaches to the Information Commissioner’s Office (ICO) within 72 hours of discovery. MATs must have clear procedures in place to identify, assess, and report breaches promptly.
Academy Trust Handbook
The Academy Trust Handbook, which applies to all academy trusts in England, outlines specific cyber security requirements. MATs need to be vigilant about the risk of fraud, theft, and irregularity and must establish appropriate controls to address these risks.
The Handbook also highlights the need to be mindful of cybercrime and implement suitable controls to mitigate this risk.
Essential Cyber Security Measures for MATs
It’s important that MATs, and all educational establishments alike, implement robust cyber security measures to protect digital assets and sensitive information. By focusing on a few key areas, the risk of cyber attacks can be reduced:
- Implementing training programmes that cover essential topics such as data protection, information security, records management, and data sharing, and carrying out regular assessments of training needs for all staff groups, including temporary and contract staff, to identify gaps in knowledge. Specialised training should be provided to staff in key roles, such as data protection officers, business managers, and head teachers, who may need to deal with data breaches or subject access requests.
- Encouraging open discussions about cyber security, including the importance of strong passwords, staying safe online, and using multi-factor authentication, and making it easy for staff and students to report potential threats.
- Using multi-factor authentication (MFA) to add an extra layer of protection that keeps user accounts secure even if passwords are compromised. MATs should prioritise implementing MFA for senior leaders and staff who work with confidential, financial, and personal data.
- Carrying out regular security audits and assessing cyber policies, incident response plans, and overall risk management strategies.
- Carrying out regular checks on both manual and electronic files to ensure data minimisation and accuracy.
Developing a Robust Cyber Security Plan
Having a well-structured and robust cyber security plan is important to effectively manage and reduce the impact of cyber attacks. The plan serves as a roadmap for each of the schools within the MAT to follow before and during a crisis to minimise damage and restore normal operations.
The rising threat of cyber attacks has a significant impact on the education sector. By implementing cyber security and data protection strategies, including staff training, multi-factor authentication, and regular security audits, MATs can better protect their digital assets and sensitive information. Finding the right balance can be tricky, but that’s where we come in. Our team is here to help you navigate these challenges and ensure your organisation’s digital defences are robust.