2021 Autumn Term 2


With cybercrime on the rise and fraudsters increasingly targeting schools and colleges, Hayley Dunn shares advice on how to be cyber secure.

Be cyber secure

Since late February 2021, there has been an increased number of ransomware attacks that have affected education settings in the UK, including schools, colleges and universities. 

The National Cyber Security Centre (NCSC), part of Government Communications Headquarters (GCHQ), issued an alert (tinyurl.com/tpj9j446) in response to further targeted ransomware attacks on the education sector by cyber criminals. 

Recent attacks 

Where attacks have taken place, usually large amounts of data are encrypted, but fraudsters may also steal or delete it. An initial attack will be promptly followed by a threatening demand for funds in the form of cryptocurrency to release or restore the compromised files. One academy trust was quoted as saying that the attackers demanded $4 million in cryptocurrency. 

Restoring services can take weeks if not months of work. Rather than just disabling networks, fraudsters have moved to focus on potentially confidential and sensitive information. The costs can be astronomical, including system downtime, lost efficiency, new devices, new network infrastructure, lost opportunities, possible third-party claims and Information Commissioner’s Office (ICO) fines. 

The rising risk to the sector is reflected in a recent change to the Academy Trust Handbook 2021: a new section has been introduced in Part 6 of the handbook (tinyurl.com/3e7ny9c4). It states that trusts must be aware of the risk, have proportionate controls, act where an incident has occurred and obtain permission from the Education and Skills Funding Agency (ESFA) to pay any cyber ransom demands.

Reducing the risk 

The problem with assessing and reducing the risk of cybercrime is that risk assessment is subjective in nature and cyber security is a specialist topic. But there are resources available that will support you in this and I would recommend including cyber security in your risk register. 

Using the ESFA’s risk management good practice guide (tinyurl.com/pwk8fw9b), it is likely that the risk of cybercrime would rate as ‘likelihood’ high or very high, and ‘impact’ as high or very high. You could also use the guide’s 4Ts risk management strategy of Tolerate, Treat, Transfer, and Terminate to assess how to address the risks. Here’s an example:  

Tolerate: Cybercrime is not a risk that we can accept or retain; the potential for business continuity disruption and impact on pupils’ learning is too high. Doing nothing is not an option.

Treat: There are actions and resources that can help to reduce the risk and impact. This could include training staff and pupils to be aware of the risks and the actions they should take. The NCSC has an e-learning package that can be completed online or built into your own training platform (tinyurl.com/25nwrnxe). The advice for staff falls into four broad categories: protection, using strong passwords, securing devices, and reporting incidents, with the key phrase being “if in doubt, call it out”.

Transfer: Insurance and external support are both options but need to be assessed for coverage and potential gaps. The NCSC suggests asking your insurance broker or provider what services and support are available to deal with a cyber incident and how cyber insurance could help your school or college get back up and running, should something cyber-related go wrong.

Terminate: Cybercrime is not a risk that can currently be avoided or eliminated; your approach to treating and transferring the risks is key to protecting your school or college.

Dealing with an attack 

The DfE supports the National Crime Agency’s recommendations not to encourage, endorse or condone the payment of ransom demands. Payment of ransoms has no guarantee of restoring access or services and will likely result in repeat incidents to educational settings. 

If your school or college is attacked, you are advised by the DfE to follow these four steps: enact your incident management plan; contact the National Cyber Security Council (report.ncsc.gov.uk); contact local law enforcement and Action Fraud (www.actionfraud.police.uk); and inform the DfE by emailing sector.securityenquiries@education.gov.uk.

It is impossible to eliminate the risk and the attackers are continually adapting their devious methods, but we can make it as difficult as possible for them.  


Hayley Dunn
ASCL Business Leadership Specialist
@ShropshireSBM

