2020 Spring Term 2



Cyber security expert Claire Ashton says protecting your school or college from a cyber attack is vital in order to avoid serious consequences. Here, she shares top tips on how you can protect yourself.

Cyber secure?

If you have not been hit by a cyber attack, recent surveys and statistics suggest that you are lucky. A London Grid for Learning (LGfL) and National Cyber Security Centre (NCSC) study (http://bit.ly/ASCLITG4) found that 83% of schools had experienced a cyber security incident, 69% a phishing attack and 35% periods with no access to important information. The vast amounts of personal data, often low technical understanding and busy staff make schools and colleges an attractive target.

Not protecting your school or college can have serious consequences, including harm to individuals, financial loss, regulatory action, system failures, reputational damage and even school closure. So, it’s time to act.


Designed to trick a recipient into installing malicious software or revealing personal information, phishing continues to be one of the most common ways for cyber criminals to attack an organisation – on average, one in ten emails is a phishing email. Fraudsters go to great lengths to make messages look genuine, including sending them from compromised email accounts, and replicating logos and fonts of organisations you know and trust.

While phishing emails can be very convincing, there are ways to spot them. Often, they convey a sense of urgency and are not from who or where they claim to be (hovering over, but not clicking, the sender’s email address and links reveals this). They often do not address you by name, contain grammatical and spelling errors, and ask for sensitive information like passwords or PIN numbers, both of which you should never reveal.
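The warning signs listed above can also be checked automatically. The following Python sketch is an added example, not part of the original article: it flags those signs in a raw email, including the "hover" check that compares what the reader is shown with the real sender and link destinations. The word lists, function names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(urgent|immediately|suspended)\b", re.I)
SECRETS = re.compile(r"\b(password|PIN)\b", re.I)
DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
SAMPLE = """From: "helpdesk@school.example" <alerts@mail-reset.example>
Subject: Urgent: mailbox suspended

<p>Dear user, confirm your password at
<a href="http://login.mail-reset.example/x">portal.school.example</a></p>
"""  # constructed sample message; every name and domain is made up

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.in_link = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.in_link = True
    def handle_data(self, data):
        if self.in_link:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.in_link = self.in_link and tag != "a"

def mismatch(shown, real):
    """True if the text shown names a domain unrelated to the real one."""
    m = DOMAIN.search(shown)
    a, b = (m.group(0).lower() if m else ""), real.lower()
    return bool(a and b) and not (a == b or a.endswith("." + b) or b.endswith("." + a))

def phishing_indicators(raw_email, recipient_name):
    """Return the set of warning signs found (heuristics, not a verdict)."""
    msg = message_from_string(raw_email)
    body, links = msg.get_payload(), LinkCollector()
    links.feed(body)
    display, addr = parseaddr(msg.get("From", ""))
    checks = {
        "urgency": URGENCY.search(msg.get("Subject", "") + " " + body),
        "sender_mismatch": mismatch(display, addr.rpartition("@")[2]),
        "link_mismatch": any(mismatch(t, urlparse(h).hostname or "") for h, t in links.links),
        "no_personal_greeting": recipient_name.lower() not in body.lower(),
        "asks_for_secret": SECRETS.search(body),
    }
    return {name for name, hit in checks.items() if hit}
```

Calling `phishing_indicators(SAMPLE, "Sam")` reports all five signs for the constructed message; a genuine message can still trip one or two of them, so the result is a prompt for a closer look rather than proof.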

If the recipient falls victim to a phishing scam by, for example, downloading an infected attachment or visiting an infected website, they may be installing malicious software (known as malware). This could also happen by plugging an infected removable storage device like a USB into their computer.

One common type of malware is ransomware, which denies access to files or software or threatens to publish data unless a ransom is paid. There is no guarantee that access will be restored or that the attacker will delete the data, and ransoms should never be paid. One US state had to shut down several schools after they were infected with ransomware – read more at http://bit.ly/ASCLITG1 

Steps to improve cyber security 

Phishing and many other cyber attacks exploit common weaknesses in organisations. Here are five ways to protect your organisation that do not require advanced skills and are free or low-cost to introduce.

1. Password management 

Both students and staff can pose a threat to cyber security. Effective password management is a good way to protect your systems and the data stored on them. Even though strong passwords have been a security basic for years, easy-to-crack and reused passwords remain critical vulnerabilities. In 2018, 23.2 million hacked accounts used the password ‘123456’.

Default passwords should be changed as soon as possible, system requirements should enforce sufficient password length and complexity, and multi-step log-in processes, such as two-factor authentication, should be considered where available.

2. Patch management and secure configuration 

Keeping software and apps up to date ‘patches’ weaknesses; updates should be installed as soon as they are available and ideally automated. Shutting down computers every day ensures any updates are identified when rebooting the computer.

As soon as software or apps are no longer supported or required, they should be replaced or retired. Microsoft ended support for Windows 7 this January and has warned customers of the risks of malware if they continue to use it.

3. System privileges

Employees should be allocated system privileges (for example, access to data) based on their role; any additional privileges may lead to accidental or deliberate misuse, resulting in unauthorised and unlawful access to information. Accounts with higher levels of access are more appealing to criminal hackers, as breaching one is more likely to lead to high-value data theft or greater scope for service disruption.

4. Account management

Forgotten software and network accounts are an easy target for cyber criminals, so the timely removal of leavers’ accounts is critical. If former employees continue to access your systems, the school or college will be held accountable for not appropriately securing personal data (and the unauthorised individual can be prosecuted for unlawfully accessing it).

5. Secure remote working 

The risks of working remotely should not be overlooked. Encrypt laptops and mobile devices as well as removable media, and introduce and enforce policies for remotely accessing sensitive systems and taking sensitive documents out of school or college.

Supporting students into a cyber security career

With a national shortage of cyber security professionals, the National Crime Agency (NCA) and NCSC are working together to encourage children and young people to use their cyber skills positively, including by offering guidance and support to schools and colleges. The NCSC’s CyberFirst programme for ages 11–19 aims to develop the next generation of cyber professionals – find out more at http://bit.ly/ASCLITG2

The NCA has useful information and resources on its website at http://bit.ly/ASCLITG9. Find out more about careers in cyber security at http://bit.ly/ASCLITG3

And, finally, be ready

Understanding what to do if things go wrong, both to recover and to continue operating, is critical as no security measure is foolproof. Business continuity management is about taking steps to ensure you can continue to operate during any disruption and recover quickly – see more at http://bit.ly/ASCLITG5

Further guidance and resources

Cyber Essentials: This government-backed scheme is a cost-effective first step in improving cyber security and can help protect from around 80% of cyber attacks. The certification process supports many of the areas covered in this article. Read more at http://bit.ly/ASCLITG6 

IT Governance: ASCL preferred supplier IT Governance offers a complete range of cyber security services, including the Cyber Essentials scheme and security testing. ASCL members are entitled to a 10% discount on its full product range – find out more at http://bit.ly/ASCLITG8

Free awareness poster: Download the IT Governance cyber security awareness poster at http://bit.ly/ASCLITG10

Claire Ashton
Cyber security expert at IT Governance