Cybersecurity advice for schools
Schools hold a wide range of sensitive information about pupils, parents and staff. There are criminal gangs who specialise in attacking schools' IT systems, and who will exploit any technical vulnerability they can to steal that data and use it to commit fraud.
Every school is at risk of being attacked and needs direct access to IT staff with the relevant skills to maintain and secure its systems. If you only have one IT support person, you need to consider what happens if you are attacked when that person is unavailable.
You should keep all systems up to date with security patches and updates. Securing systems to “best practice” levels, including applying emergency patches promptly, will reduce the chance of them being successfully attacked.
If you are successfully attacked, it is likely that Haringey will place restrictions on electronic connections with you, to reduce the heightened risk of the council being attacked via your already compromised systems, or by fake communications using your stolen data.
Stolen data is most often used to:
- blackmail the school by threatening to publish the data online. Criminals will often encrypt the school’s systems and data after the theft, leaving you with no access to the data until the 'ransom' is paid
- commit fraud on individuals, or to impersonate them and commit fraud under their identity
It is therefore essential for schools to act now to make sure their systems are secure.
Recommended actions
- Make sure you have enough IT resources, internal and external, to support your systems to a good standard
- Regularly review your anti-malware, firewall and operating systems and make sure you apply the latest updates
- Regularly check all key system logs – especially firewall and anti-malware logs – for suspicious events, and escalate any you find to the relevant IT technical person for further investigation
- Disable USB access for all users and ensure any one-off exceptions allowed are tightly controlled and disabled after use
- Implement multi-factor authentication (MFA) to reduce the chances of a disclosed logon and password being used to remotely access your systems – especially for administrative logons
- Use the “least needed” principle for granting access rights to logon accounts
- Sign up for any NCSC free tools for the Education sector
- Stop or minimise the use of remote desktop protocol (RDP) to access systems. You should also make sure any RDP sessions are closed off when completed
- Back up your data frequently, so you can recover data from weeks and months prior to detecting a compromise. Criminals who gain access to your systems plant their encryption tools, then lurk before setting off a ransom attack. This means the infection can be present in the recovered systems and data, and as soon as you put the recovered systems online the encryption is re-triggered
- Secure your school's email domain against spoofing as per the National Cyber Security Centre (NCSC) guidance. This reduces impersonation of your school's emails, and by 100% for emails sent to the council
- Check the anti-spoofing status of your email service
- Sign up to the London Grid for Learning (LGfL) newsletter for security and other updates
- Read NCSC's cybersecurity for schools guidance
- If you're an LGfL customer, look at LGfL's security and device management pages and follow all relevant advice about configuring, checking, and responding to alerts from defence systems
- Make sure all staff receive cybersecurity awareness training – find training at the NCSC website
- Consider cyber insurance or cyber-incident response services. Recovery from ransomware is expensive – technical assistance will cost £1,000 to £3,000 per day
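For the two email anti-spoofing actions in the list above, the following is an added example, not part of the original guidance, of what an IT technician can check in a domain's published DNS TXT records. It assumes the anti-spoofing controls in question are SPF and DMARC; the function names and the `school.example` records are constructed for illustration.

```python
# Added example: sample records below are constructed, not real school data.

def assess_spf(txt_records):
    """Classify the SPF policy found among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid-multiple"      # receivers treat >1 SPF record as an error
    for term in spf[0].lower().split()[1:]:
        if term == "-all":
            return "hardfail"          # unlisted senders fail the SPF check
        if term == "~all":
            return "softfail"          # unlisted senders are only marked suspicious
        if term in ("+all", "all", "?all"):
            return "permissive"        # no restriction on who may send as this domain
    return "no-all-term"

def assess_dmarc(txt_records):
    """Classify the DMARC policy published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return "missing" if not dmarc else "invalid-multiple"
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        return "monitor-only"          # p=none or no valid p tag: spoofed mail is still delivered
    if tags.get("pct", "100") != "100":
        return "partial"               # policy applied to only a share of mail
    return "enforced-" + policy

def spoofing_status(domain_txt, dmarc_txt):
    """Return (protected, findings) for one domain's published records."""
    spf, dmarc = assess_spf(domain_txt), assess_dmarc(dmarc_txt)
    protected = spf in ("hardfail", "softfail") and dmarc.startswith("enforced")
    return protected, {"spf": spf, "dmarc": dmarc}

# Constructed records for a hypothetical domain, school.example
WEAK = (["v=spf1 include:mail.example ~all"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@school.example"])
STRONG = (["google-site-verification=abc", "v=spf1 include:mail.example -all"],
          ["v=DMARC1; p=reject; pct=100"])

if __name__ == "__main__":
    for name, (txt, dmarc) in (("weak", WEAK), ("strong", STRONG)):
        print(name, spoofing_status(txt, dmarc))
```

A domain that publishes SPF but leaves DMARC at `p=none` is reported as unprotected, because receiving mail servers are not told to quarantine or reject messages that fail the checks.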