How the independent education sector can safeguard against cybercrime

Independent but insecure

With sensitive pupil data on file, as well as the financial details of fee-paying parents and guardians, cybercrime is now one of the fastest-growing risks to independent schools. How, then, can independent schools stay one step ahead of cyber criminals?

Independent schools are increasingly identified as ‘easy pickings’ for cyber criminals, and the number of attacks on them has risen sharply in recent years.

Given the sensitive pupil information that schools are privy to, the issues of cyber-security and safeguarding are inextricably linked. Whilst safeguarding is a well-established function of school governance, the notion of a specific role in cyber-security is relatively new.

One school governor, who has spoken with Endsleigh, stated that 15 years ago schools underestimated the potential impact of social media and were slow to equip themselves to use it. The same can now be said for the way schools are responding to cybercrime.

School bursars are often given the task of procuring cyber-security systems; however, without specialist knowledge or enough time to investigate the market, the task can easily be given lower priority.

Yet the problem will not go away, with independent schools likely to remain high on the list of targets for cyber criminals. It is critical, therefore, that the vulnerability is acknowledged, future responsibility is clearly appointed and appropriate resources are provided.

Facing the facts

What, then, are the major cyber-security risks independent schools should be planning for?

  • Phishing attacks: where hackers break into a school’s IT system and, for example, contact parents with false payment details when fees are due. Unsuspecting parents duly accept the new information, with the hackers quick to close down accounts once any payments have been made.

  • Ransomware: here, hackers gain access to sensitive data – such as pupil records, parents’ financial information, or even CCTV footage – and demand huge sums of money to relinquish the data, often with no guarantee of return once payments have been made.

  • Other threats include the permanent deletion of digital files, ranging from educational resources through to the aforementioned sensitive data.

Any of these occurrences can easily result in significant – and long-term – reputational damage for a school, not to mention the potential loss of income if worried parents decide to move children elsewhere.  

How to stay one step ahead

  • Staff should be trained in basic cyber-security principles to ensure they understand why certain protocols must be followed when it comes to data protection, and how to spot potential breaches.
  • Either a cyber-security governor or a senior member of staff should also be appointed to ensure best practice is maintained, with a clear reporting process identified to flag any concerns or potential breaches.
  • Protection software should be regularly updated and installed on all operating devices. Be sure to update all devices when prompted, and regularly check for operating system upgrades.
  • Wi-Fi networks should also be made secure, and adequate firewalls used for all internet connections. Passwords should be regularly changed.

Most importantly, ensure your school has a dedicated cyber liability insurance policy.

Not only does a policy typically cover loss of income related to a cyber-attack, but it can also cover the cost of third-party experts should they be required, such as a forensic investigator or ransom negotiator. As such, it should be a fundamental part of a proactive cyber resilience strategy.

To quickly assess your school’s vulnerability to a cyber-attack, use our cyber risk exposure calculator.