What can schools do to protect against cyber-attacks?

As concerns grow that the independent schools sector is a target for cyber criminals, bursars and school leaders need to be aware of the insurance options available to them.

Our free-to-use cyber risk exposure calculator can help explain and assess the level of exposure that a school of any size has to the growing threats of cybercrime.

Schools should also regularly evaluate their insurance policies. Whilst having public liability, employers’ liability, and buildings and contents insurance is standard practice for schools, having a robust cyber insurance policy is something that shouldn’t be overlooked. By having cyber liability insurance, you can help protect against privacy breach costs, digital asset replacement expenses, business interruption, cyber extortion, reputation damage and media liability, to name but a few.

If you suffer a data breach, what action should you take?

Unfortunately, even the best plans and procedures can't completely eliminate risk. If you do suffer a cyber-attack there are some important actions school leaders should take:

  • Establish a crisis team: If you haven’t already, create a team that specifically understands what they should do in the case of a cyber emergency. The protocol should include the communications strategy (both internal and external), and clearly identify who is responsible for contacting relevant stakeholders and who manages the insurance and legal aspects that follow. In addition, you must be aware of your school’s requirement to notify security breaches to the Information Commissioner’s Office (ICO) within the stipulated time frames. For example, with regard to personal data breaches, the GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach.

  • Contact your insurers and legal advisers: It’s important that you act quickly: contact your legal advisers and insurers immediately to ensure that you understand how you’re protected and whether you need to take any legal action.

  • Communications plan: Another important action is to establish the communications that need to be made once an attack takes place. Consider the messages you want to share with your employees, pupils and parents to ensure concerns are addressed, and where possible, alleviated.

  • Restrict access: Restricting access is very important. If you do not feel that an employee requires the data, do not allow them access to it. If an attack does happen, ensure that interim access can be restricted to the crisis team.

As cybercrimes continue to become more sophisticated, schools need to be alert to the many breaches they potentially face. Establishing a plan and ensuring that insurance policies truly protect against the damage caused by an attack must be considered a priority, especially as cyber-attacks don’t appear to be going away.