Schools, universities, and further education providers might not seem an obvious target for cybercriminals. There are far more lucrative and high-profile targets out in the wider economy, so why attack a school or college? Unfortunately, education providers’ lower profile doesn’t protect them from cybercrime. In May 2020, Microsoft Security Intelligence found that 61% of nearly 7.7 million malware encounters came from those in the education sector. There has also been a rapid rise in the number of cyberattacks on schools, universities and colleges. September 2020 and February 2021 saw a spike in ransomware attacks on the sector, prompting the National Cyber Security Centre (NCSC) to urge the education providers to take action to better protect themselves.
It’s not hard to understand the NCSC’s concern. For those education providers who do suffer a breach, the consequences can be severe. For example, the government’s 2021 cybersecurity breaches survey found that a third of schools that suffered a breach lost control of their systems, data, or money. For institutions with already stretched budgets, being required to pay a ransom for the return of sensitive data spells potential disaster. Meanwhile, any systems outages caused by a successful attack could prove detrimental to students’ education – particularly during the COVID-19 pandemic when most teaching has been virtual.
Studies show the education sector is one of the least well-protected. Last year, a hacker simulation test proved 100% successful in breaching 50 universities across the country. The test was able to access student and staff personal data, financial systems, and valuable research networks. It’s not just that schools, colleges and universities often lack sufficient defences to repel attacks, they’re also filled with hundreds or even thousands of staff all using the internet. It only takes one miss key depression on a phishing email or bogus website to give cyber criminals access to a trove of sensitive data. You’ve probably heard the phrase ‘Cyber Essentials’ mentioned, but what is it?
Cyber Essentials is a government-backed certification scheme that covers the essential actions every organisation should take to ensure its digital security and protection from cyberattacks. Think of it as ‘cyber hygiene’ – a bit like washing your hands, brushing your teeth or wearing a face mask.
Is your internet connection secure?
Are the most secure settings switched on for every company device?
Do you have full control over who is accessing your data and services?
Do you have adequate protection against viruses and malware?
Are devices and software updated with the latest versions?
Once you understand these basic controls and have them in place, Cyber Essentials requires you to fill out a self-assessment questionnaire confirming your organisation’s devices and systems meet the criteria. You then sign and submit for review by a certification body. If all goes well, your organisation is passed and can consider itself secured to the UK government standard. This is renewed year on year.
Cyber Essentials Plus is an independently assured assessment of the school’s compliance with the Scheme. Government departments including the ESFA are already using Cyber Essentials Plus as a more rigorous due diligence requirement. This certification process includes vulnerability scans on the inside and outside of the school or trust IT network.
First Class offer expert guidance to ensure you pass first time. Contact us on 01543 414152.
First Class reduces the Cyber Essentials certification time from months to a matter of days.
