The Cyber Security Schools Audit

The recent Cyber Security Schools Audit revealed that 78 per cent of schools fell victim to at least one type of cyber incident in 2022 – with seven per cent experiencing significant disruption as a result. LGfL-The National Grid for Learning examines the report further.

Schools continue to remain at particular risk from cyber criminals and must demonstrate vigilance, say the National Cyber Security Centre (NCSC, part of GCHQ) and edtech charity LGfL-The National Grid for Learning (LGfL), who recently published their Cyber Security Schools Audit 2022 of UK schools nationwide.

The report found that 78 per cent of schools fell victim to at least one type of cyber incident in 2022 – with seven per cent experiencing significant disruption as a result.

Twenty-one per cent suffered a malware and/or ransomware attack and 18 per cent faced periods with no access to important information. Twenty-six per cent had not implemented multifactor authentication to safeguard important accounts.

The report found that 25 per cent continued to allow limited staff access to USBs that can compromise systems through infections from computer viruses, malware and spyware, and four per cent had no backup facilities. Six schools meanwhile reported a parent losing money due to a cyber incident.

The top attack vectors used by criminals were phishing, in which attackers send fraudulent emails to deceive staff into revealing sensitive information, and spoofing, in which attackers impersonate someone else to gain a victim's confidence, gain access to a system, steal data, or spread malware. The third most used vector was malicious software, including malware, which is used to disrupt or gain access to systems; viruses, which are programs that, when executed, replicate themselves by modifying other computer programs and inserting their own code; and ransomware, which is designed to block access to a computer system until a sum of money is paid.

Skills shortages

Given the global shortage of skilled, experienced cybersecurity professionals, even large corporations struggle to recruit qualified staff. That said, large businesses typically have high-level senior leaders responsible for cyber security and a dedicated IT team, as does the public sector, which has the same level of awareness but not necessarily the same level of resourcing. In contrast, schools (bar multi-academy trusts) typically don’t have a member of staff responsible for cyber security in the same way as they have a Designated Safeguarding Lead who reports into the Senior Leadership Team.

Across schools, the level of support varies dramatically. Multi-academy trusts are likely to have a team disseminating information and training, in contrast to primary schools, which often rely on short visits from an IT technician to undertake patch management, resolve their issues and keep their systems up to date.

For cash-strapped schools struggling with the cost of living crisis, and rightly focussed on teaching and learning and keeping children safe, recruiting qualified staff is both a significant challenge and an additional expense. This is why LGfL and partners, which include some of the world’s largest security providers, have published an additional report that includes further analysis and important next steps for schools, also available at securityaudit.lgfl.net.

However, the audit did reveal that schools are wising up to the cyber threats they face: 53 per cent of the schools reported they felt prepared for a cyber-attack (compared to 49 per cent in 2019), and awareness of phishing in schools has increased from 69 per cent in 2019 to 73 per cent in 2022.

What's more, 55 per cent (compared to 35 per cent in 2019) implemented staff training for non-IT staff, and 49 per cent (compared to 41 per cent in 2019) have included their core IT services in a risk register or business continuity plan. Ninety per cent, meanwhile, compared to 33 per cent in 2019, have at least one of the following: a cybersecurity register, risk register, or business continuity plan.

More work must be done

Sarah Lyons, NCSC Deputy Director for Economy and Society said: “Our schools rely so much on the myriad of data required to run efficiently - including sensitive data on students, parents, governors and staff - therefore more work must be done to support the cyber security around these essential services. That’s why the National Cyber Security Centre has been working with schools and the education sector to provide free tools and guidance to help schools manage their cyber risks effectively, and supporting them to keep this valuable information safe.”

Mark Bentley, Safeguarding and Cyber Security Lead, LGfL, said: “Cybersecurity can sometimes feel like a Rubik’s cube that changes its colours just as you are on the verge of solving it. Every week seems to bring new threats and make the list of ‘vital steps to stay protected’ grow even longer! But as with any complex issue, you can do a lot to manage and mitigate cybersecurity risks and this report is helping us to shape the support needed so that schools can do just that. My final message to schools is ‘Don’t panic but do think about it’.”

Commenting on the audit, Christian Smith, Director of ICT, St Benedict’s School, Ealing, said: “Child protection is always foremost in any school’s plans and agenda, and protection in online spaces of people, data and infrastructure, is just as important. The NCSC/LGfL Cyber Security Schools Audit has been massively important in allowing us to look at our own practices and see how we fit against other schools, as well as take a step back and discuss the wider implications for our plans and budgets.

“Schools don’t have an infinite budget, and many are facing cuts, but the reliance on safe, secure and robust technical and digital pathways to teach, track and learn are increasing and a priority for many schools. Ensuring cloud, local and hybrid technologies not only meet our needs, but are also cost effective, secure and disaster survivable is key, and the Cyber Security Schools Audit allowed us to take stock of where we are, and how we move forwards.

“An opportunity to evaluate digital change and its impact on the whole school community is extremely helpful and has allowed us to take advantage of the excellent tools and resources that the NCSC site offers for all users.”

 
