Cyber security is increasingly critical for schools and academies as a breach can affect an academy’s ability to function until it is rectified. In addition, the security of its data and its reputation may be jeopardised. To manage this risk, academy leaders should take steps to ensure that they, and all staff, are aware of cyber risks faced by the academy, and put in place plans to manage a cyber incident.
However, many find that they are unsure how to start the conversation in respect of the academy’s approach to cybersecurity. Here Emma Swann and Coral Peutrill advise on some of the things to consider.
Cyber security in the simplest terms means taking steps to protect your devices and online services from theft or damage, alongside preventing any data which is stored on devices from access by unauthorised users.
To check whether your academy is prepared for the increasing cybersecurity risks which face the education sector, ask yourself these questions.
- Does the academy keep an easily accessible list of its different IT service providers?
- Has the academy identified the crucial parts of its digital estate, and sought assurance about its security?
- Does the academy have a proper back up and restoration plan in place in the event of a cybersecurity attack?
- Do the academy’s governance and IT policies reflect the importance of good cyber security, and are these policies provided to all staff and reviewed on a regular basis?
- Are staff trained to know and recognise the common cyber security threats and incidents that are experienced, including using mock phishing scam techniques?
- If the academy were to temporarily lose access to its data and/or internet connection could it still operate and deliver high quality education to its pupils?
- Do you know who to contact if the academy falls victim to a cyber incident?
If the answer to any of these questions is ‘no’ or ‘I don’t know’, then you should review the academy’s cybersecurity protocols. You need to ensure that:
- the correct information seeking exercises are carried out
- the importance of cybersecurity is understood by all staff
- the academy is prepared for the potential impact of a cybersecurity incident.
What the Academy Trust Handbook says about cyber security
Reflecting the increased risk that academies face in respect of cybersecurity, the Academy Trust Handbook, which applies from September 2021, introduces a new section in relation to cybercrime. The handbook highlights the Education and Skills Funding Agency’s support of the National Crime Agency’s advice to not pay cyber ransoms. It means academy trusts must obtain permission from ESFA to pay any cyber ransom demands. Preventing cybercrime is more effective than dealing with it once it has happened. Therefore, academy trusts must now have in place proportionate controls and plans to help them to take appropriate action where a cyber security incident occurs.
Our virtual Cyber Conference on 21 – 23 September 2021 could also guide you in the right direction to fully protect your academy from increasing cybersecurity risks. Find out more and book your free place here.