Teach Primary 18.8
FEATURES LEADERSHIP

Lock it DOWN

Gareth Jelley offers cyber security advice for schools

Figures released by the Information Commissioner’s Office show 347 cyber incidents were reported in the education and childcare sector in 2023 – an increase of 55 per cent on 2022. Meanwhile, government data suggests most schools have identified a cyber-security breach in the past year (tinyurl.com/tp-CyberBreaches).

A great place to learn more about best practice is the Department for Education’s guidance for schools (tinyurl.com/tp-CyberStandards), which outlines the standards that your school should meet on cyber security and user accounts.

The guidance highlights that cyber incidents and attacks have significant operational and financial impacts on schools, as well as reputational damage. Data breaches can lead to safeguarding issues, due to sensitive personal data being compromised, and may even affect pupil outcomes. Significant and lasting disruption, including the risk of repeated future cyber incidents and attacks, and even school or college closure are also possible.

But what can schools do to boost security?

Risk assessment

It’s really important to understand the risks associated with your hardware, software and data if you are to keep pupils and staff safe. You should aim to conduct a cyber risk assessment annually and review it every term. Begin by identifying weaknesses. Then put processes in place to help reduce risk, secure systems to make them more resilient to attacks and prepare a cyber response plan to be implemented quickly in the event of a serious incident, to minimise any impact to the school.

Rapid response

Create a risk management process and cyber response plan that you can roll out in the event of a cyber incident (lgfl.net/services/security/elevate). Start by creating a risk register – collectively identify, analyse, and solve risks before they become problems and place into a regularly tested business continuity plan.
Keep cloud-based and hard copies of your plan and documentation. Next, prepare a Cybersecurity Incident Response Plan, including instructions on how to respond to a serious security incident, such as a data breach, data leak, ransomware attack, or loss of sensitive information. Finally, put in place risk protection arrangement (RPA) cover, which can be a cost-effective alternative to commercial insurance (tinyurl.com/tp-RiskProtect).

Building barriers

Safeguard your digital technology and data with anti-malware – a type of software program created to protect information technology (IT) systems and individual computers from malicious software, or malware. You should also ensure you have a firewall in place; this is a cybersecurity solution that protects your computer or network from unwanted traffic coming in or going out.

You’ll also need to implement Role-Based Access Control (RBAC), where the level of access to the network is determined by each person’s role within the school, and employees are only allowed to access the information necessary to effectively perform their duties.

Keeping up to date

Replace software and systems that no longer receive regular security updates from their vendors, as this could impact the level of security afforded. Download security patches (software and operating system (OS) updates that address security vulnerabilities within a program or product) as soon as possible. This will resolve hardware, operating system and application vulnerabilities that could be exploited by hackers.

Make sure your systems are backed up on a regular schedule, and store your backups in different physical locations (including the cloud) so that you can reinstall current data should a cyber-attack take place. The National Cyber Security Centre (NCSC) advises schools to make three copies of their data, two of which should be on separate devices and one of which is offsite – this could include a cloud backup service.
And if you are unfortunate enough to be targeted, contact Action Fraud (actionfraud.police.uk) as soon as possible. Action Fraud is the UK’s national reporting centre for fraud and cybercrime, and a central point of contact for information about fraud and financially motivated internet crime.

Visit lgfl.net/security for further advice and support.

Gareth Jelley is product security manager at edtech charity LGfL-The National Grid for Learning.

www.teachwire.net