Teach Secondary 13.8
easy way for attackers to access your school’s camera feed and network. If the device or system is procured from outside of an IT department’s oversight, this can be missed – until the IT department has to deal with the subsequent fallout. It’s important to adopt a joined-up approach, whereby key individuals will regularly meet before procurement processes even start.

What are the most salient cybersecurity issues at the moment that schools ought to be aware of?

The biggest threat remains phishing emails. Everybody’s familiar with those these days, but they’re still a surprisingly easy way of gaining access to secure systems. They’ll often go hand in hand with other vulnerabilities, so that if someone can be prompted to click on to a webpage and enter their school email address and password, and have a remote desktop environment set up, you’ve effectively given away that account login for remote access. Setting up multi-factor authentication within a school environment can present challenges, but will provide an important line of defence against that kind of easy access into your network.

Something else we see quite regularly, but which gets comparatively little press, is financial fraud. Keeping in mind those phishing emails, this will often come down to a compromised account belonging to a headteacher or school business manager. The fraud occurs when emails are sent on their behalf, requesting transfers of funds or belated invoice payments. Since finance staff are responding to emails from a seemingly legitimate sender, those payments can, and will, be transferred immediately.

Guarding against this might involve implementing more secure financial processes so that any changes of bank details will be checked, or alerts issued if something doesn’t quite look right. Adopting an open policy or ethos across the school can empower junior colleagues to pick up the phone and check whether a senior colleague genuinely gave the relevant instructions.
What approaches to training staff in cybersecurity matters would you recommend?

That’s something many schools can work on using existing product licences. LGfL makes Sophos Phish Threat available to schools, which includes simulated phishing emails and training. Users can generate reports on who’s clicked through after how long, how much of their details they entered, and so on, which can definitely help to raise awareness.

One new area now addressed by the DfE standards is including students in cybersecurity awareness sessions as well, since they too will have accounts on your network. The risk of them clicking on something they shouldn’t when using a school device is really no different to that of a teacher doing the same thing. Once attackers establish that initial foothold, they can traverse laterally to servers and other devices.

What’s critical is securing time from SLT that can be dedicated to cybersecurity awareness, and for there to be a ‘drip feed’ of cybersecurity awareness throughout the academic year. That drip feed, combined with simulated phishing emails, is a great way of improving cyber awareness.

Gareth Jelley is Product Security Manager at LGfL – The National Grid for Learning; for more information, visit lgfl.net

THE ELEVATE CYBER SECURITY TOOLKIT FOR SCHOOLS

Schools keen to start developing or renewing their cybersecurity policies will find a range of useful documents and templates within the LGfL-produced Elevate Cyber Security Toolkit for Schools. Its roots lie in a joint audit carried out by the National Centre for Cyber Security and LGfL back in 2019, which found that while many schools did have technical safeguards in place, they tended to lack essential documentation and planning processes. Fewer than half of those schools surveyed had documented their core IT services, or prepared a full contingency plan for potential cyberattacks.
The resulting resource is free to download, and intended to help schools respond to the DfE’s latest Cyber Security Standards for Schools and Colleges. Its contents include a self-led cybersecurity audit template that schools can use to evaluate their existing cybersecurity provision and identify any strengths and weaknesses, as well as further templates for drawing up a cybersecurity policy, incident response plan and risk reporting system, presented using language that doesn’t assume specialist cybersecurity knowledge on the part of teachers. There is also an example risk register, asset register and software register, all saved as fully editable xlsx files. To find out more and to download the materials, visit elevate.lgfl.net

“If you’re not doing enough to look after your students’ data, you’re not keeping them safe”