As the new academic year kicks off, school leaders have received a stern warning from the National Cyber Security Centre (NCSC): they must be prepared to defend against cyberattacks. While schools may not typically be targeted as frequently as businesses, their perceived vulnerability due to less robust defences makes them opportune targets for cybercriminals.
The NCSC emphasised the importance of having “appropriate security measures” in place to prevent disruptions caused by cyber threats. Though there is no immediate indication of an increased threat as schools reopen, the start of a new term can magnify the impact of any potential attack.
Don Smith, Vice President of the Counter-Threat Unit at cybersecurity firm Secureworks, pointed out that the back-to-school season presents opportunities for cybercriminals. Activities like creating accounts for new students and staff, along with a school’s stance on portable devices like laptops and tablets, could introduce vulnerabilities.
Smith explained, “Summer is a time when people are using their devices to have fun, play games, that sort of thing. If you’ve allowed teachers and pupils to take devices home or bring their own, these devices may have picked up infections and malware that can enter the school network, creating problems.”
Last September, six schools in the same academy trust in Hertfordshire experienced a cyberattack that disrupted their internal systems just weeks into the new term. Recently, Debenham High School in Suffolk faced a similar situation when a hack took all its computer facilities offline, prompting technicians to work tirelessly to restore them before the term began.
While schools are not usually specifically hit by concentrated attack campaigns like businesses, they still pose as an opportune target as they often lack the robust cybersecurity defences found in businesses, primarily due to limited budgets and spending priorities. Smith stressed the need for “basic digital hygiene,” which includes implementing two-factor authentication for school accounts and keeping computer systems and software up to date.
More so than ever, it is ‘Critical’ that staff and students understand threats
To bolster cybersecurity awareness among staff and students, regular reminders about strong passwords, avoiding suspicious downloads, and recognising phishing attempts in emails are essential. Cyber literacy and basic cybersecurity awareness have become crucial in today’s digitally connected world.
A recent study revealed that one in seven 15-year-olds are susceptible to falling for phishing emails. This risk increases to one in five among teenagers from disadvantaged backgrounds, especially those with weaker cognitive skills. The study’s author, Professor John Jerrim, emphasised the need for increased efforts to help teenagers navigate the complexities of the online world.
The NCSC, part of GCHQ, has previously warned about the growing threat of ransomware attacks targeting the education sector. Ransomware attacks involve criminals gaining access to a victim’s network to install malicious software that blocks access until a ransom is paid.
While ransomware attacks experienced a temporary dip during the first quarter of 2023, they have been steadily rising since then, according to a threat report by cybersecurity company SonicWall. Schools, often considered “powerhouses of data,” are attractive targets for hackers looking to execute financial and phishing scams.
Spencer Starkey from SonicWall stressed the importance of schools prioritising cybersecurity, “Schools going back next week must prioritise cybersecurity from a budgetary and mindset perspective,” he said, especially as educational institutions increasingly rely on internet-based tools in the classroom.
A Department for Education spokesperson said education providers are responsible “for ensuring they are aware of cybersecurity risks” and “putting the appropriate measures in place“. This includes data backups and response plans in the event of an incident.
“We monitor reports of all cyberattacks closely and in any case where there has been an attack, we instruct the department’s regional team to offer support,” they added. “There is no evidence to suggest that attacks like this are on the rise.”
In conclusion, as a new school year begins, the important message is this: People in charge of education need to not only teach but also safeguard the important digital assets in schools. Cybersecurity isn’t just about money or technology; it’s a way of thinking that should be a part of everything schools do. Even though there’s no proof that cyberattacks are increasing right now, being watchful and ready is our best defence in the digital world.