Schools Warned They Are ‘Easy Prey’ For Cyber Attackers

A cyber security professional has warned schools to prepare to face more attempted cyber breaches in 2023 after a wave of cyber attacks saw sensitive documents such as children’s passports and staff contracts exposed to the dark web.

Attackers infiltrated UK schools using techniques known as ransomware, a type of malware that gains access to computer systems and blocks user access until a sum of money is paid, but also through exploit vulnerabilities in the systems that are not patched or secured.

Some of the documents that were exposed went as far back to over a decade ago and raise serious concerns about how much priority cyber and security is being given, especially with school leaders identifying cyber and security as a top 3 risk.


Why is Education Sector so under threat and why must it act now?

According to Scott Slocombe, Deputy CTO and a Cyber Professional at PSP Agile IT, the education sector is being targeted because of the amount and value of their data and the security posture of their technology environments.

“I’ve worked in education for almost two decades and the surge in ransom attacks we’re seeing is alarming. Sadly, attackers don’t care about the moral element, they see education as easy prey, with a high success rate due to poor business continuity and untested disaster recovery methods.

Scott claims there are a number of vulnerabilities that attackers can expose. A typical network could connect all staff, teachers and pupils, who may use the open wi-fi and share files on their personal devices, increasing the risk of a cyber incident.

“It’s critical schools, academy trusts, colleges and universities perform security assessments and audits regularly. We need greater awareness and sharing of best practise to help the education sector adapt to the challenges, also harness investment by companies like Microsoft who have solutions like EDR (Endpoint detection and response) or ATP (Advanced Threat Protection) on their SaaS platforms like Microsoft 365.”


What can educational bodies do to protect themselves?

There are several ways organisations can bolster their cyber defences and improve their ability to react to a data breach. Scott has four initial steps to develop a bullet-proof plan to cyber resilience:


  1. Take ownership at senior level

“Cyber security is a whole school issue, and it’s important that the person who takes ownership of a school’s cyber strategy engages with IT teams, staff and directors to build a robust strategy that is free from jargon. Security and cyber should not be seen as only the responsibility of the IT team, it is crucial that your IT leader is heard at senior level, challenged and supported, but cyber and security is as important as safeguarding or health and safety, and is everyone’s responsibility.


  1. Regular review of vulnerabilities and annual pen testing

“Threat actors are constantly attempting to access your systems, using leaked credentials on the dark web to exploit, harnessing phishing attacks or other social engineering techniques. You need an understanding of your security posture to do the technical mitigation to help protect your systems.

“Education providers should be performing  security reviews across all their infrastructure, from end-point devices to cloud platforms.

Regular vulnerability assessments, external audits and annual penetration testing will highlight vulnerabilities in your systems, and help you understand that your strategy for mitigation, processes and procedure and awareness is efficient and effective.  

  1. Best practise including Pupils and Staff awareness

“Every device is a door to your network and systems, the more schools expand their device programmes for staff and pupils, they are increasing their surface attack area; it’s important to keep those doors shut by having robust patching systems and procedures. Once an attacker gains access to one device, they have means to infiltrate your wider systems.

Every end-user must be aware of common cyber threats and how to spot them. As with safeguarding and health and safety; security, cyber and e-safety should form part of your staff induction process.

The NCSC provide an overview of the areas of focus for the education sector, including their CyberFirst program. They also provide a framework and awareness for cyber security; oultlining the foundations for you to start or grow your cyber resilience.

You also have a British standard for cyber security, which provide best practise and framework to build your cyber resilience from your trustees to your pupils.”

  1. Business Continuity Planning and Disaster Recovery

A business continuity plan ensures that, even in the event of disaster, schools can still safeguard pupils and staff, and restore the systems back to an operational standard.

By developing a disaster recovery plan with runbooks, organisations will have well-documented policies and procedures to make them ready to respond when a cyber incident or crisis occurs and can quickly recover lost systems and/or files.

Perform monthly reviews and annual desktop exercises to test the procedures and runbooks to ensure, when the day comes, you will come out the other side.


About PSP

A Microsoft gold partner with a combined experience of over 40 years defining strategy, implementing solutions and for over 14 years providing agile roles and services for various sectors including the education and membership sectors.