
Cybersecurity in UK Schools

Writer: Chana Weisz

Updated: Nov 13, 2024


As schools become more reliant on IT and online systems, the importance of cybersecurity grows significantly.


“An ounce of prevention is worth a pound of cure.” – Benjamin Franklin


Who is threatening the Educational Industry? How? And what risks do schools face?


Cyber threats to schools come from diverse actors with varying motives. Cybercriminals target schools for financial gain through ransomware and data theft, exploiting often inadequate cybersecurity measures. Personal motives drive disgruntled students or staff to hack systems, while hacktivists may attack to protest policies. Some attackers simply aim to cause chaos through denial-of-service attacks.


Schools store sensitive personal data, including student records, health information, and staff employment details, making them prime targets for identity theft and data breaches. The financial impact of such incidents can be severe, as ransom payments, recovery costs, and legal fees often place a significant burden on schools, which typically operate with limited budgets for handling crises. Additionally, schools are required to comply with strict data privacy regulations, such as FERPA in the U.S. or GDPR in the EU, and in the UK, they must meet standards set by the Department for Education. A breach of sensitive student information can result in costly legal penalties and compliance violations. Beyond the financial and legal consequences, a successful cyberattack can also severely damage a school’s reputation, leading to a loss of trust from parents, students, and the community—ultimately impacting enrollment and funding.


Schools face several cyber threats that can disrupt operations and compromise sensitive information. A data breach involves unauthorized access to confidential student, staff, or parent information, such as personal identification, grades, or health records, which could lead to identity theft or expose private data. Another risk is a Distributed Denial of Service (DDoS) attack, which can overload the school’s network, causing key systems like learning platforms, email, or websites to crash, severely disrupting both classes and administrative functions. Software vulnerabilities in the platforms used for teaching and administration can also provide hackers with entry points to compromise student data or take control of the network. Additionally, removable devices such as USB drives can introduce malware or cause data loss if sensitive files are mishandled or exposed. Schools must remain vigilant against these threats to protect their digital infrastructure.




“It’s not a question of whether you’ll be hacked, it’s a question of when.” – Bruce Schneier

For example, take a look at this case study. This attack was carried out by online criminals with the aim of demanding a ransom.


Ransomware Attack on Riverside High School


In October 2023, Riverside High School fell victim to a sophisticated ransomware attack. The cybercriminals infiltrated the school's system through phishing emails disguised as routine IT notifications. These emails contained a link urging staff to update their school network passwords due to "security improvements."


Several unsuspecting staff members clicked the link, which led to a fake login page. By entering their credentials, they inadvertently granted the attackers access to the school's internal network. The hackers then planted ransomware that swiftly spread across the school's systems, encrypting files including:

  • Student records (including grades and personal information)

  • Payroll and administrative data

  • Attendance logs


Within hours, the entire network was locked down, and the attackers demanded a ransom of $20,000 in Bitcoin to unlock the encrypted files.
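The lure in this case study (an "IT notification" asking staff to update their password, with a link to a fake login page) can be screened for before it reaches an inbox. The sketch below is an added example, not part of the original article: the trusted host names, keyword list and sample message are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts of the school's real sign-in pages (constructed names).
TRUSTED_LOGIN_HOSTS = {"login.school.example", "portal.school.example"}
CREDENTIAL_WORDS = ("password", "sign in", "log in", "credentials")

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL or bare 'host/path' string, else ''."""
    try:
        return (urlsplit(value if "://" in value else "//" + value).hostname or "").lower()
    except ValueError:
        return ""

def suspicious_links(html_body):
    """Return (href, reason) pairs for links matching the lure described above."""
    parser = LinkCollector()
    parser.feed(html_body)
    wants_creds = any(w in html_body.lower() for w in CREDENTIAL_WORDS)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if not href.lower().startswith(("http://", "https://")) or target in TRUSTED_LOGIN_HOSTS:
            continue
        # Visible text that looks like a URL must point where the href points.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append((href, "link text shows a different host"))
        elif wants_creds:
            findings.append((href, "credential request links to untrusted host"))
    return findings

# Constructed sample resembling the "update your password" notice.
SAMPLE = ('<p>IT notice: please update your school network password.</p>'
          '<a href="https://school-login.example.net/reset">login.school.example/reset</a>')
```

A match is a reason to quarantine the message for review rather than proof of phishing; legitimate third-party services will also trip the keyword rule until their hosts are added to the trusted set.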


The School's Response

  • Engaging Cyber Experts: The school’s IT department worked with a cybersecurity firm to assess the damage and attempt to recover the data. They quickly isolated the infected systems to prevent further spread.

  • Law Enforcement Involvement: The school reported the incident to local law enforcement and the FBI’s Cyber Division, who initiated an investigation but cautioned that tracking ransomware attackers is difficult, especially when payments are demanded in cryptocurrency.

  • Refusal to Pay the Ransom: After consulting with cybersecurity experts, the school decided not to pay the ransom, knowing that there was no guarantee the hackers would honor their promise to restore the data.


In this news report, a USB stick lost by accident exposes Rochester Grammar School’s pupil data.




What schools can do to protect themselves from a cyber attack:


Check out the DfE standards (updated May 2024)


To protect against a cyber attack, it's crucial to conduct an annual cyber risk assessment to identify vulnerabilities in hardware, software, and user accounts.


Implementing a robust data backup plan, with regular testing to ensure recovery, is essential for safeguarding information. Access control should be based on roles and responsibilities, with regular reviews to revoke unnecessary access privileges.


Reporting suspicious activities promptly through clear channels is vital, as is keeping all digital technologies, including operating systems and software, up to date to mitigate known vulnerabilities.


Schools should also develop comprehensive cybersecurity policies that detail incident response, user access, and data protection protocols. Additionally, installing and maintaining anti-malware software and firewalls will provide critical layers of protection against unauthorized access.

The Department for Education (DfE) now requires schools to implement multi-factor authentication (MFA) for enhanced account security. MFA adds an extra layer of protection by requiring users to provide two or more pieces of evidence, such as a password and a verification via another device, to confirm their identity. For senior leaders, staff, and IT support working with sensitive data, MFA is mandatory. While MFA improves security, it may pose challenges for individuals with special educational needs and disabilities, so schools should provide alternatives or additional support where needed.


In addition to the core requirements, schools may want to extend MFA to cover all cloud services, staff accounts, and even student accounts—provided mobile phones are not required for verification, aligning with DfE's guidelines on phone use during school hours. MFA can be configured using various methods, such as passwords, text message codes, phone calls, security keys, or even biometric authentication. If MFA isn't feasible, schools must ensure the use of stronger, more complex passwords.

“Cybersecurity isn’t just a tech problem, it’s a human problem.” – Jon Miller

For schools juggling multiple systems, a single sign-on (SSO) solution might be worth considering. This allows staff to log in once and access all necessary applications securely, simplifying the process while maintaining a high level of protection.


To comply with the Department for Education (DfE) requirements, all software used in schools must be properly licensed and eligible for security updates. Unlicensed software should be either removed or licensed to ensure compliance and security. It's essential to keep operating systems and firmware up to date, ensuring that updates are applied in a way that doesn’t disrupt teaching and learning. Schools should also maintain a contracts register to track licence expiry dates, ensuring that any unlicensed software is promptly removed. The finance team or business professionals need to be aware of licence renewal dates to budget accordingly, and it's important to capture end-of-support dates for all digital technology in the asset register to plan for future upgrades.
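The register checks described above can be run as a routine report. This is an added example, not part of the original article or of DfE guidance: the CSV layout, column names, asset names and the 90-day warning window are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed register extract; the column names are assumptions for this example.
REGISTER_CSV = """asset,licensed,licence_expiry,end_of_support
Library catalogue,yes,2025-01-31,2027-06-30
Old lab OS image,yes,,2024-10-01
Timetabling tool,no,,2026-03-01
Finance package,yes,2024-09-30,2026-12-31
"""

def parse_day(value):
    """ISO date from a register cell; an empty cell means 'not recorded'."""
    return date.fromisoformat(value.strip()) if value.strip() else None

def review_register(csv_text, today, warn_days=90):
    """Return (asset, finding) pairs for rows that need action."""
    soon = today + timedelta(days=warn_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["asset"]
        expiry = parse_day(row["licence_expiry"])
        eos = parse_day(row["end_of_support"])
        # Licence status: unlicensed software is removed or licensed.
        if row["licensed"].strip().lower() != "yes":
            findings.append((name, "unlicensed: remove or license"))
        elif expiry and expiry < today:
            findings.append((name, "licence expired"))
        elif expiry and expiry <= soon:
            findings.append((name, "licence renewal due: budget for it"))
        # Support status: software must still be eligible for security updates.
        if eos is None:
            findings.append((name, "no end-of-support date recorded"))
        elif eos < today:
            findings.append((name, "out of support: no security updates"))
        elif eos <= soon:
            findings.append((name, "end of support approaching: plan upgrade"))
    return findings
```

Calling `review_register(REGISTER_CSV, date.today())` gives the finance team and IT support a single list covering both licence renewals and end-of-support planning.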


(Following these practices aligns with the latest UK guidelines for digital security in schools)


OR

Contact Tel-Arm.

Tel-Arm will design a streamlined solution for all cyber needs, providing full compliance with DfE’s standards as well as end-to-end security.

 
 
 
