The Department for Digital, Culture, Media and Sport have recently published their annual report from their Cyber Security Breaches Survey. As part of this, they have also published a report which looks at educational institutions in particular.
The data collected from these surveys can outline key trends across education, and where the risks lie. Knowing where the biggest risks are is vital in informing us as to how we can best mitigate the overall risk going forward by targeting the key areas. I’ll discuss some of the main findings of the report below, however if you wish to read the whole thing, I’ll provide a link at the end of the article.
Summary of the Methodology
From the 6th of October 2021 to the 21st of January 2022, educational institutions were randomly surveyed through phone calls. A total of 490 educational institutions were surveyed, comprising 198 primary schools, 221 secondary schools, 34 further education colleges, and 37 higher education institutions. The schools that were surveyed included a selection of free schools, academies, Local Authority-maintained schools and special schools. The report has compared the four largest education institution samples with each other, as well as with benchmarks set by UK businesses. The report then aims to take a look at how these educational institutions compare to businesses when it comes to cyber security.
Comparing the 2022 survey to the one conducted in 2021, this year there were more primary schools and secondary schools included compared to last year, however there were more further education colleges surveyed in 2021 than in 2022. Now, whilst comparing data across previous years is beneficial in highlighting trends and patterns, the changes between 2021 and 2022 won’t be too useful in this respect, until more data is collected over the next few years.
The last point to note before looking at the survey’s findings is that only breaches and attacks that have been reported can be looked at. There may be breaches that aren’t reported, or have been unidentified, which means that some of the pieces of data will be the most accurate number we can get, as opposed to the actual true total figure.
Key Findings
From the findings of the survey, primary schools have experienced similar numbers of breaches and attacks as the average businesses have, whereas secondary schools were more likely to experience a breach/attack, and the likelihood of this happening to a secondary school was similar to large businesses, with 72% of large businesses had identified a data breach or attack. Further education colleges (88%) and higher education institutions (92%) were the most likely to experience an attack however.
Now taking a look at businesses, the levels of reported breaches stayed the same in 2022 compared to 2021, with 39% of businesses reporting a breach or attack in both years. With a slight increase from 36% in 2021 to 41% in 2022, Primary schools have experienced slightly more breaches and attacks this year. Worryingly though, the same can’t be said for Secondary schools. In 2021, 58% of secondary schools reported a breach/attack, and in 2022 that number has risen to 70%. Clearly, there needs to be an effort by secondary schools to respond to the increased threat that there clearly exists, and improving cyber security should be a key target going forward.
In terms of the types of breaches that have been identified, the survey has outlined how schools experience similar types of breaches and attacks to businesses, However, further education colleges and higher education institutions, over the past year have experienced a wider range of reported breaches and attacks compared to businesses. For example, Higher education institutions (73%) and further education colleges (56%) are particularly likely to identify impersonation attacks. The survey also notes that “higher education institutions are significantly more likely than other types of educational institutions to identify viruses, spyware or malware (59%) and unauthorised accessing of files (32%).”
The report also looks at how those surveyed identified cyber security risks, with nearly all of the educational institutions questioned implementing at least one of the following methods of identification: Using specific tools designed for security monitoring, risk assessment covering cyber security risks, testing staff awareness and response (e.g. mock phishing), A cyber-security vulnerability audit, penetration testing and investing in threat intelligence. As you would expect, primary schools, who would have less resources tend to take the approach that is in line with small businesses, whereas secondary schools, further education colleges and higher education institutions are tending to implement multiple and more sophisticated approaches. Further education colleges and higher education institutions are specifically more likely than schools to be carrying out security monitoring, audits, penetration testing, testing staff awareness and response, investing in threat intelligence and conducting risks assessments.
When it comes to reviewing suppliers for cyber related risks, all types of educational institutions are more likely to implement this than businesses, however as you might expect, primary schools and further education colleges tend to employ this strategy less. Around three in ten primary schools (29%) and further education colleges (32%) say they have reviewed such risks posed by their immediate suppliers or partners, as have just over one in three secondary schools (36%). Higher education institutions are more likely to do so, with around six in ten (62%) reviewing such risks. This compares to 13% of businesses.
One tactic that appears to be less common in schools than it is in further and higher education institutions is staff training and awareness raising. Over the last year, around 4 in 10 primary schools, and just over 50% of secondary schools have used this tactic, whereas the number rises to around 8 in 10 further education colleges, and 100% of education institutions. The next tactic discussed is cyber security planning and documentation. The survey highlights that all of the educational institution types looked at are more likely to implement this strategy than typical business, and are more in line with the practices of large businesses.
The last measure we’ll discuss is the use of insurance against cyber security breaches. Around two thirds of further education colleges (68%) and higher education institutions (65%) report being insured against cyber risks, with a smaller proportion of primary schools (41%) and secondary schools (31%) reporting this. It is worth noting that around half of the individuals in cyber roles that were interviewed in primary and secondary schools did not know whether their school had this kind of insurance (47% and 48% respectively). This compares to 20% of businesses not knowing. It highlights that cyber security is perhaps more siloed in schools, and therefore considered separately from financial matters like insurance. For schools, these results are very similar to last year.
The report itself goes into more detail about its findings, as well as having the addition of different graphs and tables to illustrate those findings. So, if you would like more information on the survey, please feel free to click the link below, which will take you straight to it.
Cyber Security Breaches Survey 2022: Educational institutions findings annex