Cybersecurity should be seen as a key element of normal working practices.

On the 10^th October 2022 the DfE issued updated cybersecurity standards for schools.  Given most of the standards should already implemented or are required to be implemented as soon as possible, there is an implication that these should be part of normal working practices.

The main points are highlighted below along with the requirement of when to meet the standard:

• Protect all devices on every network with a properly configured boundary or software firewall (should already be meeting this standard).
• Network devices should be known and recorded with their security features enabled, correctly configured and kept up-to-date (should already be meeting this standard).
• Account should only have the access they required to perform their role and should be authenticated to access data and services (standard should be implemented as soon as you can and with the introduction of each new account).
• You should protect accounts with access to personal or sensitive operational data and functions by multi-factor authentication (standard should be implemented as soon as you can).
• You should use anti-malware software to protect all devices in the network, including cloud-based networks (standard should be met as soon as you can).
• An administrator should check the security of all applications downloaded onto a network (you should meet this standard as soon as possible).
• All online devices and software must be licensed for use and should be patched with the lates security updates (you should meet this standard as soon as possible).
• You should have at least 3 backup copies of important data, on at least 2 separate devices, at least 1 must be off-site (you should implement this standard as soon as you can).
• Your business continuity and disaster recovery plan should include a regularly tested contingency plan in response to a cyber attack (you should meet this standard as soon as possible).
• Serious cyber attacks should be reported (you should implement this standard as soon as you can).
• You must conduct a Data Protection Impact Assessment by statute for personal data you hold as required by General Data Protection Regulation (you should already be meeting this standard in accordance with GDPR).
• Train all staff with access to school IT networks in the basics of cybersecurity (you should be looking to implement this standard as soon as you can but within 12 months as a minimum).

The full DfE standards can be found here: https://www.gov.uk/guidance/meeting-digital-and-technology-standards-in-schools-and-colleges/cyber-security-standards-for-schools-and-colleges

TES recently highlighted the new standards and emphasized how important it is for education settings to protect themselves:https://www.tes.com/magazine/leadership/compliance/cyber-security-why-schools-must-improve-their-data-defences. Cyber attacks in schools are happening, only this week Gloucester Live reported a school hit by an ‘IT incident’ on the 12th October: https://www.gloucestershirelive.co.uk/news/cheltenham-news/school-hit-it-incident-launches-7691468

Often school staff feel their data is not important to cyber criminals, but usually the hackers are just trying to cause mischief.  Mischief that can cost thousands of pounds and a lot of ‘down time’ for business critical systems.

We would agree that cybersecurity needs to be part of normal routine and would urge those schools not already certified to look at the Cyber Essentials certification in conjunction with their IT provider: https://www.ncsc.gov.uk/cyberessentials/overview

We would also encourage all of our schools, both staff and governors, to complete the NCSC Cyber training: https://www.ncsc.gov.uk/information/cyber-security-training-schools.  Further courses are available in the DPE Knowledgebank.

Follow us on our social media platforms for hints and tips:

Photo by Adi Goldstein on Unsplash