Cyber security for schools has long been on the agenda and in the curriculum for all schools.  Teaching and administration teams are wise to the potential threats from dubious emails and acutely aware of the requirements to ensure GDPR and data protection compliance.  Increasingly, however, the threats to schools are becoming more prolific and having a greater impact on the core business of educating young people.  Along with the multitude of programs and apps that teachers and administrators use, we have become increasingly reliant on internet-based technologies. While there are always risks inherent with internet and cloud-based technologies, these are massively outweighed by the positive impact on improved workflow, curriculum opportunities and cost savings.

So, what can you and your IT team do to ensure your school remains secure from accidental or malicious impact on your systems?  How can you keep doing what you’re best at without interruption from the increasing volume of cybersecurity risks?   

Securing devices

In addition to viruses there are now new challenges to contend with in the form of ransomware, malware and exploits.  These weird and wonderful invaders look for entry points to your school’s computer system through servers and user devices.  The defences to these are grouped under the term ‘end-point security’.  These need to be in place at different levels and points of your IT infrastructure to identify and counteract any attack.

An Operating System is at the heart of your network.  Both your servers and desktop/mobile devices need the most current version of any operating system.  Software upgrades should be installed when they are released.  Failure to upgrade and add the latest patches will leave your network vulnerable to deliberate or accidental security breaches.   

The firewall in your school can be a source of frustration when sites you want to use for teaching are blocked.  For some time now, school IT providers, or trusted users in school, have managed this to allow sites through a whitelist. The importance of the software and physical firewalls can’t be underestimated in detecting threats and protecting your network.  Teaching and administration staff can all play their part, for example by taking time to check a URL is secure and trustworthy may seem like a hassle but the ‘certificate no longer valid’ warning could pose a very real threat.  End user training is a great way to complement any measures that your IT provider puts in place.

Remote access

With the increase in cloud computing, school staff now have increased opportunities for more effectively working from home.  However, for many schools, services including printing and MIS are still hosted on physical servers on school premises. In the past, Remote Desktop might have been used to communicate to servers directly but that no longer provides a secure enough connection.  To reduce any risks when connecting remotely, your IT provider should create and manage a secure VPN (Virtual Private Network).  Any users who use a VPN should have a strong password – enforced by the network rules – and any modern VPN connections should be encrypted as standard.  This makes sure that resources can only be accessed via VPN rather than over the internet which might be vulnerable to attack.

Tailoring security measures to meet your school’s needs.

There isn’t a ‘one size fits all’ solution to security measures and your IT provider should ensure that any policies and procedures are bespoke to your school setting.  There are, however, certain generic considerations which should be reviewed and implemented in discussion with key school staff, among these might be:

  • Different account types for different job roles.  The security associated with this needs to be carefully considered – including the level of permissions to read and/or edit certain directories or access particular pieces of software.
  • Multi-factor authentication – This is a must-have for any administrator accounts but options for accessing other data sensitive programs/apps may include fingerprint verification, a code sent to your mobile phone or a one-time password tag are all authentications which are likely to be required to keep your data and systems secure.
  • Practical balance of user-friendly vs safety conscious – Staff and students access a multitude of different software and may have to remember many different passwords.  While maintaining the integrity of your systems, access and password rules must work for different user groups – should EYFS passwords be expected to have the same level of complexity as KS2?  Can a single sign-on system provide simplified, secure access to all your core pieces of software?
  • Providing guests access to Wi-Fi – Again, depending on their job role and relationship with your school, you may choose to offer certain visitors access to particular areas of your network and the ability to print, whereas others you may choose to restrict to a separate, internet only network.

Cyber security for schools

  • Do you have a process to review websites and apps before accessing them?
  • If the worst should happen and your systems somehow become affected your backups will be key to making sure that any impact on your school is limited. Do you have an off-site backup solution in place?
  • Consider accessing the NCSC’s cyber security training for school staff.
  • Windows 7 is no longer supported by Microsoft. Have all your PCs been upgraded to Windows 10 or 11 to ensure that the latest security patches can be installed? Is there an end-point security suite installed on your server?
  • Work with an IT provider to ensure your security solutions fit your school’s needs.  Look for one with IS0 27100:2013 certification.  Read our blog to find out why this is important.

How can Platform 365 for Education support you?

Platform 365 for Education (an ISO 27001:2013 certified provider) can offer an independent audit of your existing IT security.  We will share a report with you and create a plan to implement any necessary works or collaborate with your existing provider to make your school safe.

Contact our Schools’ Development Manager for a conversation about your school’s IT Security and e-safety.

Further reading