18 top tips on how to improve cybersecurity in your school

Following Russia’s attack on the Ukraine, schools and organisations nationwide are being urged by the National Cyber Security Centre to bolster their online defences.

According to the Department for Digital, Culture, Media and Sport (DCMS), security breaches are on the increase and schools are at greater risk from:

Phishing
The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers

Account Take Over
When a fraudster takes over an account and gains access to emails, files stored on the cloud and takes over your computer

Ransomware
The key issue affecting schools – a type of malicious software designed to block access to a computer system until a sum of money is paid

So what can you do to improve cybersecurity for your school?

1. If you want cybersecurity to be taken seriously, someone should be identified to take responsibility for it, ideally a member of the senior leadership team.
2. Ensure that you have a comprehensive cybersecurity policy in place to illustrate your commitment to cybersecurity. You can download LGfL’s Elevate Cybersecurity Toolkit, a collection of key documents that schools can use to elevate their cybersecurity – it’s free to all schools nationwide.
3. Review your cybersecurity regularly, include it on your risk register and report to governors so it is kept high on the agenda.
4. Prepare an Incident Response Plan – a document featuring a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of a malicious cyberattack against your school.
5. Implement a 3-2-1 backup strategy – have 3 versions of your data – 2 copies on different media, for example the cloud and a USB and keep 1 off site/offline. Ensure that each backup has been completed successfully and periodically check that you can restore from them.
6. One of the simplest steps you can take is to ensure that you install security updates as soon as possible – patches sent by software providers are designed to close known vulnerabilities. The longer it takes to install a security patch, the more vulnerable you become to attacks.
7. Ensure that the operating system and software you use is up to date. Avoid making yourself vulnerable by using out of date operating systems like Windows 7, for which mainstream support and fixes are no longer available.
8. Practise good password hygiene – create a unique password for each service you are using and avoid using passwords that are easy to recall or guess. Use a password manager to store passwords if you find them hard to remember – the password manager will remember it for you.
9. Use multi-factor authentication for as many services as possible. Multi-factor authentication is when a user must provide two or more pieces of evidence to verify their identity to gain access to an app or digital resource. Multi-factor authentication (MFA) is used to protect against hackers by ensuring that digital users are who they say they are. Then if a password is compromised, you have another level of protection for your account.
10. Encrypt sensitive content – which converts information or data into a code to prevent unauthorized access.
11. Implement user awareness training so all your staff understand the importance of installing updates, know how to spot a phishing email and what to do if they are accidentally caught by one. From time to time, test staff awareness of potentially dangerous emails by undertaking a phishing test and use adverse findings to build awareness and confidence of staff in potentially harmful emails.
12. Keep on top of your housekeeping and ensure that accounts for staff and students that have left your school are disabled or deleted. This will help to reduce your attack surface and reduce white noise should an issue arise.
13. Ensure that staff and students are only given access to files and resources that are relevant to them. If you provide a member of staff with access to everything, your school will be more vulnerable if their account is compromised.
14. Run regular vulnerability assessments on your network to identify any systems that are out of date
15. Use built-in security tools like Microsoft’s Secure Score, which gives a summary of your security posture based on system configurations, user behaviour, and other security-related measurements. It isn’t an absolute measurement of how likely your system or data will be breached. Rather, it represents the extent to which you have adopted security controls in your environment that can help offset the risk of being breached.
16. Ensure that you have secure back-up copies of contact details for parents and keep them updated. If this data is inaccessible or wiped as a result of an attack, you can stay in touch and avoid potential safeguarding issues.
17. Ensure that anti-virus software is installed on everything and is working. It is important that someone is looking at the alerts as they come through and not just viewing them as white noise. Prior to a ransomware attack, it is possible for there to be a spike in alerts which can be an early warning sign.
18. Carry out spot checks on the team, person or supplier responsible for managing your cybersecurity. If you are supported by a company, ensure that they have Cyber Essentials Plus or ISO 27001 certifications and that cybersecurity is covered as a core element of their contract.

Gareth Jelley is product security manager at edtech charity LGfL – The National Grid for Learning. For more top tips on cybersecurity for schools, visit: Cybersecurity-Top-Tips-for-Schools-LGfL-CyberCloud.pdf – Google Drive

¹ DCMS Cybersecurity Breaches Survey Mar 2022 – Cyber Security Breaches Survey 2022 – GOV.UK (www.gov.uk)