Sophos, a global leader in network and endpoint security, has released new research into the state of IT security in UK schools. Sophos, partnering with YouGov, recently interviewed 348 head teachers, deputy heads and other senior teachers from both primary and secondary schools. The survey found that nearly half (47%) of teachers believe their students know more about IT than they do, and 18% cited students in the school being able to manipulate the school’s IT system – e.g. being able to hack into the server to take or change data – as a major area of concern.
Data Loss a Top Concern
Just over a third of the teachers surveyed (34%) said that when it came to IT security in their school, data loss was the biggest area of concern. Separately, 29% said that there had been increased awareness in the past three years of data security, specifically due to high profile data security breaches in the news.
The research identified that only a quarter (27%) of teachers were aware that their school had some form of encryption in place to protect data. This is consistent with Sophos’ experience of working with schools that have to juggle multiple priority projects competing for limited budget, and highlights a serious gap in the armour of schools’ IT security and data protection.
The need to be prepared for the General Data Protection Regulation (GDPR) is especially concerning for schools as it will place greater legal requirements on them and their suppliers with regard to data protection. The penalties are far more severe than those under the current data protection directive, and any schools that are not compliant with the new data protection policies could face fines of up to £500,000 imposed by the Information Commissioner's Office (ICO), as well as having their Ofsted ratings downgraded.
Teachers have a false sense of security: 80% state they are confident in their school’s ability to protect students from online threats whilst in school, but many schools do not have basic security measures in place. Over half (52%) of the teachers surveyed said their school does not currently use a system to monitor students’ activity on school-owned IT devices, or they are unaware of any monitoring system used, raising the question of how schools are managing to protect students. 47% of teachers also said additional training would help them to be more confident about their ability to protect students from online threats, and 34% of teachers think more tools to monitor students’ online activity at school would make them feel more confident about protecting students online.
22% of teachers also felt phishing attacks were a major area of concern, and 21% cited a lack of security due to students using their own devices – such as smartphones and laptops – on school networks. Many of these fears can be addressed with basic cyber security training, and common attacks like phishing can often be prevented if staff know what types of behaviours to look out for.
“Often cyber criminals will spread their net wide, meaning that anyone can fall foul of an attack, but others will target specific sectors that appear vulnerable, such as schools. Whether it’s through a targeted attack, phishing, or ransomware, schools are at a greater risk than ever of falling victim to a cyber attack, because in many cases years of juggling stretched budgets have left them without the layers of protection required to combat today’s complex threats,” said Oliver Wells, Education Manager at Sophos. “It’s definitely an issue that most of the schools we talk to are aware of but with so many other competing issues on their plate, it’s not always a top priority. However, the impending arrival of the GDPR in May 2018 means that schools really do now need to prioritise IT security because we could see hefty fines being handed out if schools can’t comply.”