Education providers warned to refresh their cyber security policies

Education institutions are seen as easy prey for a growing number of cyber-criminals. The National Cyber Security Centre (NCSC) has already warned of a spike in the targeting of schools, universities and colleges following a spate of attacks in the last year.


A Department for Education circular warned schools of the increasing number of ransomware attacks affecting the education sector and advised them to urgently review their existing defences to protect their networks.



What can schools do about being soft targets for cyber-criminals?

We understand that, unlike big institutions such as banks or large businesses, education establishments do not have large budgets to protect their networks and invest in training their staff. Like many businesses, they are unaware of how important it is to make backups of their data. Backups are just as vulnerable to ransomware as live data if they are not stored separately from the network where the live data sits.

  • Clickjacking — tricking users into clicking on something other than what they think they are clicking on — is the most common form of hacking in education, at 66%.*

  • Seven in every 10 workers in the education and training sector claim they have not been trained sufficiently against cyber threats.*

*Taken from a recent report by Specops.


Cybercriminals will demand money not for how valuable they perceive your data to be, but in exchange for you regaining operational capability. Without the right protection, a school can find that it takes days or weeks to get back to working normally again.


The rise in people using laptops remotely, thanks to remote working and teaching during the pandemic, has led to unsecured networks, which have caused major issues for IT departments.

The most sinister development that schools need to avoid at all costs is that hackers are looking to gain access to a school’s network to encrypt its backups.

For this reason, onsite backup servers have become major targets for cyber-criminals trying to ensure a ransom is paid. If your backups are on the same network as live data and a ransomware infection takes hold, all data on that network, including backups, is susceptible to infection.


The ransomware can be stopped by an offsite backup that has been encrypted at source, which is protected because it is held separately from the network where live data sits.


What can schools do to protect themselves?


The NCSC urges all education providers to review their existing defences immediately:

  1. Backing up your data.

  2. Holding backups separately from the network where live data sits.

  3. Regular testing to ensure all data can be recovered successfully.


The ability to recover data quickly

It is not just single files: all data will be corrupted if a school is infected by a ransomware attack.


Recovering all data promptly after a ransomware attack is imperative to maintain lessons (malware can stop teachers and students from accessing online education materials).


Having backups stored securely in geographically separate data centres ensures there is an air gap between live data and the backup. Encrypting data before it is sent to a data centre means a malicious file is unable to execute and cannot compromise your backups.


Complying with GDPR

Recovering data can be a hugely time-consuming, if not impossible, task, but that is not the only problem for a school that has been hit by a ransomware attack.


There is also the hurdle of avoiding financial penalties at the hands of the Information Commissioner’s Office for falling foul of the Data Protection Act 2018, which is the UK’s implementation of the General Data Protection Regulation (GDPR).


Article 32 of the GDPR clearly states that organisations must ‘restore the availability and access to personal data promptly in the event of a physical or technical incident’.

The keywords in this guidance are ‘timely manner’. Implementing a solution that would take days or weeks to recover data is not suitable.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the South East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the South East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the South East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the South East is not responsible for the content of external internet sites that link to this site or which are linked from it.