So we find ourselves near the beginning of another academic year; the summer holiday went quicker than the last and the school uniform aisle at Tesco looks like a jumble sale. Yes, the school term is almost upon us once again. For schools and MATs, it's the time of year where long checklists are being ticked off to ensure you’re fully prepared for a successful academic year. New and existing staff are key to facilitating this success, both for effective teaching and keeping the school, and its students, safe.

Cyber security attacks on educational establishments are becoming increasingly common as they continue to embrace technology with new IT systems. MATs may find themselves even more vulnerable, with their federated access between trust schools posing the risk of all of them being compromised. Thankfully, there are technical steps that can be taken to reduce the risk, such as keeping IT hardware and software up to date, access management controls and specialist cyber security software.  

What’s often overlooked is the role of staff in protecting against these threats. A study from Stanford University Professor Jeff Hancock and security firm Tessian revealed that 85% of data breach incidents are caused by employee errors. Perhaps even more concerning is that 43% of employees indicated they had made mistakes at work that led to some degree of security risk. So what’s the answer? Training. But before we get into the reasons why, it’s worth highlighting the different threats that our schools are facing.

Cyber security threats faced by schools

Schools face a wide range of cyber security threats, each with its own set of risks and consequences. In an extensive survey published in early 2023, the NCSC estimated that 78% of schools had fallen victim to some form of cyber-incident in the previous two years. Whilst the next report has yet to be published, it’s a pretty safe bet that this figure has at the very least remained at a similar level. So what are the most common cyber security attacks on our schools?

  1. Phishing: Fraudulent emails from attackers, aiming to deceive staff into revealing sensitive information or clicking dangerous links. The emails may be from fabricated contacts or organisations, using alarming subject lines to get your attention. There are typical signs that help you spot phishing emails, including masked email addresses and emails that demand your immediate attention.
  2. Spoofing: Impersonation is used to gain a victim's confidence, which can lead to accessing a system, stealing data, or spreading malware. Attackers often disguise themselves as reputable organisations or even contacts you may know, perhaps even using aliases of known colleagues.
  3. Malicious software: Typically broken down into 3 categories, malicious software can be malware, viruses or ransomware. Each of these behaves in a different way; however, all have the same goal: to access and compromise systems. Once a malicious programme has infiltrated a system, all data becomes at risk of being breached.

Another threat that schools may face is the denial-of-service (DoS) attack, where attackers aim to overwhelm a school's network with traffic. Essentially, they flood the systems with superfluous requests, which leads to overloads and therefore extended periods of downtime, where schools cannot operate. Motivations behind DoS attacks can range from hacktivism and revenge to extortion. Nowadays, such attackers use distributed computers to add additional load on school systems (DDoS attacks).

“Confidence comes from discipline and training”

This quote from Robert Kiyosaki rings true for protecting our schools from cyber attacks using effective staff training. For schools and MATs to be confident in their safety, staff should be fully trained in the dangers of cyber threats and how to spot them. By training teachers, administrators, and other school personnel on best practices for cyber security, schools can significantly reduce the risk of successful attacks. 

There are various providers of cyber security training for school staff, from government-funded programmes to third-party IT consultancies like us at Novatia. Cyber security training courses help employees recognise and respond to potential threats, such as suspicious emails or websites, and teach them how to protect sensitive information. Staff are the first line of defence, as installed anti-virus software won’t need to be relied upon if the malware programme can’t be executed in the first place.

Key areas to focus on

Now we understand the value of staff training, let's take a look at which specific areas should be covered… 

  1. Understanding the types of threats: The first and perhaps least surprising area to cover is the different types of cyber security threats and how they can manifest in a school setting. This includes understanding the motivations of would-be attackers, the tactics they use and the potential consequences of a successful breach of school or trust systems. Understanding the most common threats and how they work will offer the important foundation for developing ways to mitigate them. 
  2. Recognising and responding to phishing attempts: This includes teaching employees how to identify suspicious emails, links, and attachments, as well as emphasising the importance of not sharing sensitive information without proper verification. An objective process should be detailed to staff that clearly defines exactly what to do when a potential phishing email is identified, such as seeking counsel from the network team or IT support staff for verification before interacting with it.
  3. Password security: In addition to technical controls to manage the quality of passwords within the school, staff should be educated on best practice when it comes to choosing passwords. There are various training and CPD practices that should be shared to ensure that safer passwords are used, such as educating people about avoiding common passwords, for example a pet's name, common keyboard patterns or passwords they have used elsewhere.
  4. Storing data and safe networks: Be aware of the risks associated with using unsecured Wi-Fi networks and the importance of connecting only to trusted networks. Data such as passwords should only be stored in the school’s recommended and trusted password management systems.

Resources and tools for staff training

Schools and MATs have a few options for cyber security staff training. Online training platforms can be an affordable and highly accessible choice, as they are pre-made and available from anywhere using mobile or laptop devices. They provide interactive modules and courses that cover a wide range of topics, including cyber security awareness, password hygiene, and safe internet use. These platforms often offer certifications upon completion, which can serve as evidence of staff training for compliance purposes. However, this content isn't specific to your school’s circumstances, so such courses may lack the relevance to stand up to scrutiny.

Schools can also leverage government resources, such as the National Cyber Security Centre (NCSC), to guide their training efforts. Users can access PDFs and web pages that contain the necessary information for staff to understand and learn about threats. The NCSC also offers its own certified training courses, both for professionals with pre-existing cyber security knowledge and those new to the topic. Industry 100 is an initiative from the NCSC that facilitates the collaboration of public and private sector professionals and organisations to improve our understanding of cyber security.

Another option is the use of third-party IT specialists that offer cyber security advice and training. Whilst often being the more expensive option, there are significant benefits that come with it. Firstly, the training can be tailored to your institution, meaning your goals, size and current systems can all be taken into account. Furthermore, they may also offer hands-on training, providing in-person sessions that are likely to get better results. Their industry expertise means they can provide real examples from their past experience working with other schools, so you get, for example, the latest insights from competitors.

 

Final thoughts

The potential damage of cyber security attacks on schools is growing each year as they become more advanced. Staff training is the first of many steps that can lead to a more secure school, and it's before the academic year starts that this training needs to be provided. Even if it's been done in the past, refreshing staff with the latest cyber security training will ensure they’re up to date with the latest trends in cyber threats. At Novatia, we offer various solutions for schools and MATs to ensure their IT infrastructure is safe, secure and effective. Find out more about our solutions or get in touch with us for a friendly chat about how we can help you.

 
