Modern schools rely on a wealth of IT and online services, including the storage and management of large volumes of sensitive data, much of it personal to pupils, parents and staff. Keeping that data safe and secure is of vital importance, which is why cyber security should now be a key concern for those governing and managing schools.
But what exactly do we mean by cyber security in education? Essentially, it’s the measures undertaken to protect the school’s users, devices and data, whether on site or online, from theft or damage by malicious actors and rogue software or “malware”.
There are other important elements for schools to consider, too, other than protecting personal data. A cyber security incident will affect the ability of the school to function, the security of its data, and, ultimately, its reputation. Consequently, senior leaders and the governing body will want to ensure they have adequate measures in place to counter and respond to such events, as is already the case with GDPR and pupil safeguarding.
Computeam Secure
The three core concepts of Protect, Defend and Comply underpin Computeam Secure, a suite of products and services that safeguards devices, access to online services, and sensitive personal information, all the while protecting the school’s data 24/7, 365 days a year.
While defending and protecting systems may seem an obvious part of any cyber security service, a crucial aspect of our approach is compliance. This ensures that the products and services affording cyber protection comply with enterprise-level security, whilst being in line with the standards set by such authorities as the Government’s Risk Protection Assessment (RPA), an alternative insurance cover for Public Sector Schools.
Most networks can be protected using a set of common approaches and tools; however, we recognise that every client’s needs are different. At the outset of any Computeam Secure service, we audit a school’s current provision and identify the exact requirements, enabling us to apply immediate security interventions where needed, and to update the risk register for future threats.
A security strategy that works
Working strategically with schools is key to ensuring both school leaders and the governing body can address the main themes highlighted by the National Cyber Security Centre (NCSC) and Department of Education (DfE) guidance in this area. This allows schools to develop a diverse, multifaceted strategy for their cyber security, while also having a firm understanding of their IT estate, an awareness of the importance of cyber security, and finally, their current level of preparedness.
We begin with the Protect concept: it is vital to ensure that data and systems have a reliable backup in place in case other measures fail to stop an attack in the future. Recognising that most schools now have at least some elements of their IT estate in the cloud, we recommend a hybrid approach: backing up on-premises data from school servers, alongside a cloud-to-cloud backup that covers email and data stored in Microsoft SharePoint or Google Drive. These backups should be automated, and come with a level of reporting that allows failures to be spotted quickly. Current advice linked to the DfE’s RPA Cyber Insurance scheme also mandates that backup systems include “off-line” elements, ensuring that a ransomware attack does not simply encrypt the backup too as it progresses.
If you want to take protection to the next level, it's worth considering moving beyond simple backup towards a solution that supports Business Continuity and Disaster Recovery (BCDR). Computeam can offer a comprehensive solution that allows for all systems to be restored temporarily in the cloud while servers and data are rebuilt from backup, meaning that in most cases downtime will be limited to a few minutes, even in the event of a serious attack.
Next, we think about how to Defend a school’s IT estate using concentric rings of security. This can be highly bespoke to each client, but in most cases will contain common elements such as endpoint antivirus and device encryption to protect user devices, perimeter security provided by firewalls, and access security such as two-factor authentication to key software systems.
The fastest-growing threat and by far the largest cause of ransomware attacks is email (e.g. phishing emails asking your users to click an innocent-looking attachment or link). We are therefore seeing more and more schools choose a level of email protection which helps isolate and quarantine suspicious emails, and can “sandbox” each link when a user clicks on it, running a high-speed simulation to see if the link is in fact a route for malware to enter the network before allowing the user to proceed. These systems are not cheap, but when compared to the downtime, reputational damage and financial cost of a major ransomware attack, they are well worth the cost in our opinion.
Finally, the Comply element of our approach comes into play. The two main areas here are the GDPR regulations which came into force in 2018, and a growing number of compliance requirements placed on schools by their insurance providers, most notably, the RPA. Aside from ensuring that the solutions put in place to defend and protect systems meet the criteria, our main focus here is in helping to raise awareness and skills among school staff. Training in the NCSC basics of cybersecurity is now a requirement of the RPA insurance, but apart from that it's one of the best ways to prevent a future ransomware attack at a fraction of the cost of high-end anti-phishing software.
How safe is your school?
Cyber security is a complex area and many school leaders tell us that their biggest concern is a lack of certainty around where they stand or what to do next to make improvements. Computeam has developed a detailed audit that provides a simple visual guide to the level of security. We can check against compliance with the well-regarded Cyber Essentials scheme, but also go further and highlight the key strengths and weaknesses of a current network. Audits are available to Computeam clients and non-clients, and in our view they are the best way to start your journey to improved cyber security.
In addition to providing an overall score, audits are reviewed in depth by our technical consultants and, where appropriate, comments and recommendations are offered, explaining recommended best practices.
Following our audit, we can also arrange to have a formal Cyber Essentials certification done by the UK accrediting body, IASME, to provide your school with an external validation of your status as a responsible steward of data.
How can we help?
At Computeam, we believe in consulting with each school to find a suitable cyber-security solution, balancing policy, risk and of course budget. To that end, our approach goes beyond a mere sale of products and services; we’re committed to starting the discussion and informing you of how to build cyber security into the fabric of your IT and its governance. So, if you’re not sure how safe your school is, then drop us a line and we can have that discussion with you.