The Academy Financial Handbook has been updated and renamed as the Academy Trust Handbook. The requirements and guidance within the handbook have been building over recent years, with the update this year emphasising three areas where greater clarity is provided.
The first area places an emphasis on trusts reserving places in their governance structure for parents and other stakeholders. The second highlights the benefit of commissioning an external review of governance as a means of identifying improvements. Third, the handbook emphasises cyber security. Baroness Berridge, Under Secretary of State for the School System, states:
“Many of you will be aware of the increasing number of cyber-attacks involving ransomware which are affecting the education sector and others. I know that these events can have devastating effects on organisations and individuals, and the Department continues to work with crime prevention agencies to help trusts protect themselves. The handbook highlights the National Crime Agency’s advice not to pay ransoms, and to approach us if your trust finds itself in the very difficult position of contemplating such a payment.”
Parts 6.16 and 6.17 define the expectations further:
6.16 Academy trusts must also be aware of the risk of cybercrime, put in place proportionate controls and take appropriate action where a cyber security incident has occurred.
6.17 Trusts must obtain permission from ESFA to pay any cyber ransom demands. ESFA supports the National Crime Agency’s recommendation not to encourage, endorse, or condone the payment of ransom demands. Payment of ransoms has no guarantee of restoring access or services and is likely to result in repeat incidents.
So what can your Trust do? Well first, you can prioritise understanding the threat context.
Cyber Threat Context
Recent research from Microsoft suggests that education providers across the world are increasingly falling victim to malware encounters. In June 2021, over 64% of all reported enterprise malware encounters across all industries involved organisations in the education sector. This isn’t just a blip, though: the education sector has averaged this disproportionate volume of malware encounters for over nine months.
We already know some of the reasons why this increase in malware encounters is occurring. Schools have traditionally taught children in the classroom, at school. However, distance learning creates a larger attack surface, with people at home often having lower security protections than at school. Weaknesses in device and system security and management make it easier for attackers to compromise accounts, spread malware and potentially gain access to sensitive information.
These challenges have been widely reported. The National Cyber Security Centre in the UK, for example, notified all educational organisations in September 2020, March 2021 and June 2021 of the increasing cyber risks. In December 2020, the FBI and associated authorities published an urgent security notice communicating the risk of cyber threats to distance learning programmes. In April, John Gilbert, CIO DfE, warned:
“It is important that as heads of multi-academy trusts you understand the nature of the threat and the potential for ransomware to cause considerable damage to your institutions in terms of lost data and access to critical services… Part of this is identifying your ‘crown jewels’ and ensuring you have an incident action plan, along with your defences. Having the ability to restore the systems and recover data from backups is vital in the event of an incident.”
It’s not like Trusts haven’t been warned!
This threat is becoming so severe that even schools that have not suffered from a malware encounter are starting to be impacted. The increased frequency of cyber attacks on schools has increased the number and severity of risks posed to schools’ information systems. For those schools who are insured, an additional consequence is that there is an increased likelihood of insurers having to cover consequential damages in the event of a successful attack.
Effective information and cyber security is about understanding how susceptible the Trust is to having its vulnerabilities compromised. Through identifying and managing those vulnerabilities, the Trust and its Academies will be protected to the extent that is reasonably possible.
Aside from the usual phishing attacks, the primary attack vector for schools at this time is remote services, specifically the Remote Desktop Protocol (RDP). This is a feature that allows external access for IT staff to manage systems and services remotely. If your school or Trust central services use RDP, cyber criminals can find this out by scanning the internet. Should they find it, they can easily hack into your systems. This is how many of the schools in recently published attacks were compromised.