Due to the success of 9ine’s data protection research at the start of the year and the cyber findings uncovered during the analysis, we are currently conducting further global research specifically into the state of cyber security within schools. The objective is to collate results from a diverse range of schools around the globe and provide an accurate profile of the data and security challenges schools face. The output will help schools and governing bodies benchmark what cyber security means for them and hopefully encourage collaboration and support for the common priority issues and risks identified.
Why Cyber Security Research - How Aware Are Schools of Cyber Security Risks?
As demonstrated by the numerous headline-grabbing data breaches in recent times, data protection and cyber security are intrinsically linked. Our previous research into the application of the GDPR in schools led to some interesting findings around the limitations of cyber security expertise within education. There is an abject gap in schools between awareness of cyber security threats and the actions taken to reduce the threat of a successful attack. This may be consequential for the level of attacks we’re seeing within education. We found the number of schools that have suffered from a cyber attack to be quite high; a quarter of the schools that took part in our previous research identified a cyber security attack in their organisation, with 60% of these attacks arising from phishing.
This analysis, particularly the recurrence of falling foul of phishing attacks, is telling of organisations where appropriate levels of information security might not be common practice. We did find, however, a direct correlation between schools that follow a cyber security code of conduct and a lower likelihood of suffering from cyber security incidents. We thought this variation in awareness of cyber security risks warranted further investigation through our research.
Benchmarking Cyber Security for Schools
9ine’s cyber security research will provide an insight into what schools can improve on to protect against cyber security attacks. A common question we hear from school leaders is, "how secure is my school from cyber attacks?" Similar to the concerns of not knowing where to start with data protection in your school, questions like this demonstrate the uncertainty around managing cyber security and the challenge of understanding what the appropriate best practice frameworks are.
Following a code of conduct such as the UK’s National Cyber Security Centre (NCSC) 10 Steps to Cyber Security, or the principles of the NCSC Cyber Essentials, will help baseline staff members’ understanding to an adequate level and raise awareness of common cyber and information security practices. Establishing basic security controls and processes, such as the practical measures advocated in the 10 Steps, will help reduce your organisation’s vulnerabilities to the more common types of cyber attack on systems that are exposed to the Internet.
To help benchmark what cyber security means for your school, the first phase of our research is supported by a survey which questions the levels of protection your organisation currently has in place against the guidance from the NCSC.
The survey includes questions similar to:
Are regular external scans performed on the network to discover vulnerabilities?
Are users required to authenticate to gain access to ALL systems / services including files, email, internet, devices?
Do you manage and apply critical and high category security updates to systems and devices within the recommended 14 days of being released?
The questions within our survey help generate a cyber security score for your organisation. The higher the score, the more secure your organisation is likely to be from common cyber threats and attacks. With the score provided at the end of the survey, you can also quantify your organisation's progress towards achieving the NCSC Cyber Essentials accreditation and be able to benchmark yourselves against other schools from around the world.
The Impact That Cyber Security Can Have on an Organisation Requires Further Investigation
Having the right protections in place to withstand common cyber attacks is vital. Cyber security attacks on schools can result in a number of different problems, including financial loss, damage to reputation and loss of access to data, to mention a few. Previous 9ine research determined that the most common impact in the event of an attack was loss of confidentiality of data, further evidencing the link between cyber security and data protection.
Cyber attacks are getting more and more sophisticated every day and also more and more common within schools. 9ine provided guidance in a recent BBC article reporting on an incident involving the malicious encryption of GCSE coursework at a school in the UK. We regularly field cyber security concerns from our schools and, in some cases, provide our support to assess the severity and manage the mitigating actions of a cyber attack. The results from our data protection research for UK schools revealed that independent schools as a sector registered the highest number of cyber security attacks - the top of the pile of
9ine’s Research: Aiding Collaboration & Support From School Governing Bodies
Given the frequency of cyber security attacks reported in UK independent schools, it can be assumed they have not effectively considered the protections that are required for securing IT systems and services. The high numbers are also likely due to the identification of a wealthy customer base with limited cyber awareness as vulnerable targets - often an area that hackers may look to target. A lack of knowledge of your school’s vulnerabilities, or limited awareness towards recognising common threats such as phishing emails, poses various risks to both the school’s network and the data you are processing.
Schools should ensure that cyber security risks are communicated not just to individual staff members but also to wider communities, such as parents. They need help, however. Our research aims to support school sectors, like the UK independent schools scene, by encouraging educational organisations and governing bodies to benchmark what compliance means and provide their schools with appropriate resources and training to reduce the likelihood of attack methods, such as social engineering, being successful.
Through collaborating with a diverse population of schools from across the globe, 9ine’s research aims to quantify why and where there is limited internal expertise and understanding of cyber security within schools, in order to better comprehend where improvements can be made.
Take & Share 9ine's Cyber Security Survey
Schools taking part in our research can:
Use the questions within our survey to assess your school's current cyber security controls
Determine a cyber security score for your school
Benchmark your progress towards achieving the NCSC Cyber Essentials accreditation
Compare your level of cyber security against a global network of schools
In completing the survey, you will be supporting further research into the state of the market for schools’ compliance with data protection and cyber security law. In order to broaden our data population and improve the results, please share participation in our research with your colleagues from other schools.
This survey should be completed by a senior member of your IT team or an individual who has a good technical understanding of your organisation's IT practices and strategy. Click below to take part in our research, or share the following link around your school:
The results from our research will be made available in the coming weeks via a downloadable report on our website. For anyone attending the ECIS Annual Leadership Conference 2019 in Lisbon, 24-27 April, we will be presenting the results and providing insight into what cyber security means for ECIS affiliated schools. If you're coming along, make sure to take part in our survey beforehand!
For more information about 9ine's Cyber Defence Essentials service, or other security initiatives such as Data Loss Prevention, Advanced Threat Protection, End-User Email Digest Solutions, and our recommendations on configuring Office 365, please contact firstname.lastname@example.org.