Cyber Security Guidance from the Charity Commission
Trustees of fee-charging educational charities, including charitable independent schools, are required to follow the Charity Commission for England and Wales' guidance on protecting their organisation from cyber crime and fraud. The Charity Commission states:
"Cyber crimes can be quite complex and difficult to detect, often involving data breaches or identity fraud. It’s important that you consider how best to protect your charity’s valuable assets from harm online… Charity trustees have a duty to manage their charity’s resources responsibly and ensure that funds are protected, applied and accounted for."
Boards of Governors and Trustees are specifically named by the National Cyber Security Centre (NCSC) as having the same level of responsibility for protecting schools from cyber crime as any company Board of Directors would be expected to have. In addition, the recent ‘Cyber Security Toolkit for Boards’ from the NCSC specifically highlights ‘Boards of Governors’ as those accountable for improving and governing cyber security risks, to the same degree of importance as they would apply to other organisational risks, such as child protection, or more recent obligations under the UK Data Protection Act 2018.
In a recent report of cases handled by the Information Commissioner's Office (ICO) in relation to schools (May 2018 - May 2019), 24 per cent of cases were the result of a security incident, e.g. when a school reported, or was reported for, cyber crime or fraud-related data breaches. Nationally, there have been well-documented cases where schools have been victims of cyber crime. Back in March 2019, BBC News reported on the unfortunate case of Bridport School, which lost GCSE coursework as a result of a cyber attack. Around the same time, Schools Week reported on data from the ICO showing that the number of cyber attacks on schools had risen by 69 per cent in a year. Between July and September 2017, there were 26 such reports. In the same period in 2019, there were 44.
Within the state sector, the Education & Skills Funding Agency (ESFA) specifically highlights cyber security as a concern that must be managed. This requires academies and trusts to be vigilant and proactive in relation to cyber crime. Importantly, their audit committees must have sufficient ‘quality of evidence’, through completion of the NCSC 10 Steps to Cyber Security, to demonstrate compliance with their statutory obligations.
Whether it's the Charity Commission, the ESFA, or the NCSC, all the guidance points towards the responsibilities of an organisation's top management level to demonstrate and evidence that cyber security is being taken seriously. 9ine's Technical and Vulnerability Assessment reviews a school's IT systems and operations against the NCSC 10 Steps to Cyber Security, providing our independent recommendations and a risk-weighted action plan for improvements.
Five strategic questions for education providers
Providing a higher-level organisational overview than the NCSC 10 Steps to Cyber Security, the ESFA recommends a useful five-step process which all school types can follow.
1. Information Held
Does the school have a clear and common understanding of the range of information assets it holds and those that are critical to the business?
2. Threats and Vulnerabilities
Does the school have a clear understanding of cyber threats and vulnerabilities?
3. Risk Management
Is the school proactively managing cyber risks as an integrated facet of broader risk management, including scrutiny of security policies, technical activity, user education, and testing and monitoring regimes, against an agreed risk appetite?
4. Aspects of Risk
Does the school have a balanced approach to managing cyber risk that considers people (culture, behaviours and skills), process, technology and governance, to ensure a flexible and resilient cyber security response?
5. Governance Oversight
Does the school have sound governance processes in place to ensure that actions to mitigate threats and maximise opportunities in the cyber environment are effective?
Complimentary Tech & Cyber Review - Welcome Back!
Cyber security is the responsibility of the entire Board. The NCSC guidance states that your Board of Governors is required to ‘provide direction on cyber security strategy and hold decisions to account’. In order to make informed decisions, however, your Board must first understand your current cyber security posture, both technically and operationally.
That is why we are welcoming schools back from the summer with a complimentary Tech & Cyber Review delivered by our expert in-house cyber security team. The reviews take the form of an infrastructure vulnerability assessment. By simulating a cyber attacker scanning for vulnerabilities both from within the school's network and against its externally facing IP addresses, we will present back to you the identifiable vulnerabilities across the school's network and systems that have a likelihood of being compromised. Click below to organise a review with a consultant from 9ine.
Training & support for your Governors
Having the right level of training is a key requirement for demonstrating best-practice cyber security. Register for our 45-minute webinar on Friday 11th October at 2.00pm. "Cyber Security for School Leadership and Your Governing Body" will discuss the obligations placed upon school leadership and governing bodies to protect your organisation from cyber crime and fraud. The webinar is also available on demand, so if you cannot make it, do not worry; just make sure to register below!
For any concerns about cyber security at your school, or for more information on our Tech & Cyber Review or webinar, please contact firstname.lastname@example.org.