Our digital ecosystem is under threat and has been for some time. The cybersecurity crisis facing organisations is two-pronged, involving both internal and external threats. Human error is a significant contributor, as the World Economic Forum states that 95% of data breaches result from human mistakes.
On the other hand, external threats from cybercriminals continue to escalate. A government-backed report in the UK reveals that 52% of primary schools and 71% of secondary schools experienced cyber incidents in the past year, and that 97% of higher education institutions are more likely to be affected. There have been several reports in the past month alone, including one Essex-based school that was forced to close after a “critical incident” was declared following a ransomware attack. This is far from an isolated incident. In fact, there are reports that schools are being targeted at critical times in the academic calendar, such as when term is just about to start or an exam season begins.
Schools, like businesses, have come to rely on connectivity, cloud storage, and digital infrastructure more in recent years. They store high volumes of sensitive information and rely on seamless communication channels with local councils, parents, and suppliers. Given this dependency on digital infrastructure, the UK government has issued education-focused guidelines as part of its National Cyber Strategy.
Cyber Vulnerabilities in Education
A critical aspect in education lies in how data is being transmitted. Email remains the most appropriate means of sharing sensitive information both within schools and across local authorities. This may include governing bodies, SEN provisions and social services. However, without proper security measures, email communications can expose institutions to significant risks.
For cybercriminals, data is like currency. The more they can steal, the higher the leverage they have to extort their target. A scenario might be an attacker intercepting an email in transit with specific details on a homework assignment. The email appears to be legitimate, asking students to submit their work via a fake portal. The student then enters their credentials, which the attacker can use to access the school’s network. All of a sudden, this harmless transmission of data from student to teacher has been weaponised, and the criminal can steal someone’s identity or extract data and hold it ransom.
Educational institutions house vast amounts of data by necessity, but often lack the cybersecurity capabilities, resources, or awareness that private institutions have. That makes them vulnerable. Not only that, but the theft or loss of this data can lead to significant disruption – the cyberattack on Billericay School, referenced above, led to a complete school closure when its IT systems were compromised, halting learning and interrupting exams.
The Human Factor: Building Cyber Resilience
While we must always be on alert for external threats, the truth is that human error is the leading cause of data loss events in the education sector. According to the ICO, of the 7,650 events reported since 2019, nearly 6,200 were unrelated to outside threats, and nearly 2,500 were simple errors such as emails sent to the wrong person or misuse of Bcc.
Educators are often working under pressure and to tight deadlines. Add to this that they regularly handle large quantities of sensitive data and email a wide variety of stakeholders (students, parents, colleagues, and third-party agencies outside the organisation), and it is easy to see how mistakes occur. A common error is sharing a file without realising it holds sensitive information; a hidden tab in a spreadsheet, for example. A data loss event of this kind could be considered a significant safeguarding issue. After all, protecting people means protecting data in the public domain.
The fact is, limitations in our traditional email platforms often leave employees vulnerable to such incidents. We cannot recall emails quickly or easily, nor see when messages have been accessed; access control is limited; and it could be argued that autofill capabilities are more of a security hindrance than a help.
Proactive Steps for Mitigating Threats
There are a few fundamental steps that education institutions can take to help mitigate risk to students and faculty. First, implementing two-factor authentication (2FA) adds an extra layer of security for accessing and sharing sensitive data. 2FA requires users to provide two or more verification factors to gain access to a system, such as punching in a code from a text message or an authenticator app, making it significantly harder for unauthorised users to breach security defences – even with a password. By adopting 2FA, schools can protect against unauthorised access even if someone’s login credentials are compromised, massively reducing their exposure.
Next, encrypted communications further improve the integrity and confidentiality of data. Email systems that use encryption will ensure that any data transmitted between users or stored on devices is unreadable to unauthorised parties. This will help to safeguard sensitive information such as student records, financial details, and personal data, ensuring that even if data is intercepted, it remains secure and inaccessible to cybercriminals.
Reducing the platforms used to handle sensitive information can also prevent the chance of data loss incidents. Simply put, controlling data access points will limit the opportunity for mistakes or attacks to happen. For schools, sharing large files is often a challenge, with email often limiting file sizes to 20M – enhancing email to enable large file transfer will simplify workflows for staff by eliminating the need for third-party file transfer sites, which often fail to meet compliance requirements.
Regularly updating and patching IT systems is also fundamental. Cyberattacks often use vulnerabilities in outdated software to gain access, making regular updates essential to protect against known threats. Schools should establish a routine schedule for system updates and patches, ensuring that all software, including operating systems and applications, is kept current, and fit to support compliance with data protection laws.
Finally, raising digital security awareness in staff and students is crucial for building a robust cybersecurity culture. Staff and students cannot be expected to become cybersecurity experts, but they can be made aware of the risks and be asked to follow guidelines and policies that lessen the chances of a breach taking place. However, as security fatigue becomes more prevalent, it is key to review the delivery of training; there is no one-size-fits-all approach. Instead, educational establishments should seek out tools which embed security awareness and best practices into day-to-day workflows, rather than relying on twice-yearly training.
Cyberthreats are on the rise, and schools are firmly in the crosshairs of attackers. But, with the right blend of technology and training, the education sector can learn from previous mistakes, strengthen its security, and heavily mitigate the risk associated with the weakest link in any security chain – us humans.