Cyber risk and education

Cyber risk is a growing concern for many organisations, and we’ve conducted research that shows education establishments are no exception.

It’s clear that many establishments still feel uneasy about whether their school is fully prepared for a cyber attack. Our research revealed that over two-thirds of educational establishments are concerned with the impact of cybercrime, but it is not the only risk. Below are several examples of cyber risks to schools.

Independent school cyber attack

Insurance Times reported a phishing attack on an independent school. The target had been school fees, and the attacker had emailed parents asking them to pay the term's fees via a link. This link, however, had nothing to do with the school, and fees were paid to a rogue website.

It’s very difficult to defend against this type of attack, but creating awareness of how to recognise rogue communications may help prevent parents and teachers from becoming victims of the crime. You can find examples of phishing emails and what to look out for from HMRC.

The insider

Tech-savvy children can also pose a threat to schools. In cyber terms, ‘the insider’ is possibly the most difficult threat to defend against, as they already have access to your systems.

In 2014, several pupils used a keylogger to hack the system and change their grades. Keyloggers can come in the form of software or hardware and record input from the user’s keyboard. Passwords and other information can then be extracted and used, in this case, to change grades.

Data breach

All educational establishments will hold sensitive data about students and staff. Ensuring this data is stored safely is extremely important.

When we think of a data breach today, we often automatically think of cyber criminals gaining access to the data in the system. But a data breach may not be caused by criminal activity.

For example, a staff laptop could be lost or stolen - data may be stored on the desktop, or confidential paperwork downloaded, or there may be a USB stick which holds data records; in all cases, this would be considered a data breach.

Carelessness is sometimes a factor, too, and the accidental release of data can be as unintentional as sending an email correspondence to the wrong person.

An example of the latter took place when a school in East London accidentally revealed the names of seven primary school pupils feared to be at risk of radicalisation as they had received a Freedom of Information request from a parent. This would not necessarily be viewed as a cybercrime, but it is the unauthorised publication of data¹.

Ecclesiastical cyber insurance will also provide legal defence costs if you are sued for the accidental release of data.

Though it’s unlikely any organisation will be able to eliminate the risk of a cyber attack, basic cybersecurity measures are often the most effective and can be carried out without extra IT support.

You can find more information in our guide to cyber security, or visit the Cyber Essentials website for advice from the National Cyber Security Centre for advice and helpful checklists.

Cyber insurance acts as a safety net. As we mentioned, it’s impossible to eliminate cyber risks even with sophisticated cybersecurity controls in place.

Ecclesiastical cyber insurance for schools includes the following cover:

• Computer, data, and cyber risks, designed to meet the needs of small and medium-sized organisations.
• Costs of dealing with data breaches, excluding legal fines.
• Costs of dealing with cyber liability claims.
• Cover for business losses from a cyber event.
• Cover that helps organisations with the impact of cybercrime.

It also includes access to expert advice and support when an incident occurs to help mitigate the financial impact or reputational damage.

¹ www.bbc.co.uk/news/uk-england-london-34942431