Cyber risk and education

28 February 2019

We’ve put together some information to help schools protect themselves from cyber threats.

Cyber risk is a growing concern for many organisations and we’ve recently conducted research that shows education establishments are no exception.

Examples of cyber risk in schools

It’s clear that many establishments still feel uneasy about whether their school is fully prepared for a cyber attack. Our research revealed that over two thirds of educational establishments are concerned about the impact of cyber crime, but it is not the only risk. Below are several examples of cyber risks to schools.
Independent school cyber attack
Last year, Insurance Times reported a phishing attack on an independent school. The target had been school fees and the attacker had emailed parents asking them to pay the term’s fees via a link. This link, however, had nothing to do with the school and fees were paid to a rogue website.
 
It’s very difficult to defend against this type of attack, but creating awareness of how to recognise rogue communications may help prevent parents and teachers becoming victims of the crime. You can find examples of phishing emails and what to look out for from HMRC.
The insider
Tech-savvy children can also pose a threat to schools. In cyber terms, ‘the insider’ is possibly the most difficult threat to defend against as they already have access to your systems.
 
Famously in 2014, several pupils used a keylogger to hack the system and change their grades. Keyloggers can come in the form of software or hardware and record input from the user’s keyboard. Passwords and other information can then be extracted and used, in this case, to change grades.
Data breach
All educational establishments will hold sensitive data about students and staff. Ensuring this data is stored safely is extremely important.  
 
When we think of a data breach, today we often automatically think of cyber criminals gaining access to the data in the system. But a data breach may not be caused by criminal activity.  
 
For example, a staff laptop could be lost or stolen. Data may be stored to the desktop, confidential paperwork may have been downloaded, or there may be a USB stick which holds data records. In all cases this would be considered a data breach.
 
Carelessness is sometimes a factor too, and the accidental release of data can be as unintentional as sending an email to the wrong person.
 
An example of the latter took place when a school in East London accidentally revealed the names of seven primary school pupils feared to be at risk of radicalisation as they had received a Freedom of Information request from a parent. This would not necessarily be viewed as a cyber crime, but it is the unauthorised publication of data [1].
 
Ecclesiastical cyber insurance will also provide legal defence costs if you are sued for the accidental release of data. 

Defending against a cyber attack

Though it’s unlikely any organisation will be able to completely eliminate the risk of a cyber attack, basic cyber security measures are often the most effective and can be carried out without extra IT support.
 
You can find more information in our guide to cyber security or visit the Cyber Essentials website for advice and helpful checklists from the National Cyber Security Centre.

Cyber insurance for schools

Cyber insurance acts as a safety net. As we mentioned, it’s impossible to completely eliminate cyber risks even with sophisticated cyber security controls in place. 

What does cyber insurance cover?

Ecclesiastical cyber insurance for schools includes the following cover:

  • Computer, data and cyber risks, designed to meet the needs of small and medium-sized organisations.
  • Costs of dealing with data breaches excluding legal fines.
  • Costs of dealing with cyber liability claims. 
  • Cover for business losses from a cyber event. 
  • Cover that helps organisations with the impact of cyber crime.

It also includes access to expert advice and support when an incident occurs to help mitigate the financial impact or reputational damage.

[1] http://www.bbc.co.uk/news/uk-england-london-34942431