Managing cyber risk in further education

  • Organisations within the education sector suffered 52 major data breaches in the first three months of this year
  • The General Data Protection Regulation (GDPR), coming into force in 2018, will introduce new requirements for processing data and tougher penalties for breaches
  • Our new Data Security Tool can help customers identify weaknesses in their current arrangements and make improvements

According to recently released statistics from the Information Commissioner’s Office, education institutions suffered 52 significant data breaches in the first three months of this year.

Like many other bodies, further education institutions of all types are increasingly likely to be victims of a data breach or cyber attack.

In a recent high-profile incident, students at a college in Hove were sent home from an exam after a test paper was stolen in a possible hacking incident. In Norfolk, a group of sixth-form students were mistakenly emailed a spreadsheet containing personal information about their peers.

Given the particular sensitivity of data breaches involving young people, such incidents can make national news and have a damaging impact on an institution’s reputation. Regulators may be brought in if data security procedures are found to be inadequate.

The impact of GDPR

In May 2018, GDPR will come into force, introducing new requirements for those responsible for processing data and tougher penalties for data breaches. The maximum penalty will rise to 4% of turnover or £20m – whichever figure is higher.

For schools and colleges, the introduction of GDPR could mean:

  • Out-of-date IT equipment may have to be replaced
  • It will be illegal to employ third-party data processors that do not meet minimum industry accreditations
  • Parents will need to give consent for any data collected about children, and be given full disclosure about the purposes of collection
  • It will become mandatory to keep a record of personal data processing activities and the contact details of the data controller

Given these changes, it is more important than ever that further education institutions analyse their data resilience, and strengthen their procedures. This is an area where Zurich Municipal can help.

Zurich Municipal’s Data Security Tool

According to David Jones, Education Sales Manager at Zurich Municipal: “Our approach is that cyber liability is primarily a risk management consideration.

“For this reason, the new Data Security Tool has been developed specifically with further education institutions in mind. It is primarily designed to give customers awareness of where their risk management knowledge and preparation sits ahead of GDPR.”

The tool uses a questionnaire to calculate a score showing how well prepared institutions are for GDPR, as well as helping to identify potential weaknesses in their approach to data and cyber security.

David says: “The tool has been designed to take no longer than 30 minutes to complete, and provides a good idea of your level of resilience.

“Once the tool has been used, users contact Zurich and discuss the scoring and what action will need to be taken. In the event of a bad score, we can discuss additional support.”

The tool is a quick way for further education institutions to get an idea of where they stand ahead of the GDPR changes, providing peace of mind and helping improve procedures if necessary.

How further education institutions can manage cyber risk

As well as using our Data Security Tool, there are a number of steps that schools and colleges can take to minimise risks. Alongside technological solutions, staff and students have an important role to play in reducing the chances of data breaches occurring.

Education on safe and responsible behaviour is one of the most effective ways to reduce the chances of an incident. This includes developing robust processes for storing and processing data, and controlling who has access to this data.

Equally important is developing processes to limit the impact of a breach. This involves alerting IT departments about phishing emails and shutting systems down promptly in the aftermath of ransomware attacks. More information on managing cyber risk in schools and colleges can be found in previous Zurich Municipal articles.

While it may not be possible to completely eliminate the risk of cyber attacks and data breaches, it can be substantially reduced. With the introduction of GDPR next year, it is vital that further education institutions are prepared. Our new Data Security Tool is a great place to start.