Managing cyber risk in schools and colleges

  • Further Education institutions are offering students an increasing number of online learning resources
  • Technology can offer schools and colleges great benefits, but the cyber risks must be carefully managed
  • We look at how schools and colleges can reduce the risk of a cyber incident, and what you should do if a data breach occurs

Embracing technology can offer wide-ranging benefits, but it also introduces new risks to consider.

Online learning resources, for example, can help students gain access to a range of educational tools outside the classroom, while allowing staff to monitor their progress remotely.

Such resources can help to bring teachers and learners closer together, but it is important that the associated cyber risks are carefully managed.

Bringing teachers and students together

Cheryl Pennington is Assistant Principal for Teaching and Learning at Reading College, which offers a number of online resources for staff and students.

One resource, called Pass it On, includes more than 100 free or low-cost downloads, such as Padlet, an app that allows students to collaborate and share their ideas on a common topic.

“My advice would be that piloting this kind of new technology can enable a deeper understanding of what works for your college, enabling you to put experimentation and innovation at the heart of your approach,” says Pennington.

Cyber security concerns for schools and colleges

However, embracing technology, such as that used at Reading College, also requires a careful understanding of the risks involved.

The more information that FE institutions hold and share online, the greater the risk of a data breach, either accidental or malicious.

During the past academic year, the Information Commissioner’s Office (ICO) dealt with 66 reported breaches of the Data Protection Act at schools, ranging from unauthorised disclosures of information by staff, to incidents where data was lost, or stolen by hackers.

The ICO says that during the most recent period for which information is available – October to December 2015 – the biggest issues for the education sector were data being sent by email to an incorrect recipient, and insecure webpages (including hacking).

Introduce defences

It is important that your school or college has robust technological defences in place to reduce the threat from cyber attackers, including:

  • Installing firewalls and regularly updating antivirus software
  • Encrypting sensitive data
  • Password-protecting memory sticks and laptops
  • Encouraging users to choose strong passwords
  • Carefully managing user/admin access

Reducing the risk of human error

You should also do all you can to reduce the risk of an inadvertent data breach caused by human error, a risk that every education provider faces.

A number of schools and colleges have been investigated by the ICO in recent years after student details, including home addresses and phone numbers, were inadvertently made accessible to the public.

Organisations can face fines of up to £500,000 or even criminal charges for serious breaches of the Data Protection Act.

Your school or college should consider not just whether data protection training is available to staff, but whether it is mandatory, as the ICO has pointed out that take-up of such training programmes is often low.

FE institutions should also take steps to educate staff and students on other cyber dangers, such as phishing scams.

How to handle a cyber incident

Even with robust security measures, it is impossible to completely eliminate the risk of a cyber attack or other data breach.

You should therefore ensure that your school or college has established a robust response plan. This should include details for the prompt notification of any data breaches to the wider staff and student community, along with steps they can take to reduce the risk of further breaches. See boxout for details.