The sustained integration of technology into the schoolroom over the past two decades has undoubtedly changed the art of teaching for the better. Yet, technological innovation has also fostered the emergence of a new breed of criminals, who have schools set firmly in their sights. With sensitive pupil data on file, as well as the financial details of fee-paying parents and guardians, cybercrime is now one of the fastest growing risks to independent schools.

How, then, can independent schools stay one step ahead of cyber criminals? And what procedures should be put in place to safeguard against security breaches, mitigate reputational damage, and assure parents that their child – and their data – is secure? No matter the history, size or reputation of a school, the nature of modern life has left all organisations at risk of cyber-attacks. Increasingly identified as easy pickings for cyber criminals, independent schools have seen the number of attacks rise sharply in recent years. Crucially, the trend is showing no sign of abating and the sophistication of such attacks will only continue to increase.

One cyber security issue that comes up frequently in conversation with stakeholders across the independent education sector is that of ownership. Given the sensitive pupil information that schools are privy to, it goes without saying that the issues of cyber security and safeguarding are inextricably linked. Whilst safeguarding is a well-established function of school governance, the notion of a specific role in cyber security is relatively new.

One school governor, who has spoken with Endsleigh, stated that 15 years ago schools underestimated the potential impact of social media and were slow to equip themselves to use it. The same can now be said for the way schools are responding to cybercrime and, for governors who are aware of the risks it poses, not prioritising it highly enough is a big concern. School bursars are often given the task of procuring cyber security systems, but, without specialist knowledge or enough time to dedicate to investigating the market, the task can easily be given lower priority.

"The sector has a lack of ready access to skills and expertise to provide a watertight security system."

One potential reason for the vulnerability of the sector to cyber threats is the lack of ready access to the skills and expertise, either in house or within easy reach, needed to provide a robust and watertight cyber security system. Yet, the problem will not go away and independent schools are likely to remain high on the list of targets for cyber criminals. It is critical, therefore, that the vulnerability is acknowledged, future responsibility is clearly appointed and appropriate resources are provided. Proactivity should be at the heart of a truly effective cyber resilience strategy.

What, then, are the major cyber security risks independent schools should be planning for, and what are the consequences? Phishing attacks are the most common, where hackers break into a school’s IT system and, for example, contact parents with false payment details when fees are due. Unsuspecting parents duly accept the new information, with the hackers quick to close down accounts once any payments have been made.

Ransomware is another popular tactic. Here, hackers gain access to sensitive data, such as pupil records, parents’ financial information, or even CCTV footage, and demand huge sums of money to relinquish the data, often with no guarantee of return once payments have been made. Alternatively, they can take over individual devices or entire networks and only relinquish control once a ‘ransom’ has been paid.

Other threats include the permanent deletion of digital files containing educational resources or sensitive data. Any of these occurrences can easily result in significant and long-term reputational damage for a school, not to mention the potential loss of income if worried parents decide to move children elsewhere.

"Staff should be trained in basic cyber security principles."

What steps can schools put in place to protect against cyber criminals? First and foremost, staff should be trained in basic cyber security principles to ensure that they understand why certain protocols must be followed when it comes to data protection, and how to spot potential breaches. Either a cyber security governor or a senior member of staff should also be appointed to ensure best practice is maintained, with a clear reporting process identified to flag any concerns or potential breaches.

Protection software should be regularly updated and installed on all operating devices. Be sure to update all devices when prompted and regularly check for operating system upgrades. Wi-Fi networks should also be made secure, and adequate firewalls used for all internet connections. Passwords should be regularly changed.

Most importantly, ensure that your school has a dedicated cyber liability insurance policy. The introduction of GDPR promises much stricter penalties for inadequate security, and many schools’ data security has improved as a result, but this will not be impregnable, and the value of a strong cyber insurance policy will continue to grow.

Worryingly, initial research undertaken by Endsleigh revealed that just a quarter of all independent schools contacted were covered by cyber liability insurance. Not only does a policy typically cover loss of income related to a cyber-attack, but it can also cover the cost of third-party experts should they be required, such as a forensic investigator or ransom negotiator. This should be a fundamental part of a proactive cyber resilience strategy. Ultimately, the cyber threats facing independent schools are only set to increase.

Criminals are acutely aware of both the sector’s collective vulnerability and the potential assets they can capitalise on. While schools are waking up to the threat, it is not yet happening at the pace needed to get ahead of the perpetrators. Appointing a dedicated official for cyber security, be it at a senior management or even governor level, can kick-start an effective cyber resilience programme, underpinned by a comprehensive cyber liability insurance policy.