How to Improve Your School's Online Security

How to Improve Your School’s Online Security

The Information Commissioner’s office has announced that there has been a 43% rise in the number of data security incidents reported by the education sector after the introduction of General Data Protection Regulations.

The rise in reports primarily consist of disclosure issues and cyber-attacks during the summer in 2018. This includes accidentally sending information by email to the wrong address, the loss or theft of data or paperwork and unintentional verbal disclosure.

This doesn’t necessarily mean that schools are breaching data regulations more now that GDPR is in place. It is likely that we have seen a rise in reports due to schools becoming aware of the regulations, and therefore are reporting incidents that they would have previously ignored.

Although, the rise in cyber-attacks on schools is something that needs attention. Reports of cyber attacks have risen by 69% in the past year and not all schools have the expertise internally to protect themselves effectively. We’ve put together some tips for Safer Internet Day to help you to adhere to these new rules and keep your schools’ network secure.

How to Protect Your School From Cyber Attacks

Spam Emails

Viruses are often spread using mislabeled files - hidden inside downloads or attached to spam emails. You should make sure to verify the sender of the email and the trustworthiness of the attachments or downloads before clicking on anything included in the email.

Spam emails can appear to be from legitimate sources, however there are warning signs to look out for:

  • Cybercriminals will often imitate popular companies, using a similar logo and seemingly trustworthy email address. However these will usually be slightly different to the official brand.
  • Does the email include links to unfamiliar websites? Make sure you check where the link actually directs you to (by hovering over, do not click on the link) as the anchor text may seem like a trusted address.
  • Spam emails are likely to include threats or offers, such as suggesting your account has been compromised, you have been charged for something you never agreed to or offerings of large sums of money, if you click the link included.
  • You can always check with the company who supposedly sent the email if you are unsure, and they will confirm whether they are the sender or not.
  • If you receive any spam emails always report them to the company the spammer is imitating if possible.

    Secure Passwords

    When creating a new account a website will usually give you guidelines on how best to create a secure password, however this may not make the password genuinely secure.

    Here’s how to make sure your passwords are as secure as possible:

  • Try to use different passwords for each account you own. If a cybercriminal gets hold of one of your accounts secure information, then they can easily gain access to any other account with the same password.
  • It can be common for users to add in numbers or capitals in the place of a letter (e.g. 0 instead of o) however this doesn’t make your password more secure, software that can be used to try and gain access to your account can automatically try each variation on a word.
  • When creating a secure password we would recommend making a string of a few random words (or letters) and numbers, ensuring this is memorable without using personal information (birthdays, names etc)

    Security Software

    It’s important to make sure that your security software is up to date, keeping up with this will help protect you from new attacks and viruses.

    Firewalls are a major part of a security plan, as they prevent unauthorised access to a user’s network. This is why we offer Fortigate firewalls, for all of our customers.

    Content filtering services such as SurfProtect, block inappropriate websites which can contain malicious files, that can harm your system. This can also block certain file types from being downloaded by unauthorised staff, cutting out a major vulnerability.

    Have you assigned a Data Protection Officer (DPO)?

    Every state funded and private school or nursery, must have at least 1 named Data Protection Officer (the responsibility can be shared across multiple staff members). They are accountable for the privacy of all data systems you use and ensure the compliance of the regulations required.

    Choosing The Right People

    Choosing your DPO is not an easy job, as the responsibilities of a DPO include: educating the school and staff on importance compliance requirements, training staff involved in data processing, maintaining records of all data processing activities and much more.

    The new data regulations don’t specify any qualifications that the officer will need, but do request the officer to have expert knowledge of data protection law and practices. The DPO’s information must be released publicly. In addition to their expert knowledge, the DPO will be required to thoroughly understand the school’s IT infrastructure in terms of the technology, technical and organisational structure. Ideally the DPO will have the ability to work with staff at all levels and have excellent management/leadership skills - but it is the school’s choice whether they hire internally, externally or both.

    Hefty fines can come the school’s way for non-compliance, so it’s important that the DPO understands this - doing everything possible to ensure compliance yet alert the relevant authorities if such an event occurs.

    Points for The DPO to Consider

  • Are you storing personal data of students and parents securely? Are any third parties who may handle personal data GDPR compliant?
  • Are you disposing of past pupil photographs and information after they leave the school? Or when these are no longer required?
  • What are have you got in place to ensure you have relevant consent for any pictures of students?
  • Are you keeping your school up to date with any software (including apps) you download and use in the classroom?
  • When sending an email do you double check the email addresses included are correct?
  • Do you keep a secure backup of your computer? This means you can restore any encrypted information if you are affected by viruses and ransomware.

    For more information, you can take a look at the government and ICO guidance on GDPR.