Will Your School be Able to Positively Answer the Ofsted Briefing Questions Related to Cyber Security?

Introduction  

Schools hold countless of personal, highly sensitive data of students, staff, and parents and therefore, must be equipped to confidently answer potential questions aligned with the General Data Protection Regulations (GDPR). Certainly regarding the confidential personal data of students, schools must assure complete protection of the data due to it being a high security safeguarding issue. In order to achieve high Ofsted ratings and demonstrate your school’s dedication to the e-safety of its pupils and staff, the following steps need to be fulfilled. 

What my school needs to do to ensure cyber compliance   

1. Have a list of the different IT providers.   

To ensure the safety of the stored data, the school needs to be aware of its main IT providers. This includes the internet providers and those who manage the school’s website. This can also include IT support contracts from local authority of a managed service provider.  

2. Know who is responsible for IT management and coordination.  

This could be a teacher, a network manager, or an external provider. It is important for the headteacher and the school managers to know who is responsible for the IT implementation and management. Additionally, it is important to be aware that this person/team/company complies with the security practices summarized in the NCSC’s guidance 10 steps to Cyber Security, the Small Business Guide and General Data Protection Act.  

3. Assure the safety of the critical digital assets.  

Some digital services need to be secured depending on the critical nature of the services. For example, the school’s Management Information System (MIS) is a greatly critical asset as it contains the medical records, safeguarding information and parental and guardian contacts of the pupils. If IT access to MIS is compromised, it would be difficult for the school to resume operations. The IT services in a school could be managed internally or with a contract or both.  

If the school exercises best cyber security practices when employing IT teams, the assurance of effective cyber security is higher. The UK government has a suit named G-Cloud which enables schools to obtain cloud IT services and additional IT products.  

4. Have a backup plan and a restoration plan. 

 In case of loss of access to the stored critical data, stemming effects of this can be eased by having a good backup and restoration plan. Various incidents that are not related to cyber security need to be kept in mind also such as fire, floods, physical damage, and theft of devices to ensure a good backup and restoration plan for lost or compromised data. 

Backups need to be carried out on a separate system from the school’s network. These backups need to be practiced regularly.   

5. The IT policy should reflect good cyber security practices. 

Cyber related incidents should be treated as risk management simultaneously with IT and data compromise risks. The school’s cybersecurity practices should be referenced in relevant school policies such as data protection, acceptable uses, and business continuity. Cyber security should be a regular topic in board meetings in addition to physical security of the school.  

6. Staff should receive training regarding cyber security threats and incidents. 

Increased awareness of good cyber security practices will enable staff to alert other staff in case problems arise such as phishing emails or phone calls or recognising a service’s unusual slow pace which could be a sign of a cyber-attack. Staff can be asked to participate in cyber security training courses. 

7. The school will need to be able to resume its operations. 

In addition to the MIS service, further digital services such as telephones, access control systems and cashless payment systems would be affected, impacting the school’s operation. A continuity plan needs to be established such as having a paper copy of the register as well as further contact information of parents and those involved with the school such as IT suppliers. 

8. Following the occurrence of a cyber incident, the school needs to know who to contact. 

The key external IT provider must be contacted as well as the internal IT management team of the school. Furthermore, local authority, chair of the governing body and local law enforcement will need to be notified. Further information can be found under GDPR (General Data Protection Regulations) guidelines.  

By complying with these steps, school staff will be able to provide detailed answers regarding the following Ofsted requirements in assuring safe cyber security practice. Further information regarding the Ofsted requirements can be found here.   

For specific statistics including the highest likelihood of certain cyber-attacks, more information can be found here.   

Consequences for schools failing to properly implement cyber security  

Consequences that will follow in the case of improper implementation of cyber security will be potentially dangerous. The school could face a data breach which would result in the sensitive data of countless pupils and the staff could be stolen and sold on the dark web. Ransoms could be demanded.  

As a result of this, the school could be closed down and those who failed to enact effective cyber security practices such as the associated IT staff and senior staff who failed to ensure that regular staff have received appropriate cyber security training could face various legal consequences depending on the severity. 

How Securiwiser can help  

All of the outlined tasks are of high magnitude which can cause difficulties in assuring routine backups of sensitive data, routine scans to detect potential threats and further affirmations of effective practices.  The aim of Securiwiser is to provide effective cybersecurity consultation to support our clients in carrying out these large numbers of tasks with full confidence.   

By joining Securiwiser, we can provide our clients with daily scans to alert our clients and independent users of underlying compromises and provide advice on how to handle arising issues in the most cost effective and time saving manner.