DCMS survey highlights huge cybersecurity challenge for education sector

Phishing was the most typical form of attack on education institutions, suggests a new government survey

A government cybersecurity survey has identified the education sector as one of the most statistically at-risk, with a considerably higher number of schools, colleges, and universities identifying breaches or attacks in the last 12 months than most other employers.

The survey conducted by the Department for Digital, Culture, Media, and Sport (DCMS) found that 70% of secondary schools, 88% of further education colleges, and 92% of higher education institutions polled had identified a breach or attack in the year to January 2022. These figures contrast strongly with 39% of UK businesses.

Phishing was the most typical form of attack on schools, colleges, and universities, the survey responses suggest. Emails impersonating others, viruses such as spyware and malware, and denial of service attacks were the second, third, and fourth most commonplace threats.

Although respondents noted far fewer cases of ransomware and the takeover of user accounts, as many as 18% and 26% of universities detected these breaches, respectively, underlining the multifaceted nature of the threat facing IT managers in HE.

Sixty-two percent of universities detected breaches or attacks at least weekly – considerably more than colleges or schools. According to the survey, 71% of universities experienced “a negative outcome”, like loss of data or money from an attack in the last 12 months.

Nearly nine in 10 universities had been negatively affected by an attack, even if there was no “material impact”: 76% had lost staff time to deal with the attack and diverted future resources to counter future threats.

Respondents included 198 primary schools, 221 secondary schools, 34 FE colleges, and 37 HE institutions.

The findings suggest that the education sector has recognised the heightened threat faced.

Every university and college and 98% of secondary schools that responded to the survey said that senior managers and governors were engaged with the challenge – compared to 82% of UK businesses.

Two-thirds of schools and nine in 10 universities have dedicated senior leaders responsible for managing cybersecurity. But primary schools lagged behind other areas of the education sector, the survey found, in almost every category of preparedness and awareness.

For example, while 95% of universities and 65% of secondary schools have specific tools for monitoring cybersecurity, this figure falls to just 41% of primary schools. Similarly, secondary schools were more than twice as likely as primary schools to have commissioned a cybersecurity audit.

According to the survey, schools, colleges, and universities were 10 to 20 percentage points more likely than businesses to have implemented the government’s five cornerstone cybersecurity practices. These include firewalls covering the entire IT network, restricting IT admin and access rights, and security controls on all devices.

The survey suggests primary schools were the most likely to have rules for securely storing and moving personal data – one of the few areas where they outperformed the rest of the education sector.

The government wants more education institutions to engage with its 10 Steps to Cyber Security guidance, a checklist that includes risk management, training, and data security. Although more than nine in 10 schools, colleges, and universities surveyed have engaged with the guidance, only 12% of primary and 19% of secondary schools have engaged with all aspects.

Nelson Ody, product manager for cybersecurity at RM, said the DCMS survey “reminds us all of the ongoing risks that schools face”.

“My advice for education institutions would be to focus on getting the basic approach right. This includes making multi-factor authentication (MFA) a must for all staff, having the necessary email protections, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), having up-to-date and well-managed endpoint protections and software updates being done within two weeks of release,” he said. “Most importantly, this all needs to be in conjunction with awareness programs for staff and students, testing them through various simulations. After all, cyber-aware individuals will be yet another resource in keeping attacks at bay.”
