“Thousands of pupils across the UK at risk of having their personal data stolen” warn tech experts, as up to 80% of education institutions identify cyber breaches or attacks within a 12-month period

Tech experts from Infuse Technology, a Midlands based IT Managed Service Provider and member of the Smith Cooper Group, have issued a stark reminder on the importance of protecting the sensitive data of pupils, particularly those in secondary and higher education settings, as the amount of data breaches and cyber-attacks multiply.

The Department for Digital, Culture, Media and Sport (DCMS) last year published the results of its Cyber Security Breaches Survey 2020 which shows 41% of primary schools reported a breach within a 12-month period, whilst 76% of secondary schools and 80% of further/higher education institutions also reported at least one breach.

Under General Data Protection Regulation guidelines (GDPR), schools must report breaches to the ICO (Information Commissioner’s Office) within 72 hours of their discovery. Examples of educational data breaches investigated by the ICO in recent years include:

• A former head teacher who obtained personal information about school children
• A primary school mistakenly sent a confidential letter discussing the redundancy of a member of staff to parents. The email included the staff member’s name and home address
• A primary school sent a list of children entitled to free Christmas lunches to all parents
• Tens of thousands of examiners had their personal details stolen after the exam board AQA was the victim of a cyber-attack

Even simple things like members of staff not having pin codes on their work phones in order to protect safeguarding information in the event of a lost phone puts student and staff’s sensitive information at risk.

Paul Howard, Managing Director of Infuse Technology warns “The figures published last year by DCMS are a sobering reminder that there is still a lot to be done when it comes to protecting the sensitive data of the youngest in our society. It should encourage all educational institutions to conduct a thorough and comprehensive audit of their existing cyber security policy and take the necessary action to ensure appropriate measures are in place to assure safeguarding.”

Paul adds “Since September 2020, the Department for Education established a continuity directive for mandatory remote education, so that pupils are able to continue learning despite the restrictions imposed to combat the spread of COVID-19. This in itself presents educational institutions with additional challenges when it comes to cyber security, which is why it is now more important than ever that organisations asses their existing cyber security measures, particularly for remote learning, in order to reach and maintain Cyber Essentials standards.”

“Having a water-tight IT infrastructure in place is just the beginning. It’s crucial that this is maintained and reviewed regularly, particularly given the speed at which digital threats continue to evolve” says Paul Howard.

“There are small, yet effective measures that all institutions can adopt in the immediate short-term to become more cyber aware and enhance existing security protocols. These include keeping security software up to date and enabling automatic updates to ensure you’re using the most recent version, using anti-virus protection and firewalls, making use of a password management tool and enable two-factor or multi-factor authentication and ensuring staff and pupils are aware of phishing scams, and how to identify them.”

“In order to ensure schools and academies are well equipped to protect and educate, we have developed a process which means they are able to establish and implement mechanisms to identify, intervene in and escalate any digital security threats, all of which is aligned with Government recommendations for security governance.”