Cybersecurity and sixth form colleges

Do you often think about cyber security?

Over the past few years, many further education establishments have been relying more on online technologies, making use of web services and tools to keep education running smoothly.

Technology brings great benefits to education but thinking about how we use it securely often comes as an afterthought. We know cyber security can be seen as too expensive or colleges may not have a dedicated team of cyber specialists on hand.

If this situation sounds familiar, this blog post is for you. 

At the National Cyber Security Centre, a part of GCHQ, we work closely with the education sector and have produced a raft of advice on how colleges and schools can improve their defences.

Below we set out why cyber security matters and how all staff can play a role in making your college more secure by following practical steps to get some ‘quick wins.’

Why cyber security matters

Cyber criminals pose an ongoing threat to the education sector, regardless of whether your establishment is large or small.

In the latest government cyber breaches survey, 88% of further education colleges said they had identified breaches or attacks within the last 12 months – and this does not include incidents that are unreported. 

Colleges hold a vast array of data including student and staff personal details, financial details (including payroll and budgets), supplier details, exam results and much more, and this can be of interest to criminals looking to sell data online.

Most cyber criminals are opportunists, looking for a vulnerability in a network that can be exposed for financial gain, but by addressing these weaknesses and raising your organisation’s level of resilience, colleges can make themselves a harder target. 

The impact of successful incidents should not be understated. Attacks can affect a college in the short term and longer term too, hitting finances, reputation and even disrupting key services, including teaching.

Could you cope without access to your entire network for days, weeks or even months?

Ransomware and other key threats

The number one cyber threat facing UK organisations – and probably one of the best-known types of cyber attack – is ransomware.

Ransomware is a type of malicious software that can be installed onto your computer, preventing you from accessing data, and even locking you out of your systems altogether. Victims are then asked to make a payment (the ransom) in order to regain access to their data (though occasionally you still may not have access after paying up).

Since 2020, the NCSC has issued three alerts to the education sector about spates of ransomware attacks, and as this threat continues, we urge colleges to ensure they have appropriate measures in place to protect themselves.

We have published guidance on how to mitigate ransomware attacks on our website, and it highlights the importance of making an offline backups of your data to lessen the harm.

Other types of attack include viruses (also known as malware) which can infect computers, laptops, smartphones and tablets and lead to data being stolen or erased. These are often hidden within email attachments or on removable devices, and you can even get infected by visiting a dodgy website.

Phishing is another common cyber threat facing colleges where a cyber criminal sends an email (or text message) enticing a user to click on a link to a dodgy website or into giving away sensitive information.

How do you prevent getting infected?

We know cyber security can seem daunting, but you don’t need very technical skills to play a part in boosting your college’s defences. The NCSC produces free guidance and tools, many of which are designed for anyone to use.

All staff members can help by staying vigilant to suspicious activity that might negatively impact your college’s cyber security, for example by reporting suspicious emails that might be phishing attacks to their internal or outsourced IT support team, by ensuring that updates are installed on all operating systems and applications, and by making sure anti-virus products are turned on (and ensuring these are up to date).

Everyone, including students, can also help secure systems by setting strong passwords on their accounts using three random words.

At a senior level, college leaders should be thinking more strategically about preparing for cyber incidents, and should be aware of the impact an attack could have both on everyday business and on individuals.

It’s crucial colleges have a response plan in place and that this is well-practised so staff know what to do if an incident happens; the NCSC’s free Exercise in a Box tool can help with this. And in the event of an attack, colleges should report this to Action Fraud and the NCSC for support.

Sign up for new defence tools

For colleges’ IT support staff, we recommend checking out our 10 Steps to Cyber Security guidance as a great starting point for improving cyber resilience.

The NCSC also offers further free tools to colleges -  Web Check and Mail Check – which are invaluable for supporting technical teams with boosting website and email security. Both tools are designed to be quick to set up, and thereafter run automatically.

While cyber security may be new to some staff, putting some fundamental security measures in place and encouraging open discussions among staff and students can significantly reduce the chances of falling victim to common cyber threats.

With technology so essential to how colleges run, improving cyber resilience should be considered a priority to help protect teaching, your community, and the wider business from disruption and harm.

This blog is from the Economy & Society Resilience team at the National Cyber Security Centre.