Sophisticated attacks targeted specifically at education institutions such as schools and colleges have in recent weeks seen several large education providers affected.
For detailed information on the NCSC's alert, visit their website.
The NCSC website has a lot of practical guidance on cyber-security. The NCSC's 10 Steps to Cyber Security is a good starting point. The 10 Steps focus on incident management, malware prevention and managing user privileges.
Additionally, the Department for Media, Culture and Sport has conducted an annual cyber security breaches survey, which contains an annex specifically about education institutions. This has found that the weakest areas for education respondents out of the 10 Steps are user education and awareness (eg staff training).
To reduce the risk of and safeguard against phishing and ransomware attacks, schools should consider raising staff awareness, particularly in light of the fact that training was the area where the schools surveyed appear to be the weakest.
If your school does not already provide cyber security training and guidance for staff then implementing this should be a high priority. Cyber security training should be provided as part of wider staff data protection training. If it has been a few years since your last staff training (and many schools may not have refreshed on this since the GDPR was implemented) then we suggest carrying out refresher training, as well as reviewing policies and procedures to support the training.
Another key safeguard schools can put in place is having a plan for an attack, including thinking about your procedures for detecting and responding in the event of attack. Identifying key members of staff to take ownership of the response process, and ensuring that all staff are aware of who they are, can assist in timely detection and action.
A resource which may be of assistance with this is the NCSC guidance on mitigating malware and ransomware. According to the NCSC, key areas which attackers regularly exploit are:
The key here is for your school to ensure that it has both organisational and technical measures in place to safeguard against cyber-attacks. Organisational measures will include the training (mentioned above) and ongoing guidance that staff can refer to. Technical measures are things such as having back-ups in place and secure firewalls which are up-to-date.
When assessing whether an organisation is in breach of the UK GDPR information security principles, as part of an investigation, the ICO will often have regard to the NCSC guidance.