Meeting the DfE's Cyber Security Standards
Cybersecurity is a major concern for all organisations and, more recently, especially for schools and colleges. Education establishments hold a lot of sensitive data, such as student records, financial information and personal data, and this data is valuable to cybercriminals.
Cyber Security Standards: A Summary
In a nod to Cyber Awareness Month and to continue our series of summaries based on the Digital and Technology Standards published by the DfE, this week the spotlight is on the Cyber Security standards, which have been designed to help schools and colleges protect their data and systems from cyberattacks.
Protect all devices on every network with a properly configured firewall
Properly configured firewalls prevent many attacks. They also make scanning for suitable hacking targets much harder.
Network devices should be known and recorded with their security features enabled, correctly configured and kept up-to-date
Attackers scan for and exploit devices whose security features are not enabled. Recording network devices helps schools keep their networks up to date and speeds up recovery.
Accounts should only have the access they require to perform their role and should be authenticated to access data and services
Preventing and limiting the compromise of these accounts prevents and limits successful cyber-attacks.
You should protect accounts with access to personal or sensitive operational data and functions by multi-factor authentication
Multi-factor authentication only allows access to a service when you present 2 or more different forms of authentication. It reduces the chance of an attacker compromising an account, which is especially important if the account has access to sensitive or personal data.
You should use anti-malware software to protect all devices in the network, including cloud-based networks
Up-to-date anti-malware and anti-virus software reduce the risk of many forms of cyber-attack.
An administrator should check the security of all applications downloaded onto a network
Applications can introduce malware onto a network or contain unintentional security weaknesses, either of which makes attacks against the network easier to execute.
All online devices and software must be licensed for use and should be patched with the latest security updates
Unsupported software does not receive security updates and over time it becomes:
- more vulnerable as methods of exploitation are discovered
- less compatible with the security measures integrated into the network operating system
You should have at least 3 backup copies of important data, on at least 2 separate devices, at least 1 must be off-site
A backup is an additional copy of data, held in a different location, in case the original data is lost or damaged. If all copies were held in the same location, they would all be at risk from natural disasters and criminal damage.
Backups of important data are crucial for quick recovery in the event of disaster.
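The backup standard above is concrete enough to check mechanically. The following is an added example, not code from the DfE or Dataspire: it takes a constructed inventory of backup copies (the `BackupCopy` records, device and location names are all made up for illustration) and reports which clauses of the "3 copies, 2 devices, 1 off-site" rule are met, plus a finding when every copy sits at a single site, which the standard calls out as the main risk.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One backup copy in the inventory (sample records below are constructed)."""
    label: str        # human-readable name of the copy
    device: str       # storage device or system that holds it
    location: str     # physical site of that device
    off_site: bool    # True when the copy is held away from the school's premises


def check_backup_rule(copies, min_copies=3, min_devices=2, min_off_site=1):
    """Evaluate an inventory of backup copies against the 3-2-1 rule.

    Only backup copies are counted, matching the standard's wording; the live
    data is not part of the inventory. Returns a dict with one boolean per
    clause, an overall 'compliant' flag and a list of findings for anything
    that fails.
    """
    n_copies = len(copies)
    devices = {c.device for c in copies}
    off_site = [c for c in copies if c.off_site]
    locations = {c.location for c in copies}

    result = {
        "copies": n_copies,
        "devices": len(devices),
        "off_site": len(off_site),
        "three_copies": n_copies >= min_copies,
        "two_devices": len(devices) >= min_devices,
        "one_off_site": len(off_site) >= min_off_site,
        "findings": [],
    }
    if not result["three_copies"]:
        result["findings"].append(
            f"only {n_copies} backup copies; at least {min_copies} required")
    if not result["two_devices"]:
        result["findings"].append(
            f"copies are spread over {len(devices)} device(s); at least {min_devices} required")
    if not result["one_off_site"]:
        result["findings"].append(
            "no off-site copy; at least one copy must be held away from the school")
    # A single site is the scenario the standard warns about: fire, flood or
    # criminal damage there would take every copy at once.
    if n_copies and len(locations) == 1:
        result["findings"].append(
            f"every copy is held at '{next(iter(locations))}', so one incident could destroy them all")
    result["compliant"] = (result["three_copies"]
                           and result["two_devices"]
                           and result["one_off_site"])
    return result


# Constructed sample inventory that satisfies every clause.
COMPLIANT_INVENTORY = [
    BackupCopy("nightly snapshot", "nas-01", "main site server room", False),
    BackupCopy("weekly full backup", "tape-set-A", "main site server room", False),
    BackupCopy("cloud archive", "cloud-bucket-eu", "provider data centre", True),
]

# Constructed sample inventory: three copies, but all on one NAS at one site.
WEAK_INVENTORY = [
    BackupCopy("nightly snapshot", "nas-01", "main site server room", False),
    BackupCopy("weekly full backup", "nas-01", "main site server room", False),
    BackupCopy("monthly full backup", "nas-01", "main site server room", False),
]


if __name__ == "__main__":
    for name, inventory in (("compliant", COMPLIANT_INVENTORY), ("weak", WEAK_INVENTORY)):
        report = check_backup_rule(inventory)
        print(f"{name}: compliant={report['compliant']} "
              f"(copies={report['copies']}, devices={report['devices']}, off_site={report['off_site']})")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

The weak inventory is the common failure mode in practice: plenty of copies, all on the same device in the same room, which satisfies "3 copies" while missing the point of the rule. Running the check against a real inventory export (one `BackupCopy` per copy) turns the standard into a pass/fail item for an audit.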
Your business continuity and disaster recovery plan should include a regularly tested contingency plan in response to a cyber-attack
Being unprepared for a cyber-attack can lead to poor decisions, slow recovery and expensive mistakes. A good response plan made ahead of time will speed up your response and reduce stress and confusion.
Serious cyber-attacks should be reported
A serious attack that compromises data might involve:
- stealing the data
- copying the data
- tampering with the data
- damaging or disrupting the data, or similar
- unauthorised access
You should report any suspicious cyber incident to Action Fraud on 0300 123 2040 or on the Action Fraud website.
You must conduct a Data Protection Impact Assessment by statute for the personal data you hold, as required by the General Data Protection Regulation
The protection of sensitive and personal data is vital to:
- the safety of staff and students
- the reputation of schools and colleges
- the confidence placed in schools and colleges
- avoiding the legal liabilities to which security breaches expose schools and colleges
Train all staff with access to school IT networks in the basics of cybersecurity
The most common forms of cyber-attack rely on mistakes by staff members to be successful. Avoiding these mistakes prevents attacks. Basic cyber security knowledge amongst staff and governors is vital in promoting a more risk-aware school culture.
To help you meet the standards, Dataspire recommends…
- Develop a cybersecurity policy: The cybersecurity policy should outline your approach to cybersecurity. It should cover things like the use of passwords, data protection and security awareness training.
- Conduct a cybersecurity risk assessment: The risk assessment should identify all the potential risks to the school or college's data and systems, and assess the likelihood and impact of each risk.
- Develop a cybersecurity incident response plan: The incident response plan should outline the steps that will be taken in the event of a cyberattack, including how to identify an attack, how to contain it and how to recover from it.
- Provide cybersecurity training to staff and students: Training should be provided to all staff and students on a regular basis and should cover topics such as password security, phishing awareness and social engineering.
- Use a layered security approach: A layered security approach combines several security measures to protect your data and systems, for example firewalls, intrusion detection systems and anti-virus software.
- Use multi-factor authentication: Multi-factor authentication adds an extra layer of security to accounts by requiring users to enter a code from their phone in addition to their password.
- Keep your software up to date: Software updates often include security patches that protect your data and systems from known vulnerabilities.
- Back up your data regularly: In the event of a cyberattack, a backup of your data lets you restore it quickly.
- Test your cybersecurity measures regularly: Regular testing confirms that your security measures are working as expected.
- Use a password manager: A password manager helps staff and students to create and manage strong passwords.
Dataspire is already helping hundreds of schools to meet these standards so why don’t you get in touch to find out how we can help you to protect users and data at your establishment today.