Meeting the DfE's Cyber Security Standards

Cybersecurity is a major concern for all organisations, and increasingly so for schools and colleges. Education establishments hold a lot of sensitive data, such as student records, financial information and personal data, and that data is valuable to cybercriminals.

Cyber Security Standards: A Summary

In a nod to Cyber Awareness Month, and to continue our series of summaries of the Digital and Technology Standards published by the DfE, this week the spotlight is on the Cyber Security standards, which are designed to help schools and colleges protect their data and systems from cyberattacks.

 

Protect all devices on every network with a properly configured firewall


Reasons why:

Properly configured firewalls block many attacks outright. They also make it much harder for attackers scanning the internet to find a suitable target, because ports and services that are not exposed cannot be enumerated. "Properly configured" means a default-deny policy with only the services you actually need allowed through, reviewed whenever a system changes.

 

Network devices should be known and recorded with their security features enabled, correctly configured and kept up-to-date


Reasons why:

Attackers scan for and exploit devices whose security features are not enabled. Keeping a record of every network device (what it is, where it is, its software or firmware version and who is responsible for it) helps schools keep their networks up to date and speeds up recovery after an incident, because you cannot patch or rebuild what you do not know you have.

 

Accounts should only have the access they require to perform their role and should be authenticated to access data and services


Reasons why:

Limiting each account to the access its role needs (least privilege) limits what an attacker can do with a compromised account, so fewer compromises turn into successful cyber-attacks. Requiring authentication for every data source and service means there is no route to sensitive data that bypasses those limits.

 

You should protect accounts with access to personal or sensitive operational data and functions by multi-factor authentication


Reasons why:

Multi-factor authentication only grants access to a service when you present two or more different forms of authentication, for example a password plus a one-time code from an authenticator app or a hardware security key. It greatly reduces the chance of an attacker taking over an account with a stolen or guessed password alone. This is especially important for accounts with access to sensitive or personal data.

 

You should use anti-malware software to protect all devices in the network, including cloud-based networks


Reasons why:

Up-to-date anti-malware and anti-virus software reduces the risk of many forms of cyber-attack. It only helps if it is installed on every device, kept current and actually reporting back, so check coverage from the management console rather than assuming it.

 

An administrator should check the security of all applications downloaded onto a network


Reasons why:

Applications can introduce malware onto a network or contain unintentional security weaknesses, either of which makes attacks against the network easier. Checking an application before it is installed (where it came from, who publishes it, what permissions and network access it wants) is far cheaper than removing it afterwards.

 

All online devices and software must be licensed for use and should be patched with the latest security updates


Reasons why:

Unsupported software does not receive security updates, and over time it becomes:

    • more vulnerable, as methods of exploiting its known flaws are discovered and published
    • less compatible with the security measures integrated into the network operating system

 

You should have at least 3 backup copies of important data, on at least 2 separate devices, at least 1 must be off-site

 
Reasons why:

A backup is an additional copy of data, held in a different location, in case the original data is lost or damaged. If all copies were held in the same place, they would all be at risk from the same fire, flood, theft or criminal damage. This is the widely used 3-2-1 rule: three copies, on two different types of storage, with one held off-site.

Backups of important data are crucial for quick recovery after a disaster, but only if they can actually be restored. Keep at least one copy offline or otherwise out of reach of an attacker who has control of the live network (ransomware routinely targets connected backups first), and test restores regularly rather than assuming the backup job succeeded.

 

Your business continuity and disaster recovery plan should include a regularly tested contingency plan in response to a cyber-attack

 
Reasons why:

Being unprepared for a cyber-attack leads to poor decisions, slow recovery and expensive mistakes. A response plan agreed ahead of time speeds up your response and reduces stress and confusion. Testing it regularly, for example by walking through a ransomware scenario with the people who would actually have to act, is what shows whether the plan works and whether the contact details, backups and access it relies on are still valid.

 

Serious cyber-attacks should be reported


Reasons why:

A reportable incident is any compromise of data, which might include:

    • stealing the data
    • copying the data
    • tampering with the data
    • damaging or disrupting the data, or similar
    • unauthorised access

You should report any suspicious cyber incident to Action Fraud on 0300 123 2040 or via the Action Fraud website. Where personal data is involved, the UK GDPR separately requires you to notify the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, so the incident response plan should say who makes that decision and who makes the call.

 

You must conduct a Data Protection Impact Assessment for the personal data you hold, as required by statute under the General Data Protection Regulation

 
Reasons why:

The protection of sensitive and personal data is vital to:

    • the safety of staff and students
    • the reputation of schools and colleges
    • the confidence placed in schools and colleges
    • avoiding the legal liabilities that security breaches expose schools and colleges to

 

Train all staff with access to school IT networks in the basics of cybersecurity

 
Reasons why:

The most common forms of cyber-attack, such as phishing, rely on a mistake by a member of staff in order to succeed. Avoiding those mistakes prevents the attack. Basic cyber security knowledge amongst staff and governors is vital in promoting a more risk-aware school culture.

 

To help you meet the standards, Dataspire recommends…

Strategically:

  • You develop a cybersecurity policy: The cybersecurity policy should outline your approach to cybersecurity. It should include things like the use of passwords, data protection, and security awareness training.
  • You conduct a cybersecurity risk assessment: The cybersecurity risk assessment should identify all the potential risks to the school or college’s data and systems. It should also assess the likelihood and impact of each risk.
  • You develop a cybersecurity incident response plan: The cybersecurity incident response plan should outline the steps that will be taken in the event of a cyberattack. It should include things like how to identify an attack, how to contain the attack, and how to recover from the attack.
  • You provide cybersecurity training to staff and students: Cybersecurity training should be provided to all staff and students on a regular basis. The training should cover topics such as password security, phishing awareness, and social engineering.

Technically

  • Use a layered security approach: A layered security approach uses a combination of security measures to protect your data and systems, so that no single failure exposes everything. This could include firewalls, intrusion detection systems and anti-virus software.
  • Use multi-factor authentication: Multi-factor authentication adds a second layer of protection to accounts by requiring something beyond the password, such as a one-time code from an authenticator app or a hardware security key. Prefer app- or key-based factors over SMS codes, which can be intercepted or redirected, and enable MFA first on administrator, finance and MIS accounts.
  • Keep your software up-to-date: Software updates often include security patches that protect your data and systems from known vulnerabilities. Check that updates have actually been applied rather than only that they were pushed.
  • Back up your data regularly: In the event of a cyberattack, it is important to have a backup of your data so that you can restore it quickly. Keep at least one copy offline or immutable so that ransomware cannot encrypt it along with the live data, and test that you can restore from it.
  • Test your cybersecurity measures regularly: It is important to test your cybersecurity measures regularly to ensure that they are working as expected, for example by confirming a restore from backup succeeds and that MFA is enforced on every account that should have it.
  • Use a password manager: A password manager helps staff and students to create, store and use strong, unique passwords without having to remember them.
 

Dataspire is already helping hundreds of schools to meet these standards so why don’t you get in touch to find out how we can help you to protect users and data at your establishment today.