Do Schools Need a Cyber Security Policy?


As a school or other place of education, you might think that you’re relatively safe from cyber attacks. After all, why would someone attack a school? What would they get out of it? In reality, schools are considerably more at risk than you’d think due to the amount of sensitive information on their networks. So, with that in mind, do schools need a cyber security policy?

Yes, schools and colleges definitely need effective cyber security policies as they hold a considerable amount of sensitive information and are responsible for the education and safeguarding of young people. Without an effective policy, schools risk data breaches, compromised safeguarding, financial loss, closures and reputational damage.

Read on to learn more about school cyber security policies and why they are so essential.

Are School Cyber Security Policies Needed?

The Department for Education (DfE) has released a set of cyber security standards that all schools and colleges should aim to meet. One part of these standards refers to Digital Leadership and Governance Standards, within which topics such as disaster recovery and business continuity plans are discussed. Such plans invariably touch on the need for cyber security policies, which are a vital part of the people-, process- and technology-driven approaches that constitute good holistic cyber security.

Schools and colleges hold a considerable amount of sensitive information. To protect that information, good information security policies can help, firstly, to identify the presence of such data on school systems, where it is held, how it is protected and how long it is kept, being mindful of any legal obligations.

Risks of Not Implementing a School Cyber Security Policy

Not implementing a specific policy could increase the likelihood of:

  • Safeguarding issues due to sensitive personal data being compromised 
  • Impact on student outcomes 
  • A significant data breach 
  • Significant and lasting disruption, including the risk of repeated future cyber incidents and attacks, and school or college closure
  • Financial loss 
  • Reputational damage

What Should a Cyber Security Policy For Schools Include?

  • Purpose and Scope: State why the policy exists and what its purpose is. For example, the raison d’être of a cyber security policy is to protect the school from cyber-attacks and to minimise the impact of such attacks if they do occur. Scope refers to who the policy applies to, e.g., staff, students, third-party vendors, and anyone with access to the school’s network or data.
  • Roles and Responsibilities: A policy might have different meanings for different people in a school, e.g., the IT staff will clearly have more of a ‘hands-on’ role in cybersecurity policy than, say, the students/pupils. Policies should stipulate and differentiate such roles and responsibilities.
  • Data Protection and Privacy: Include guidelines for how different types of data will be handled, accessed and stored. For example, safeguarding data might be accessible only to certain staff and have higher levels of protection than other, less sensitive data.
  • Access Control: Who has access to what data/systems, and how is that access controlled via technical measures such as password policies, multi-factor authentication (MFA) and the least privilege principle? How is such access logged and monitored?
  • Acceptable Use Policy: Policies should define rules for how school-issued IT is to be used, as well as internet usage.
  • Staff Training: Policies should consider how cybersecurity awareness training for staff and students is implemented and refreshed, covering topics such as phishing, safe browsing, and data protection.
  • Incident Response Plan: Define steps to follow in the event of a cyberattack, including communication protocols, containment, and recovery processes.
  • Backup and Recovery: Ensure critical data is regularly backed up and securely stored (with copies kept off-site or in the cloud), and that regular restores are carried out to show that such backups actually work.
  • Supply Chain: Require that third-party vendors adhere to the school’s cybersecurity standards, such as Cyber Essentials, and include clauses in contracts requiring such compliance.
  • Reviews and Updates: Specify how often policies are reviewed and updated, and the consequences of any policy violations.

Get Help With Your School Cyber Security Policy From NEBRC

At NEBRC we offer comprehensive cyber security policy reviews to ensure that your policy is up to scratch and effective against the threats in your industry. The policy review includes a gap analysis and recommendations based on your current policy, risk management and your individual business circumstances. 

Learn more about our services online, or get in touch today for bespoke advice.