A governor’s guide to cybersecurity
Be cyber smart to avoid cybercrime
As a school governor, you play an important role in helping your school’s learners stay safe, both online and offline. One key aspect of online safety is to develop effective cybersecurity skills – allowing learners to recognise and minimise the risks of cybercrime. But it’s not just about individual risk. Governors must also consider the risks of a cyberattack on the school. While we might believe that many cyberattacks target businesses or individual users, increasingly schools have been targeted, particularly by ransomware attacks. A cybersecurity incident can affect the school’s ability to function and its reputation, as well as the security of any data held.
This guide will provide information and advice on how you can fulfil your responsibilities to educate all learners on cybersecurity, as well as to ensure your school is aware of the risks of cybercrime and adequately prepared for any incident.
What is cybercrime?
The term ‘cybercrime’ is often used as an umbrella term to describe 2 types of criminal activity that involve technology:
- cyber-enabled crime – traditional crimes whose scale or effectiveness can be enhanced by technology (for example child sexual exploitation, blackmail, fraud, extortion and drug smuggling)
- cyber-dependent crime – crimes that can only occur using computers, networks, and information and communication technology (ICT) (for example hacking, cyber espionage, data theft, creating and distributing malware, and distributed denial of service (DDoS) attacks)
Cybercrime that directly targets schools typically falls into the latter category. It may be activity that seeks to disrupt the functioning of the school (such as disabling the school network and systems) or infiltration of school systems to encrypt (lock down) data and hold it to ransom.
What risks exist around cybercrime?
Cybercriminal activity poses risks to all online users. A 2021 academic study by the University of Birmingham and Avast revealed that 72% of adults in Wales have been affected by cybercrime.
Many apps and services rely on user data to drive their growth and development, which makes them attractive targets for cybercriminals. In particular, social media platforms encourage users to share their information through posts, images and videos. With this information, a cybercriminal can commit fraud or identity theft, resulting in a loss of money or property for the victim.
Criminals also employ several strategies to extract data from victims, from scams such as ‘phishing’ through to the use of malware to steal data from devices and accounts or to encrypt data and hold it to ransom against users. Some cybercriminal activity also results in the destruction or deletion of data.
For young people with advanced digital skills, there is also a risk that their expertise leads them unwittingly into criminal activity through acts such as hacking websites, or the creation or distribution of malware.
For schools, cyberattacks can lead to the loss or breach of personal data (which must be reported within 72 hours to the Information Commissioner’s Office (ICO) under the Data Protection Act) and significant disruption to the functioning of the school. It can also have a negative effect on the school’s reputation.
What are the school’s responsibilities in protecting learners, staff and school systems from cybercrime?
Education
Providing regular opportunities for learners to explore issues around cybersecurity is key to helping them develop their understanding. As a governor, you should have an awareness of how the school educates learners about this area, and how these measures may change or develop in response to learners’ needs.
Promote the positive
Depending on the age of your learners, there may be young people in your school with advanced digital and technical skills that might enable them to commit cybercrime if used inappropriately. It is important to encourage those learners to use their skills responsibly and lawfully. The National Cyber Security Centre’s (NCSC) CyberFirst scheme provides information and resources on how to nurture talented young people into a cyber security background.
Refer where required
Should you discover that a child or young person in your care may be behaving in a way that could be in breach of the Computer Misuse Act, such as by engaging in hacking, computer intrusion or a DDoS attack, then as part of a safeguarding response you may need to refer them to a police Cyber Choices team. Regional organised crime units in south and north Wales are there to support you and the learner, diverting them away from criminal activity and towards positive use of their skills.
Be prepared
The governing board plays a strategic role in ensuring the school has policies and procedures in place to protect ICT systems and keep data secure. This includes compliance with the Data Protection Act 2018. The ‘Cyber security in schools: questions for governing bodies and management committees’ guidance covers the themes of information-seeking, awareness and preparedness that are key to ensuring your school is prepared for cyber incidents.
The role of the governors is strategic and should aim to challenge and support senior leaders to adequately assess and mitigate cyber risks. Governors should ensure that cyber and information security policies and procedures are in place at the school. This would include policies such as document retention, cybersecurity, backup and business continuity, as well as incident management and response procedures.
Governors are able to take advantage of the phishing training module available on Hwb.
Where can I get help and support?
Concerns about a learner’s safety or wellbeing online should always be reported in line with your school’s safeguarding procedures. The designated safeguarding person (DSP) will then seek external support when required.
Governors requiring support with any online safety issues concerning learners, themselves or their organisation can contact the Professionals Online Safety Helpline for more advice and suggested courses of action for managing online incidents.
The following resources provide further information and support for understanding cybersecurity.
- The National Cyber Security Centre (NCSC) has produced a number of practical tips to help school staff understand cybersecurity.
- For a range of resources, including learning and teaching resources and training about cybercrime, please visit the ‘Keeping safe online’ area on Hwb.