Cyber security in schools: questions for governing bodies and management committees

What is cyber security and why it matters to schools?

Schools rely heavily on IT and online services to function. They also hold large amounts of sensitive personal data on learners, parents and carers and education practitioners. All this needs to be kept safe and secure.

Cyber security’s main purpose is to ensure the devices we use, and the services we access are protected from the risk posed by a cyber security incident that could result in theft or damage It is also about preventing unauthorised access to the vast amounts of personal data we store on these devices, servers and in online accounts.

A cyber security incident can affect the school’s ability to function, the security of its data and its reputation. Both the school leaders and the governing body will want to ensure they are aware of cyber risks and adequately prepared in the event of a cyber-incident. Schools will already be following similar approaches when it comes to managing risks and responsibilities around GDPR and learner safeguarding more generally

Roles and responsibilities

The role of governing management committees is strategic and should be focused on ensuring that schools have IT policies and procedures in place that cover the use of ICT systems and data security, including compliance with the General Data Protection Regulations (GDPR).

8 questions for governors and school leaders, to start the cyber security conversation

These questions are not intended as a checklist. They have been written to start the cyber security conversation between the governing body and school leaders, with the governing body taking the lead.

The questions are set out across three themes: to seek out information, raise awareness, and improve preparedness in case of an incident.

Theme A: Information seeking

Factual questions for the governing body to give the school a good understanding of their IT services:

Does the school have a list of the different organisations that provide its IT services?

For a school to keep its data and systems safe, it should know who its main education technology partners are. This list might include who provides the school’s internet connection or who runs the school’s website. It might also cover IT support contracts from a Local Authority or a Managed Service Provider.

Does the school leader know who manages or coordinates the IT within the school?

Depending on the school, this may be a member of teaching staff, or a separate education technology partner such as their local authority.?It’s important that school leaders know who/what this is, and that this person/team/company follows key cyber security practices as outlined in the NCSC’s guidance 10 Steps to Cyber Security. 

Has the school identified the most critical parts of the school’s digital and technology services and sought assurance about their security?

Some IT services are critical to the day-to-day running of the school - these are the ones that will need securing the most. Think of them like the school’s “crown jewels”. For example, the school’s Management Information System (MIS) will contain learners’ medical records, safeguarding information and parents and carers contact information. Without access to this information (or hard copy backup), schools would find it difficult to remain operational if their IT systems went down in any way. The IT services in your school could be managed internally, in conjunction with an education technology partner or a mixture of both.

Does the school have a proper backup and restoration plan in place? ?

If a school loses access to its critical data, the effects can be softened by having a proper backup and restoration plan in place. Backups of important data can help when there are cyber incidents but also with other disaster scenarios like fire, floods, physical damage or theft of devices.

Theme B: Awareness

The degree to which both users and the governing body understand the importance of cyber security and their role in it:

Do the school’s governance and IT policies reflect the importance of good cyber security?

Does the school train staff on the common cyber security threats and incidents that schools experience?

Good cyber security is dependent on people. Education practitioners can alert schools to potential problems like spotting phishing emails or phone calls, or noticing when a service is running particularly slowly, which could be a sign of a cyber-attack.

This cyber security training module produced by the National Cyber Security Centre (NCSC) is designed to support school staff to help improve their school's cyber resilience.

Phishing is a common method of cyber-attack, this training module will help education practitioners understand phishing and how to protect themselves and their school.

There are other training resources like the NCSC’s Practical Tips guide which be downloaded from the Hwb .

Theme C: Preparedness

Being prepared for the potential impact of a cyber-security incident is crucial in helping schools minimise disruption should an incident occur:

If the school temporarily lost access to its data and/or internet connection would the school still be able to operate?

All types of schools can experience a cyber-incident. A cyber incident could result in a school’s network being unavailable for an unknown period of time, with limited or no access to important data and services. The importance of access to the MIS has been covered earlier in theme A, but there are other services like: telephones, access control systems, cashless payment systems. These will impact on the school’s operation if they are unavailable.

Does the school know who to contact if it becomes a victim of a cyber-incident?

A school’s business continuity plan should list its key IT support partners education technology partners, as well as those that may be responsible for the management of IT within the school. It is very important that up-to-date contact information sits alongside this.