The UK’s National Cyber Security Centre (NCSC) has released a free cyber security training package for teachers and other school staff, setting out steps to take to help mitigate cyber attacks and drawing on real-life case studies to demonstrate the impact of such incidents.
The resources are the newest addition to a widening package of support measures offered up by the NCSC as schools and universities across the UK reel from a spate of cyber attacks, which began to surge as Covid-19 lockdowns forced the education sector to transition to remote learning, and have not let up even with the return of face-to-face teaching.
Sarah Lyons, NCSC deputy director for economy and society engagement, said: “It’s absolutely vital for schools and their staff to understand their cyber risks and how to better protect themselves online. That’s why we’ve created an accessible, free training package offering practical steps on cyber security to help busy professionals boost their defences.
“By familiarising themselves with this resource, staff can help reduce the chances of children’s vital education being disrupted by cyber criminals,” she said.
Schools minister Nick Gibb added: “It is vital that schools have robust cyber security in place, and these new resources and training will help staff to increase protection from attacks.
“This training will boost support for schools, giving teachers the tools and skills they need to identify possible risks. I would strongly encourage all schools to adopt the resources and all staff to complete the training to make sure data is protected.”
The training package is designed to be accessible by any staff member, regardless of role or level of technical knowledge, and also comes as a scripted presentation. It can be accessed via the NCSC’s website, shines a light on the most dangerous threats schools face, and outlines the impact successful cyber attacks can have.
One of the case studies highlights a successful voice phishing – or vishing – attack in which cyber criminals impersonated the Department for Education (DfE) to obtain the email details of the target’s head of finance and headteacher. This information was then used to target the headteacher with a personalised phishing email that, when opened, downloaded ransomware that spread across the network, encrypting the school’s data. The ransomware gang demanded £8,000 for the decryption key.
In another example, cyber criminals targeted an independent school receptionist using phishing emails to steal the contact details of parents. The cyber criminals posed as an audit and compliance specialist. They then emailed the parents posing as the school itself, asking them to change the bank details they used to pay school fees to those of an account controlled by the gang. Details of parents were also used in identity fraud scams.
However, the incidents that affect schools are not always the work of malicious cyber criminals. In another case highlighted in the training package, a teacher left their system password written down on a post-it note, from where a pupil stole it and used it to access their laptop and other systems, and change their grades. The school was sanctioned by the Information Commissioner’s Office (ICO) for a breach of the Data Protection Act.
The package highlights four key steps school staff should take:
- To defend themselves against phishing attempts by cutting down the amount of information about them that is publicly available, for example on social media, being alert to suspicious emails, and seeking help if unsure of a request.
- To use strong passwords that differ between accounts, protected by two-factor authentication where possible.
- To secure devices, apply needed security updates, only download software from official sources, and lock screens when not in use.
- To report suspicions as soon as possible.