Education News: Robust email security: a ‘must’ for UK schools.

By Niall Mackey, Commercial Director of Topsec 

It would be easy to assume that education institutions are immune to cybercrime, with their lack of obvious commercial focus. But in fact, these organisations rely on precious and often sensitive data, which as we’ve come to learn, is gold.

survey done in 2022 by the National Cyber Security Centre (NCSC) of 805 UK educational organisations, showed that 78% had experienced at least one type of the cyber incidents listed with 7% resulting in significant disruption. An eye-watering statistic, no doubt, and six schools reported that they were aware of a parent losing money due to a cyber incident. In 2019, there had been no such claim.

The UK government’s cyber security breaches survey 2023 revealed that phishing remains the most common form of cyber attack on the education sector right now. Fraudsters send malicious links, generally via emails that are designed to look like they originate from trusted sources. This type of social engineering has proven time and again to be successful, with human fallibility as the weakest link.

It’s estimated that 3.4 billion phishing emails are sent out per day by criminals. This is over a trillion phishing emails a year. Human population on earth is around 8 billion, with 4.26 billion email users. That could be called a bombardment.

The findings revealed that 84% of primary schools, 86% of secondary schools, 92% of further education colleges, and 100% of higher education establishments, had experienced a phishing attack during the previous 12 months. And only 53% of schools feel they’re prepared for a cyber-attack.

Not all is doom and gloom however. In 2019, only 49% of schools felt they were ready for an attack and awareness of phishing in schools has increased from 69% to 73%. Staff training of non-IT employees has increased from 35% to 55%. The audit also found that all schools surveyed now use firewall protection, and 99% use antivirus protection.

Of concern was that of the 428 schools that feel prepared for an attack, 10 don’t know if they have data backup in place, and 19 don’t protect important accounts with multi-factor authentication.

Stop it before it gets there.

But attacks using email as the conduit are on the increase across all sectors and are still proving successful. The biggest issue is that us humans fall foul of social engineering. The sophistication of these criminals is improving and the use of AI is helping them along. We’re no longer laughingly exposed to poorly-phrased emails from dead presidents’ wives with a stash of cash to hand over. Often, phishing emails now come from our superiors, allegedly, requesting access to systems or data itself. Except they don’t really. But every indication is that they do. And who ignores a request from the boss? It’s becoming increasingly difficult not to be gullible. This exposes organisations, particularly resource-strapped education organisations, to significant risks including data breaches and loss of sensitive information, from medical records and exam results to payroll data, names and contact details of staff and students.

Email is undeniably the biggest conundrum for organisations.

On one hand, it’s the most effective business tool, on the other, it poses the greatest risk. The only way to curtail email cybercrime is to proactively check emails before they enter the organisation’s domain. The less they’re able to reach a user, the less chance there is of causing damage and destruction.

How to put robust protection in place.

Here are a few points to consider when securing an educational institution.

Multi-factor authentication: this type of login process requires more than one form of identification. For example, you might have a username and password. When that’s entered, you may receive a time-limited security token, like a one-time-pin (OTP), via text or email. There may be other factors that are taken into account, like location of login attempt, time, or biometrics. This means that if criminals get through one layer of security, there are more obstacles in their attempts to access data or systems.

Email compliance: Google and Yahoo have taken big steps in the world of email security. They have implemented DMARC rules to clean up inboxes. Additional email compliance policies include SPF and DKIM. As many parents would have a gmail email account, taking the precautions to keep their email safe is a smart move.

Email gateways: this is a security checkpoint for email entering and exiting an organisation and monitors for potential threats and stops them in their tracks before reaching a recipient.

Backup and recovery plans: schools are all familiar with fire drills, there’s a plan in place and drills are done regularly to ensure a calm, organised, and safe exit ensues. A cyber attack should be treated no differently. What would you do if all your IT systems were suddenly unavailable because of a ransomware attack? Do you have a plan, and a plan that would be accessible in the case of an attack? Is your data backed up, and more importantly, would you know how to access those backups? Are those backups encrypted and stored safely offsite or in the cloud? There is guidance from the DfE and the NCSC for these concerns that is available for educational institutions.

Staff education: this is a key part of securing any organisation’s technology assets. We’re all gullible when it comes to cybercrime, and we all need to be constantly refreshed on the newest tactics and threats. The better prepared we are, the more chance there is of keeping ourselves and our organisations safe. Anybody who accesses the internet in any form, is a target.

Sadly schools are no less likely to become victims to bad actors, and with limited resources and funds, they’re seen as easy pickings. A multipronged approach is crucial if we wish to stay ahead of criminals: technology systems and processes, as well as planning and education. A culture of awareness and forethought within every staff member will make the difference.


Author bio: Niall Mackey is the  Commercial Director of Topsec. His team excels in enhancing email security for firms, safeguarding sensitive data against cyber threats.

Previous post Changes to school year ‘should never have been a priority’ says NAHT
Next post Cwmfelin Primary School’s community food scheme grows from strength to strength