Cyber security for Academy Trusts
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks.
These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users via ransomware; or interrupting normal school processes.
Trusts are becoming increasingly reliant on digital technology for a range of functions, which leaves them vulnerable to cyber-attacks.
Is my Academy Trust vulnerable to a cyber attack?
With cyber-attacks continually on the rise, Trusts must be aware of the risk of cybercrime and put in place proportionate controls to mitigate the risk. They must also take appropriate action where a cyber security incident has occurred (ATH 6.14). The handbook also states that Trusts should take appropriate action to meet the DfE’s cyber security standards.
The Department for Science, Innovation & Technology published a report in 2023 which found, alarmingly, that education institutions are more likely to have identified cyber security breaches or attacks in the last 12 months than the average UK business.
The report identifies that 1 in 3 secondary schools and 1 in 10 primary schools had experienced a cyber-crime in the preceding 12 months.
You can read further detail here.
In a BBC news article in June 2024, a school was described as facing a critical incident after suffering a cyber-attack that potentially released names, addresses and medical notes of children at the school. The school was required to close while it worked to regain access to its IT systems.
What can Trusts do to avoid cyber-crime?
The Department for Education (DfE) has helpfully provided guidance on how Trusts can address the risk of cyber-attacks as follows:
- Conduct a cyber risk assessment annually and review every term
- Create a cyber awareness plan for students and staff. Having an acceptable use policy and training in place will help to provide the foundations for a good cyber awareness plan
- Secure digital technology and data with antimalware and a firewall
- Control and secure user accounts and access privileges
- Keep all digital licences up to date
- Develop and implement a backup plan and review this every year
- Report cyber attacks
Will our insurance cover a cyber-attack?
A large proportion of Trusts take advantage of the RPA insurance scheme. Under this scheme there are 4 conditions which a Trust must meet before a claim will be considered:
- Have offline backups
- Make sure all employees or Governors who have access to the school’s information technology system undertake NCSC Cyber Security Training
- Register with Police CyberAlarm
- Have a Cyber Response Plan in place
Trusts under the RPA should consider how they would evidence the criteria above should a claim be necessary.
For Trusts that are not under the RPA scheme, a review of your insurance policy should identify any cover and conditions necessary for a claim.
Cyber-attacks are more common in the education sector than in the average UK business. Trusts should look at their mitigation strategies for this risk as well as understand the conditions and limitations of any insurance cover.