What's all the fuss about data protection in schools?

Andrew Williams, Information Security and Online Safety Consultant for SWGfL (South West Grid for Learning, partner in the UK Safer Internet Centre (SIC)), shares some perspectives on data protection in schools.

Date 2017-06-29 Author UK Safer Internet Centre

In tackling cyber-risk, resilience is a key word.

Many of you may recall the recent WannaCry attack which affected many organisations across the globe, including the National Health Service (NHS) in the UK. And while the NHS recovered, services were seriously impacted for a period. Imagine if this happened to your school.

Data is at the centre of our world: we rely on technology and internet connections to deliver services and information. If something goes wrong, how long will it take you to resolve the issue?

What are the threats?

Broadly speaking, threats fall under one of these categories:

  • Non-malicious – user error, carelessness or poor training.
  • Malicious – a wide range of threats… fraud, sabotage, cyber-crime, phishing, and so on.
  • Natural threats – earthquakes, floods, fire, and so on.
  • Man-made threats – civil disorder, wars, terrorist attacks.
  • Technology-specific vulnerabilities – software, hardware, networking equipment.

In the case of the WannaCry attack, the software (Windows XP) had a security "flaw" (vulnerability) which the attack exploited to gain access to the system and encrypt users' data.

General Data Protection Regulation (GDPR)

By May 2018 the UK (and the rest of the EU) will have stricter new data protection regulations which will apply to schools, so it's vital that schools have robust data protection procedures in place.

What can I do about it?

All schools have a variety of technology, policies, infrastructure and contractual relationships to help secure their data. You may have disaster recovery plans, but these can overlook your data and may never have been tested. If your system goes down and you discover a problem with your back-up, you have no way of accessing your school's core information. That's a big deal.

However, there are some things everyone can do to improve data protection.

  • Training
    A 2016 report by SWGfL and Plymouth University showed that schools recorded staff training as a consistently weak area of online safety. Your staff have access to some of the most sensitive data about children and need regular training to reinforce the importance of good data protection procedures.
  • Auditing
    Make sure you know where your data is stored. Ask your staff if they know. If you know what data goes where, then you can begin to control the threats.
  • A clear data protection policy
    Staff need to know what their obligations are and how to perform them. This can be invaluable in securely protecting your data. Ask yourself these questions:
    • Do we have a data protection policy?
    • When was it last reviewed?
    • Have all staff been trained on it?
    • Have all staff read it?
  • Involve your governors
    Governors can be a great source of support and expertise. Not only that, but as part of the senior leadership team, they too have a responsibility for school data.
  • Technological solutions
    Things like passwords, anti-virus/malware protection, monitoring of hacking attempts, asset management and encryption are vital.
    Make sure you have a good technology partner that is supportive and responsive. If you don't, perhaps you need to rethink how much budget goes towards this.
  • Get back-up
    The importance of a carefully considered back-up routine cannot be over-emphasised.
  • Incident management
    Developing an incident management plan and a response process can avoid a lot of stress and headaches. Make sure this includes data loss scenarios.
  • Cyber-risk insurance
    Check that your cyber-risk insurance policy works for you and provides sufficient cover to meet your requirements. Using a large, reputable firm is a good idea.

Moving on

It's only really possible to scratch the surface of a topic as broad and complicated as data protection here.

Developing an action plan is a good first step towards protecting your school from a costly cyber-attack. To help, SWGfL has developed 360Data - a new tool to help schools and SMEs review their data protection and information security.

Find out more about the work of the UK Safer Internet Centre, including its awareness raising, helpline, hotline and youth participation services.

Alternatively, find the contact details for your national Safer Internet Centre here.
