Bursar’s Review Summer 2019.

IT The sophistication of cyber-attacks will only continue to increase. Summer 2019 www.theisba.org.uk 14 Whilst safeguarding is a well-established function of school governance, the notion of a specific role in cyber security is relatively new. One school governor stated that 15 years ago, schools underestimated the potential impact of social media and were slow to equip themselves to use it. The same can now be said for the way schools are responding to cybercrime and, for governors who are aware of the risks it poses, not prioritising highly enough is a big concern. School bursars are often given the task of procuring cyber security systems, however, without specialist knowledge or enough time to dedicate to investigating the market, it can easily be given lower priority. One potential reason for the vulnerability of the sector to cyber threats is the lack of ready access to the skills and expertise – either in house or within easy reach – needed to provide a robust and watertight cyber security system. Yet, the problem will not go away; with independent schools likely to remain high on the list of targets for cyber criminals. It is critical, therefore, that the vulnerability is acknowledged, future responsibility is clearly appointed and appropriate resources are provided. Proactivity should be at the heart of a truly effective cyber resilience strategy. Facing the facts What, then, are the major cyber security risks independent schools should be planning for, and what are the consequences? Phishing attacks are the most common, where hackers break into a school’s IT system and, for example, contact parents with false payment details when fees are due. Unsuspecting parents duly accept the new information, with the hackers quick to close down accounts once any payments have been made. Ransomware is another popular tactic. Here, hackers gain access to sensitive data – such as pupil records, parents’ financial information, or even CCTV footage – and demand huge sums of money to relinquish the data, often with no guarantee of return once payments have been made. Alternatively, they can take over individual devices or entire networks and only relinquish control once a ‘ransom’ has been paid. Other threats include the permanent deletion of digital files , ranging from educational resources through to the aforementioned sensitive data. Any of these occurrences can easily result in significant – and long-term – reputational damage for a school, not to mention the potential loss of income if worried parents decide to move children elsewhere. Staying one step ahead What steps can schools put in place to protect against cyber criminals? First and foremost, staff should be trained in basic cyber security principals to ensure they understand why certain protocols must be undertaken when it comes to data protection, and how to spot potential breaches. Either a cyber security governor, or a senior member of staff should also be appointed to ensure best practice is maintained going forward, with a clear reporting process identified to flag any concerns or potential breaches. Protection software should be regularly updated, and installed on all operating devices. Be sure to update all devices when prompted, and regularly check for operating system upgrades. Wi- Fi networks should also be made secure, and adequate firewalls used for all internet connections. Passwords should be regularly changed. Most importantly, ensure your school has a dedicated cyber liability insurance policy. While the introduction of GDPR promises much stricter penalties for inadequate security, and many schools’ data security has improved as a result, it is by no means impregnable. As such, the value of a strong cyber insurance policy will continue to grow. Worryingly, initial research undertaken by Endsleigh has revealed that just a quarter of all independent schools contacted were covered by cyber liability insurance. Not only does a policy typically cover loss of income related to a cyber-attack, but it can also cover the cost of third- party experts should they be required, such as a forensic investigator or ransom negotiator. As such, it should be a fundamental part of a proactive cyber resilience strategy. Final thoughts Ultimately, the cyber threats facing independent schools are only set to increase. Criminals are acutely aware of both the sector’s collective vulnerability and the potential assets they can capitalise on. While schools are waking up to the threat, it is not yet happening at the pace needed to get ahead of the perpetrators. Appointing a dedicated official for cyber security, be it at a senior management or even governor level, can kick-start an effective cyber resilience programme. However, any short or long-term strategy should be underpinned by a comprehensive cyber liability insurance policy. To quickly assess your school’s vulnerability to a cyber-attack, visit Endlseigh’s cyber risk exposure calculator: www.endsleigheducation.co.uk/cyber-risk-calculator ■ 61 percent of independent schools have had a cyber-attack in the past five years ■ However, less than 40 percent feel they are vulnerable to an attack ■ Only 38 percent monitor their cyber security on at least a monthly basis