Wavenet Education

DfE Cyber Security Standards

Implement robust cyber security, user accounts and data protection for your school or college.


Protect students and staff while fulfilling DfE Cyber Security Standards with Wavenet

In January 2024, the Department for Education (DfE) updated their guidance on digital and technology standards for schools and colleges. These guidelines included the minimum requirements for cyber security, user accounts and data protection. When cyber security incidents occur, they can impact the day-to-day running of schools and colleges, lead to sensitive data loss and even cause reputational damage. The DfE’s Cyber Security Standards aim to protect your school or college from threats and ensure you’re prepared, should a cyber security incident occur.

Wavenet has been a leading education technology specialist for over 30 years. We are passionate about implementing digital strategies, tailored to individual school requirements, that promote a safe, engaging learning environment. With our range of robust cyber security solutions, we can help you achieve the DfE standards.

Find out how we can assist you in leveraging technology both to meet the DfE digital standards and to drive positive learning outcomes for your students. Contact us today on 0333 234 0011 or use the form opposite:

Find out how we can help streamline every aspect of your ICT environment

The DfE has set out 12 key Cyber Security Standards that your school or college needs to meet.

All these standards should be met as soon as possible, and you should already be meeting those in relation to Data Protection Regulations.

1. Protect all devices on every network with a properly configured boundary or software firewall

A properly configured boundary or software firewall protecting every device is vital for preventing cyber-attacks, and it makes scanning for suitable hacking targets much harder too. It is important to ensure that all firewall firmware is up to date and that monitoring logs are checked regularly, as they can help detect suspicious activity.

2. Protect accounts with access to personal or sensitive operational data by using multi-factor authentication

Multi-factor authentication only allows access to a service when you present 2 or more different forms of authentication. It reduces the possibility of an attacker compromising an account. This is especially important if an account has access to sensitive or personal data.

3. Conduct a Data Protection Impact Assessment for the personal data you hold, as required by GDPR

The protection of sensitive and personal data is vital to the safety of students and staff, the reputation of your school or college and to avoid the legal liabilities that security breaches expose schools and colleges to. Limit access by specific content area and don’t use blanket permissions.

4. Network devices should be known and recorded with security features enabled, correctly configured and kept up to date

Security systems are sometimes disabled to make marginal improvements to user experience. This is an unjustifiable risk in most circumstances as attackers scan for and exploit devices where security features are not enabled. Attackers who gain access to a network device can exploit an entire system very easily, so this should be prevented. Keeping a record of network devices (routers, switches, access points, servers) will help your school or college ensure networks are up to date and speed up recovery times.

5. Accounts should only have access to what is required to perform their role and should be authenticated to access data and services

Successful cyber-attacks target user accounts with the widest access and highest privileges on a network. By limiting the numbers and access of network and global administrative accounts, you prevent and limit successful cyber-attacks. It is important to have a user account creation, approval, and removal process as part of your school or college’s joining and leaving protocols. All unused accounts, whether from people who have left their employment, or ones that haven’t been used in a prolonged period, should be removed or disabled. Each user should be authenticated with unique credentials before they are given access to devices or services.

6. Use anti-malware software to protect all devices in your network, including cloud-based networks

Up-to-date anti-malware and anti-virus software reduces the risk of many forms of cyber-attack. Some applications protect against both viruses and general malware, some against only one. You need to protect against both.

Effective anti-malware software should be set up to scan files upon access (when downloaded, opened, or accessed via a network folder), to scan web pages as they are accessed, and to prevent access to potentially malicious websites unless that access has been risk-assessed, authorised, and documented for a specific business requirement. Do not run applications or access data that has been identified as malware.

7. Administrators should check the security of all applications downloaded onto a network

Some applications may contain unintentional security flaws or introduce malware onto a network, making it simpler for hackers to carry out an attack. Applications should not be downloaded by users; they should always be examined first. Best practice is to maintain a current list of approved applications. Any application with an invalid or missing digital signature should not be installed or used.

8. All online devices and software must be licensed for use and should be patched with the latest security updates

Hackers try to identify and exploit the vulnerability that each new security update addresses. They try to do this before users can update their systems. In the last year, several attacks on education establishments have taken advantage of this. All devices and software should be currently licensed, supported and set up to meet technical requirements.

9. Serious cyber-attacks should be reported

Cyber-attacks are crimes against a school that need to be investigated, so perpetrators can be found, and countermeasures identified. A cyber-attack is defined as an intentional and unauthorised attempt to access or compromise data, hardware or software on a computer network or system and could be made by a person outside or inside the school.

You should report any suspicious cyber incident to Action Fraud on 0300 123 2040 or via the Action Fraud website. Police investigations may find out if any compromised data has been published or sold and identify the perpetrator.

10. Have at least 3 backup copies of important data, on at least 2 separate devices, at least 1 must be off site

A backup is an additional copy of data, held at a different location, in case the original data is lost or damaged. This is essential for timely disaster recovery: if all copies are held in the same location, they would all be at risk. The safest way to achieve this is to have a pattern of backing up data on a rolling schedule. How often you need to create backups depends on how often the data changes and how difficult the information would be to replace if backups failed. You should have at least 3 backup copies on at least 2 separate devices. At least 1 of these copies should be off-site.

11. Business continuity and disaster recovery plans should include a regularly tested contingency plan in response to a cyber-attack

Being unprepared for a cyber-attack can lead to poor decisions, slow recovery, and expensive mistakes. A good response plan made ahead of time will speed up your response, reducing the material, reputational and safeguarding damage that ransomware attacks can cause. All schools and colleges must have a contingency plan for the loss of some or all IT systems included in their business continuity and disaster recovery plan. This is required by the Schools Financial Value Standard.

12. Train all staff with access to your IT networks in the basics of cyber security

The most common forms of cyber-attack rely on the mistakes of staff members to be successful. Attacks can be stopped by avoiding these mistakes. Basic cyber security knowledge amongst staff and governors is vital in promoting a more risk-aware school culture. Staff who require access to your IT network should take basic cyber security training every year. This training should be part of the induction for all new staff as well, focusing on phishing, password security, social engineering, and the dangers of removable storage media.

Wavenet’s Key Recommendations

Here at Wavenet, we can assess your school’s cyber resilience, prioritise critical risks, back up your data, provide assurance and achieve network security. Tailoring our solutions to your school or college’s individual needs, we can ensure that your cyber security meets both the DfE standards and the demands of your education environment.


Contact us to find out how Wavenet can help you meet the DfE Cyber Security Standards and leverage technology to drive the success of your school.

Our partners

LGfL, Netsweeper, Microsoft, Google, Promethean, SMART, Inventry, Extreme