
Preventing Data Breaches in Schools: Why Vulnerability Assessments are Critical

Updated: Jun 19, 2023

Cyber-attacks against schools continue to be a concern across the Eastern region.


The reasons for this are fairly simple:

  • Schools possess large quantities of high-value, sensitive data that they may have to pay to get back.

  • Schools’ networks and processes offer a lot of vulnerabilities, through either underinvestment or weaknesses in their underlying processes. In many cases these vulnerabilities are caused by the necessity of having so many people and devices attached to the network.

The National Cyber Security Centre has issued several alerts regarding ransomware attacks in the education sector over the past few years, and more are anticipated in the coming year.


Over the past few years, thousands of schools have fallen victim to attacks, resulting in long-term repercussions for the affected organizations, including staff, students, and parents. While the increase in attacks can be partly attributed to the pandemic and the rise of remote learning, the risk to schools will persist until they are equipped with the necessary tools to combat these threats. And these attacks are happening right now in our region. In the summer of 2021, a ransomware attack against schools in Kent actually caused several of them to close for several days whilst the data breach was resolved.

What is a Vulnerability Assessment?

A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed.


Here at the ECRC, we offer affordable Cyber Security and Resilience Services through our free core membership, including three types of vulnerability assessments:

  • Web Application Vulnerability Assessment – This service assesses your website and web services for weaknesses. The service reporting will describe, in plain language, what each weakness means to your business and the risks associated with each. Service reporting will include plans and guidance on how to fix those weaknesses.

  • Remote Vulnerability Assessment – Remote vulnerability assessments are focussed on identifying weaknesses in the way your organisation connects to the internet. Service reporting will provide a plain language interpretation of the results and how any vulnerabilities might be used by an attacker, as well as simple instructions on how any vulnerabilities might be fixed.

  • Internal Vulnerability Assessment – The service will scan and review your internal networks and systems looking for weaknesses such as poorly maintained or designed systems, insecure Wi-Fi networks, insecure access controls, or opportunities to access and steal sensitive data.

By regularly carrying out vulnerability assessments, you are ensuring no virtual back door is left open for a hacker to sneak through.


What’s next?

The impact of a successful attack against your network can be catastrophic and lead to a full-blown system breach, loss of data and a permanent loss of reputation. But all is not lost.


Here at the centre, there are three things that we would recommend for you to consider:

  • Join our community as one of our growing number of free core members. You will be supported through implementing the changes you need to make to protect your organisation. Core members receive regular updates which include the latest guidance, news, and security updates. Plus, you will get access to our brilliant Cyber Security and Resilience services.

  • Contact us to arrange a meeting to discuss providing a Vulnerability Assessment for your company.

  • For all businesses across the Eastern region, we would recommend that you look at improving your overall cyber resilience and work towards achieving Cyber Essentials accreditation – the basic government-backed kite mark standard for cyber security. Remember, a company operating under Cyber Essentials processes is 99% protected either fully or partially from today’s common cyber-attacks. Our free Little Steps course can help you understand what you need to do.

We are already working closely with hundreds of organisations across the seven counties to help them tackle the continually changing cyber threats that they face. So come and join our community as free members and let us help you protect your organisations from the ever-present threats out there in the cyber-verse.


Reporting a live cyber-attack 24/7

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.


Reporting a cyber-attack which isn't ongoing

Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.


Policing led - business focused





The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.
