The rise of data breaches in our schools
In our review of the ICO Security Report, we discovered that the education and childcare sector is the second-worst offender for data breaches in the UK, accounting for almost 1 in 7 cases since 2019, making up 14 percent of data breaches since the start of the ICO’s records. The scale of the issue is rather alarming; in 2020 alone, the education sector was responsible for 884 million leaked records. Back then, it was the third-worst affected sector, and since then, the severity of the problem has only increased.
For the educational sector, data breaches have many adverse consequences. Schools may find themselves facing legal action, resulting in financial issues along with reputational losses.
One of the biggest concerns is that the loss of pupils’ sensitive data could compromise safeguarding initiatives, putting pupils at risk, or potentially leaving their families vulnerable to phishing scams and/or identity theft.
The education sector is likely to experience data breaches because these institutions handle sensitive information that other industries might not. This includes educational records, addresses, email addresses, and phone numbers.
The handling of sensitive information impacts the volume of data breaches in two ways. Firstly, the most common reason behind data breaches within the education sector was data being emailed to the wrong person. Incorrectly sent emails are common in many industries; however, in sectors that often deal with sensitive data, like education, a mis-sent email may be more likely to cause a GDPR data breach.
Secondly, hackers are more likely to target educational and childcare settings over other institutions. Other industries, such as the financial sector, also store plenty of sensitive information, which could be incredibly valuable to a cyber-criminal. However, these institutions tend to have more robust security measures to protect their data.
Since the GDPR was introduced in 2018, schools and childcare settings have increased accountability in terms of how they collect, store, handle, protect, and share data. This increased accountability, combined with a lack of experience and understanding of data protection laws, can often lead to unintentional data breaches.
How to avoid data breaches
There are a number of steps a school can take to help prevent data breaches. No one solution exists to stop all data breaches for good; instead, it’s important to take a variety of actions and consistently evaluate and update any cybersecurity measures taken, as well as maintaining up-to-date training for both pupils and staff. Here are a few effective ways you can improve your school’s cybersecurity:
Don’t lose data
- There is a lot of information about your pupils and staff on the net. Some of it they’ve provided themselves – like an email address or full name when they sign up for a social media account, for example – so they already know it’s there, but there is much more that they probably don’t even know exists. It’s important for users to keep track of where they are leaving this data.
Training, training, training
- User error, such as clicking on a suspicious link in an email or sending an email to the wrong person, is the biggest cause of data breaches. Invest time in ongoing training for your users and ensure you have suitable policies in place.
Set a Google alert in your email accounts
- While you can’t do anything to ensure that the services and websites your students use are always secure, you can be on guard to react when breaches happen, as they unavoidably will. A good way to do this is to set up a ‘data breach’ or ‘data leak’ Google alert – users will get lots of news and links on the subject, but they’ll also find out within 24 hours if any new services or websites have suffered a leak.
Secure your infrastructure
Consider a multi-layered security strategy. Such a strategy is not a single, catch-all piece of wizardry that will prevent or recover from any data breach, but rather a comprehensive plan put in place against these attacks ahead of time. These strategies can include:
- Multi-factor authentication solutions strengthen identity management, prevent identity theft, and reduce risks related to lost or stolen devices or weak passwords.
- Endpoint threat detection and response tools to automatically identify and mitigate malware, phishing, ransomware, and other malicious activities.
- Using a VPN and an anti-tracking service disables many (but not all) of the tools these websites and companies use to track you and collect your data.
- Least privilege management practices should be used to closely align access rights with roles and responsibilities, so no one has more access than they need to do their job.
Act Fast
If a data breach has occurred and vital information such as users’ passwords has been leaked, don’t panic. Instead, start making calls to administrators and IT professionals who may have a better handle on the situation. Additionally, make any necessary changes as soon as possible, such as instructing users to update passwords. Finally, ensure you report the breach (if appropriate) to the ICO within 72 hours.
One Education offers a wide range of cybersecurity products, services, and training. If you are interested in a free cybersecurity review for your school, contact us on 0844 967 1113 or email ictsupport@oneeducation.co.uk