The second quarter of 2024 saw a reported 2,507 attempted cyberattacks per week on the education sector, making it the third most frequently targeted industry during that time.

This is a sector that is suffering at the hands of attackers, with data showing that 52 percent of primary schools, and 71 percent of secondary schools, identifying a breach or attack in the past year. In that government survey, there was positive news that the educational institutions in its sample typically reported a higher level of senior engagement with cybersecurity than the average UK business.

The survey found that cybersecurity was a high priority for their governors or senior management at 98 percent of primary schools, and 96 percent of secondary schools, and the majority of education institutions updated their governors or senior management on cyber security at least quarterly.

Any Solution?

After we looked at the case of repeated attacks on schools last month, it led me to consider if there is a solution in the role of the governor being the cyber leader for these under-prepared schools? 

I spoke with Andy Nisbet Friel, corporate partnerships officer at Governors for Schools, said the purpose of the organisation is to work with employers and help them realise the benefits of engaging their staff to become school governors.

“For example, a couple of years ago, we launched a STEM governor program, the concept of which was that you have this core responsibility of the school governor, but with a laser focus on stem education, and helping schools develop effective STEM engagement strategies, and then tie it with their employers to deliver bespoke STEM outreach activities,” he said.

Nisbet Friel explains that the Department for Education made some changes to its cybersecurity standards earlier this year, which were not obligations “but standards that they are expected to adhere to,” this led to the development of the Cyber Governor programme, where governors would be appointed “but with an added emphasis on working with the school leadership to develop an effective cybersecurity strategy.”

Good Response

Nisbet Friel says so far there has been a good response from the cybersecurity sector in particular, highlighting the unique concept of what is being offered here. Therefore it is looking for partners and funders to help it achieve its needs.

The role of the governor is essentially hands off from day-to-day work, and operate on three pillars: they set the strategic direction of the school, they are responsible for overseeing financial management, and hold the headteacher to account. He also said there is a presumption that governors have to be a parent, or older and possibly in retirement - Nisbet Friel says there are more governors over 80 than there are under 30.

I asked if the concept here is to try attract more people who have cybersecurity experience and knowledge to participate? Nisbet Friel agreed, saying there is a need for around 4000 new governors, and there is a need for people from all skillsets to apply, and if they are more specific too.

“We want to engage with industry as if we get a few volunteers coming through, it can be a bit of a drop in the ocean,” he says. “It’s with the outward support comes from across the country that you really start to create encouragement.” 

 =======================

The Governors

SC UK spoke with two people who have stepped into governor roles: Simon Holden, founder and CEO of CyBur, and Simon Newman, former CEO of the Cyber Resilience Center. Asked what can be expected from a school governor, and what can they give back to the school, both said a school governor is there to provide oversight, strategic direction and ensure financial best practice, and while they do not get involved in the day to day running of the school, they are expected to challenge head teachers on aspects such as the performance and progress against national targets. 

Holden said: “They are best placed to help advise on where to look or things to consider due to their experience outside of education,” while Newman commented that “governors bring a wealth of experience and expertise from their own backgrounds which provides a different perspective.”

Spread Too Thin?

What about being a governor of more than school, for example, or where they asked to contribute to more than one in an area? Holden says from experience, it is a pretty time-consuming role if you take on more than one organisation, so people need to be realistic with the time they can offer.

Also Newman says governors don't have to be specialists, and while there are many governors who are what we might describe as generalists who take an active interest in many different parts of the school, in most governing bodies, governors are expected to lead on a specific area.

Solve the Challenge

Finally, after we looked at the problems of schools being targeted, is this is a way to better solve that challenge? Holden doesn’t believe it will resolve the level of attacks, but it will provide knowledge on the board which can then permeate through the school in the delivery of cyber strategy.

“I would also stress that these are volunteer roles and anyone considering applying should be going in with their eyes open: there may be times the school needs extra support on issues above the termly meetings and will require input,” Holden says.

“In terms of the person who should consider applying for a governor/trustee role, I would suggest they need to have had some experience at senior decision making levels, and most certainly, understand how business’s work, and the role of strategy in enabling.”

Extra pairs of hands in these vulnerable establishments are not going to resolve the problem, but could offer better levels of response and bring necessary experience on board to allow for better recovery. If the right people are involved, it could be a great assist for those in need.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.