Over the past few months, it seems that there has been a surge in the number of cyber-attacks on schools. 

We’ve covered reports of schools in Essex, Kent and London all being impacted, with stories varying from pupils being told to stay away until the attack is contained and services are brought back online. It seems that this is a fairly recent series of events, and people with expertise in the sector were quick to offer their opinion on why this is happening. 

Looking at the 2024 cybersecurity breaches survey, and the numbers are clear: 52 percent of primary schools, and 71 percent of secondary schools, identified a breach or attack in the past year, and awareness of the likes of 10 Steps to Cybersecurity and Cyber Essentials is low.

Sweet Spot for Attackers

So why are we seeing so many attacks at this time? One person who chose to speak anonymously, and previously acted as a chief operating officer for two independent schools, said the time of year was apparent, as it is the start of the term and “this is a sweet spot for a lot of financial movement.”

This is a period where bills and fees are paid, and contracts for the upcoming year are agreed. As attackers follow the money and use social engineering tactics to distract busy administrators.

Consistent Problems

Many of the conversations SC UK had around this trend pointed to a lack of budget, knowledge, and of in-house IT teams for the consistent problems.

The primary reasons that schools are repeated victims of cyber-attacks, were summarised by Heimdal Security as the following points:

• Small budgets that determine usage of legacy software and devices

• Low support for employing highly trained personnel

• Large attack surface due to extended infrastructure and intensive online exposure

• Public institutions manage huge sensitive information databases that they don’t also have the expertise or means to protect from advanced threats

• Hackers count on blocking critical public services to obtain profit from their extortion and ransomware activities

Considering these factors, it shouldn’t be a surprise that these attacks have become so prevalent. According to research by Jumpsec, education is the fourth most targeted sector for ransomware this year - behind manufacturing, healthcare and finance. All sectors with money, personally identifiable information and intellectual property - so what makes a school stand out?

One of the main factors from the conversations SC UK had about the successful hits on schools is a lack of budget and personnel to deal with the incidents.

Lisa Ventura, founder of Cybersecurity Unity said from a recent conversation with a teacher, she found out they have little to no budget to get tools/defences in place to detect cyber-attacks; they don’t have a dedicated IT team at the school and sometimes they have to defer to the local authority; and they don’t have any training for staff on how to be more cyber aware and spot potential cyber-attacks, and often the children are more knowledgeable about IT than the staff!

“This is where I offered to go to the school and do a talk/workshop for staff free of charge as it is very local to me and a way for me to pay it forward,” Ventura said. “This was the biggest one for me, she said they still use Windows XP and have very outdated systems.”

John Moss, head of cyber assurance at Redcentric, said his first IT job was working in a school, where he did have a budget and his school managed IT for a number of primary schools too, while other schools had Local Education Authorities (LEA) managing their budgets.

“Unfortunately, the attacks are likely to be a symptom of both a limited budget and it just not being a priority,” Moss said. “If a network manager came to me today and asked what they should do? I would suggest they look to align their school(s) with Cyber Essentials which requires implementation of many controls that are known to reduce the likelihood of a successful attack (i.e MFA, timely patching, user controls, etc).

“If having done that they still have time/budget available, I would suggest both looking at disaster recovery processes (i.e can you reimage all machines from offline backups) and looking at their external attack surface in respect to regular vulnerability scanning.”

Budget Cuts Hit Hard

As well as a lack of direct budget to spend on IT and cyber tools, there is the overall budget question - in schools budgets are also divided and priority is in keeping the lights on, staff and teachers paid, pupils fed and with materials such as text books and stationery - so cybersecurity spending is further down the food chain.

Simon Newman, co-founder of Cyber London and chair of Governors for two schools, said “budget cuts have hit really hard” and this had left schools and LEAs “incredibly vulnerable.”

He said: “Where all schools are particularly vulnerable is in relation to the technology they have to use. There are very few checks (lack of process, experience and knowledge) about the security of such devices or online portals. You also get the odd student who tries their hand at hacking and causes problems.”

Finding a Solution

It’s very clear where the problems are, so where are the solutions? SC UK reached out to a number of government agencies, and a spokesperson for the Department for Education, said: “We provide a range of support for schools who are victims of cybercrime, including a dedicated team who are on hand to provide advice in response to incident reports from the sector.

“Our new cybersecurity standards provide guidance on how schools and colleges can improve and maintain their cyber resilience, helping them to minimise the risk of a breach."

Also, a spokesperson for the Information Commissioner’s Office said it is “crucial that schools contain and minimise any damage to their networks in the event of a cyber-attack.”

They said: “Attacks often increase at the start of the new academic year and all schools should be actively monitoring their systems for suspicious activity and ensuring staff have suitable training.

“It is of critical importance during a cyber incident to continue to protect unaffected systems and information and prevent further spread,” they said.

“If a school suffers a data breach as a result of a cyber-attack, they should report this to the ICO within 72 hours of becoming aware of it. You don’t have to wait for 72 hours – the sooner you contact us with information the better, even if you are not yet sure of all the details.”

There are resources available too, such as the NCSC’s Guidance for schools, and the government’s cybersecurity standards, but the divide may be in having the people to do this for the schools.

Shankar Haridas, UK head of business development at ManageEngine, said: #“To meet the ever-evolving landscape of cybersecurity threats, fostering collaboration between educational institutions, cybersecurity experts, and industry partners would be a common-sense step, helping schools to share best practices, threat intelligence, and collective defence strategies.”

If schools are limited to what they can spend on and are facing consistent cyber-attacks, then there needs to be some way of sharing support and expertise. This was done some years ago with the Give01Day to support the charity sector, so is it time we did the same for the schools our children attend?

One concept is the Cyber Governor initiative, which Newman called “a great initiative to get cyber knowledgeable people to become school governors.”

Maybe rather than worry about what state the children’s education is in, it’s time to give some time and assistance to better aid them.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.