A third of schools experienced a cyber incident during the last academic year.
There is poor cyber hygiene in UK schools and colleges, a government report has found.
According to the Office of Qualifications and Examinations Regulation (Ofqual), which regulates qualifications, examinations and assessments in England, a poll found that 34 percent of schools and colleges in England experienced a cyber incident during the last academic year.
Also, 20 percent were not able to recover immediately, with four percent saying it took a whole term to recover from an incident. Meanwhile, a third of teachers say they have not received any cybersecurity training this year.
Amanda Swann, executive director of general qualifications at Ofqual, said many schools and colleges take cybersecurity seriously, “but this poll highlights that there is more to be done. I would encourage schools and colleges to visit the National Cyber Security Centre’s school resource guide to learn how to defend against cyber-attacks.”
Human Risk Management
In a recent article, we looked at multiple instances of cyber-attacks on schools, and concluded that schools have a distinct lack of cybersecurity knowledge and capability to work with.
Suzan Sakarya, senior manager for EMEIA security strategy at Jamf, said: “Poor cyber hygiene found in schools by Ofqual is no shock at all. On account of continually squeezed budgets, schools lack the means to upgrade devices or systems that contain unpatched vulnerabilities, let alone purchase the latest technology.
“The education sector is increasingly susceptible to attacks as more devices enter schools, more services move to the cloud, and more time is spent online. There is a dire need for security awareness education and support for both staff and students.”
Andrew Rose, CSO at SoSafe, said more of a focus on human risk management can be a step forward here, “through awareness, behaviour, and culture change.”
He said: “The rapidly developing digital world poses threats to our organisations, and even our societal structure, putting the assets, reputation, and services of industries such as schools and education, healthcare, and transport in the firing line. It’s vital that go-to technology upgrades such as firewall refreshes should not overshadow, or be seen as a substitute for, the human element of cybersecurity.
“By focusing on human risk, organisations can achieve a more substantial and cost-effective reduction in cyber risk, fostering a resilient and proactive security posture that technology alone cannot achieve.”
Written by
Dan Raywood
Senior Editor
SC Media UK