From education to employment

Schools better than businesses at cybersecurity but suffer more attacks, new report shows

Ruth Schofield, UK Country Manager for Heimdal™ Security

More than a third of primary schools (36%), over half of secondary schools (58%) and three-quarters of further education colleges (75%) have suffered a cyber breach in the past 12 months, according to new government figures.

The figures from the government’s Cyber Security Breaches Survey 2021 show that overall, schools and colleges are more affected by cybercrime than businesses, of which 39% suffered a breach during the same period. However, educational institutions also take cybercrime more seriously and have more defences in place.

The report reveals that the number of primary and secondary schools suffering breaches was down on last year, when it was 41% and 76% respectively, but warns this may reflect less monitoring and reporting of breaches given the move to remote working, rather than fewer attacks. (There were no comparable figures for colleges in 2020.)

Ruth Schofield, UK Country Manager for Heimdal™ Security, which provides security products for education institutions, says:

“We are in the midst of a cybercrime epidemic and sadly, schools have become the latest victims. The figures make it clear that secondary schools and colleges in particular are far more likely to be victims of attacks and suffer more serious consequences.

“It could be that as businesses have been strengthening their defences, schools have become soft targets. Criminals are also aware that the rapid switch to remote learning has made schools more dependent on IT systems, and the critical nature of their work means attacks are more disruptive – so faced with a ransom demand, they are more likely to pay up.”

Of institutions which were attacked, three-quarters (74%) of colleges, 48% of secondary schools and 41% of primaries reported a negative impact, such as having to divert staff or being prevented from working, compared to 35% of businesses. Meanwhile, a third (33%) of secondary schools and colleges and 24% of primary schools also reported a ‘material outcome’ such as a loss of control, data or money, compared to 21% of businesses.

However, the report also revealed that education institutions had a higher level of senior engagement with cybersecurity than businesses. Around two-thirds of schools and 77% of colleges have a governor or senior manager with responsibility for cybersecurity, compared to 38% of businesses. They were also more likely to have sought external cybersecurity advice in the last 12 months.

The report did uncover some weaknesses, though, in particular in patch management, with just half (47%) of primary schools having a policy to apply software updates within 14 days, and in user education and remote working policies.

Ruth Schofield adds: “A year into the pandemic, cyberattacks are the last thing the education sector needs right now. Clearly schools and colleges take cybersecurity seriously and outperform businesses in terms of having safeguards in place, despite generally having more limited budgets.

“However, the impact these attacks are having suggests that institutions do need greater support to improve cybersecurity, for example replacing traditional endpoint security products with next-generation solutions that detect and prevent a wider range of threats. The good news is that even a small amount of investment can make a big impact in terms of safeguarding our education system.”

The report was based on findings from 135 primary schools, 158 secondary schools and 57 further education colleges.
