School Cybersecurity Checklist for IT Teams

What Good School Cybersecurity Actually Looks Like
Many schools assume cybersecurity means spending tons of money on specialist software and consultants. In reality, schools can begin to protect themselves online by using the free guidance and tools provided by the National Cyber Security Centre (NCSC), which are designed specifically for schools. Additionally, the NCSC’s Cyber Assessment Framework gives IT teams a cybersecurity baseline to work towards and to compare their current security standards against.
The Checklist – 6 Things Every School IT System Should Have In Place
- Multi-Factor Authentication (MFA): MFA is one of the single most effective defences against unauthorised access to staff accounts. Every single staff account, MIS system and cloud service should require a second form of verification before access is granted. Hardware MFA is the single most secure method, and it can be built into pre-existing school infrastructure such as student and staff badges.
- Regularly Tested Cold Data Backups: Cold Backups – also known as offline backups – are the best practice for protecting school data from data breaches as they cannot be accessed from the internet. This setup should be tested on a regular schedule to ensure the backup process is functional and reliable.
- Software And Operating System Updates: Outdated software and operating systems are often the most common entry point for attackers because of the vulnerabilities that can be exploited in those outdated versions. All staff laptops, classroom computers and network hardware, along with their installed software, should receive updates as soon as the updates are published. Automate this where possible.
- An Acceptable Use Policy: Most cyber incidents in schools are caused by human error. A written policy is often not enough as most staff will either not read this or will forget about the core instructions of the policy. Staff need to know what the policy is and follow it at all times. Weekly or monthly reminders should be sent out to staff to inform them of the do’s and don’ts of cybersecurity.
- Controlled Access: Staff should only have the permissions they need; not every staff member needs administrator access. Review user permissions on school systems regularly and change permissions where they are no longer needed, including removing permissions for staff who have left. This practice limits the damage someone can do if a staff account is compromised.
- An Incident Response Plan: If something goes wrong, staff need to know who to contact first and what to do in this instance. Schools with written incident plans often respond faster and recover better. This response plan does not need to be long; just one or two pages covering key contacts and immediate mitigation steps is enough.
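The Multi-Factor Authentication and Controlled Access items above can be checked together as a periodic review over an account export. The script below is an added example, not part of the original post; the CSV column names, usernames and staff lists are constructed assumptions rather than the schema of any particular MIS or directory product.

```python
import csv
import io

# Constructed sample export; the column names are assumptions for illustration.
ACCOUNTS_CSV = """username,enabled,is_admin,mfa_enabled
a.patel,yes,yes,yes
j.smith,yes,no,no
r.jones,yes,yes,no
old.teacher,yes,no,yes
office.temp,no,no,no
"""

# Constructed inputs: current staff from the HR/MIS roster and the agreed admin list.
CURRENT_STAFF = {"a.patel", "j.smith", "r.jones"}
APPROVED_ADMINS = {"a.patel"}


def is_yes(row, column):
    """Interpret a yes/no cell from the export, tolerating case and whitespace."""
    return row[column].strip().lower() == "yes"


def review_accounts(accounts_csv, current_staff, approved_admins):
    """Return sorted (username, finding) pairs for enabled accounts needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        user = row["username"].strip().lower()
        if not is_yes(row, "enabled"):
            continue  # already disabled, so it cannot be used to sign in
        if user not in current_staff:
            # Leaver (or unknown account) that was never disabled: remove access first.
            findings.append((user, "leaver or unknown account still enabled"))
            continue
        if is_yes(row, "is_admin") and user not in approved_admins:
            findings.append((user, "administrator access not on approved list"))
        if not is_yes(row, "mfa_enabled"):
            findings.append((user, "no MFA enrolled"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS_CSV, CURRENT_STAFF, APPROVED_ADMINS):
        print(f"{user}: {finding}")
```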
What to Do If Your School Has Gaps
If you have worked through that checklist and identified areas that your school has not yet covered, the good news is that you do not need to tackle everything at once. Prioritise MFA and Software And Operating System Updates first: they are the most important cybersecurity protections you can introduce, as they address the most common attack methods used. From there, CyberSafeSchools’ free dashboard, built on NCSC tools, gives IT teams a real-time view of where their school stands and what to focus on next.
This post was written by Luke Gardner, a student on the CyberSafeSchools Academy virtual work experience programme. The Academy provides secondary school and college students with structured, hands-on experience in cybersecurity and digital marketing. Find out more about the Academy → https://academy.cybersafe.school/

