How do you keep abreast of changing threats and security measures? How often should you run anti-virus software and how do you choose one? Are the security measures you take to protect the personal data held on students and staff robust?

All schools rely heavily on their computer systems, and data security in schools is about keeping information safe from damage, loss or theft. It is considered to be best practice for any organisation to exercise the same degree of rigour in assessing the risks to its information assets as it would to legal, regulatory, financial or operational risk. Cyber security is about protecting your computer-based equipment and information from unintended or unauthorised access, change or destruction. You can never be totally safe, but most online attacks can be prevented or detected with basic security practices for your staff, processes and IT systems. There is a risk to your IT services and information wherever they are stored, whether held on your own systems and devices, or on third-party hosted systems (the cloud).

Threats could be posed by people with criminal intent, by accident or through negligence. Current or former employees, or people you do business with could have malicious intent. Threats to data security in schools could specifically be posed by or arise from:

  • Faulty disks, disk drives, or power failures

  • Accidental deletion or alteration of files, eg by staff

  • Computer viruses

  • Unauthorised deletion or alteration of files, eg by disgruntled staff

  • Hacking

  • Destruction by natural disasters such as fire and flood

  • Theft of or unauthorised access to computers, laptops, tablets and mobile devices

  • Remote attack on your IT systems or website

  • Attacks to information held in third party systems, eg your hosted services or school bank account

  • Gaining access to information through school staff

An attack could result in financial losses from theft of information, financial and bank details or money; costs from cleaning up affected systems and getting them up and running again; cost of fines if personal data is lost or compromised, or possible damage to other organisations and suppliers.

School leaders need to gain an understanding of the importance of protecting database systems, the growing internal and external threats to an organisation’s information and the impact of government regulations on the protection of data. Schools should adopt database security best practices to prevent sensitive student and corporate information being compromised. To understand the threats posed to their information and how best to secure systems and hardware, the school either needs in-house expertise or to buy it in. Up to-date advice is necessary on risks to data in relation to potential internal and external database threats.

Database security:

  • Use a password policy

  • Enforce password changes on a set period

  • Make sure no default passwords are left set

  • Use strong passwords

  • Admin accounts should change password more often than general users

  • Use the least privilege security model

  • Only provide the privileges an account needs to do the work required

  • When user’s roles change the privileges must match the role

  • All access must be through an authenticated login

  • Rename, lock and expire default accounts

  • Apply all security patches for the host operating system and the database system.; if possible harden the operating systems (OS)

  • Restrict anonymous access as much as possible; where possible do not allow at all

  • Any batch jobs must not have user ID or passwords within then

  • If possible encrypt the network traffic using certificates

Schools need effective risk management and governance, and policies and procedures to protect the personal data held in emails, faxes; staff training and through actions such as shredding all confidential paper waste and checking the physical security of school premises. Measures that can be taken to keep data secure include:

Promote a risk management culture:

  • Take regular backups of files (backup copies should be stored in fireproof safes or offsite). Every users can set this up as an activity for the IT Manager, so that an audit trail of such backups is created and so that it is not forgotten.

  • Protect against viruses by running anti-virus software.

  • Use a system of passwords so that access to data is restricted.

  • Safely store important files on removable disks, eg locked away in a fireproof and waterproof safe or off-site. Of course Every users have unlimited off-site secure document storage, too.

  • Allow only authorised staff into certain computer areas, eg by controlling entry to these areas by means of ID cards, magnetic swipe cards or other devices

  • Always log off or turn terminals off or lock them.

  • Avoid accidental deletion of files by write-protecting disks or files.

  • Use data encryption techniques to code data.

  • Ensure third-party managed IT services have security controls in place – check contracts and service level agreements.

  • Remove any software or equipment that you no longer need

  • Delete data before disposing or re-allocating equipment. Asset Management users can set up check boxes for this, so that this is prompted on disposal or re-allocation of IT assets, and so that audit trails are created.

  • Review and manage any change in user access, such as the creation of accounts when staff arrive and deletion of accounts when they leave.

  • If your school system is disrupted or attacked, ensure that the response includes removing any ongoing threat such as malware, understand the cause and review security.

Portable Devices and staff / student policies:

When staff and students either work from home or elsewhere on mobile devices, ensure that suitable measures are taken to protect laptops and tablets and the systems on which the data is stored.

Write and publish a written policy so that all staff or students are clear on their responsibilities, e.g.

  • If possible mobile device should be encrypted.

  • Do not leave devices visible when away from the car

  • Do not allow non-employees to access devices

  • Do not connect to public Wi-Fi

  • Use encrypted Wi-Fi traffic eg WPA2

  • Do not use third party USB devices

  • Secure home routers

  • Change default passwords

  • User higher WIFI security level

  • Change the default SSID

  • If possible assign static IP addresses

  • Install and keep up to-date antivirus, firewall and malware software

  • Have an automatic partial antivirus sweep of the device on start up or daily

  • Have a full antivirus sweep of the device weekly

  • Keep device patches up to date

Anti-virus software:

How often should you run anti-virus software and how do you choose one?

  • Antivirus, firewall and malware software should be running all the time; this is known as “Real Time Protection”

  • An antivirus and malware sweep should happen daily; usually at or just after start up.; this would be a partial sweep

  • A full sweep should take place at least once a week

  • Antivirus, firewall and malware software can usually be bought as a single product e.g. Sophos, MacAfee, Symantec, Microsoft

  • If possible the product should be centrally managed by the school or a supplier

Keep up to-date with advice:

  • Have a support contract with the vendor of the system/application.

  • Read the vendor advisory notices for your system/application.

  • Apply all patches relevant to your system/application.

  • Relevant staff should keep their training up to-date as possible for the systems/applications they support.

Data Protection Act

If you handle and store information about identifiable, living people –school pupils, students and staff – you are legally obliged to protect that information under the Data Protection Act 1998. As an employer the school is obliged to protect employees’ personal information. Your pupils and students have a right to see their personal information. They can make a subject access request to see the personal information you hold about them. Students and parents have the right to see their educational records. If the school intends to publish examination results in the media, pupils and students must be informed first.

The Protection of Freedoms Act 2012 places controls on the use of biometric systems in schools, such as cashless catering, access security or borrowing library books. The provisions in the act took effect from 1 September 2013. The DfE has produced guidance on the requirements of the act, such as notification and obtaining parental consent.

The Data Protection Act does not prevent parents and teachers from taking photos of events such as the Christmas play or sports day – asking permission to take photos is normally enough to ensure compliance. If the educational establishment you work in is a public authority, the Freedom of Information Act means you must produce a publication scheme, which outlines the information you will routinely make available to the public – such as minutes of meetings, annual reports or financial information. The Information Commissioner’s Office (IOC) publish guides for schools appropriate for different parts of the UK on what information they need to publish. The act also means you must disclose official information when people ask for it (unless there is a good legal reason for you not to) and you must reply within 20 working days.

Schools must notify the ICO that they are processing personal data. Refer to a useful ICO questionnaire “Protecting Personal Information” published in 2013. Their website provides guidance on:

  • Notification of purposes for processing of personal data

  • Fair processing – let pupils and staff know what you do with the personal information you record about them. Make sure you restrict access to personal information to those who need it

  • Security – keep confidential information secure when storing it, using it and sharing it with others

  • Disposal – when disposing of records and equipment, make sure personal information cannot be retrieved from them

  • Policies – have clear, practical policies and procedures on information governance for staff and governors to follow, and monitor their operation

  • Subject access requests – recognise, log and monitor subject access requests

  • Data sharing – be sure you are allowed to share information with others and make sure it is kept secure when shared

  • Websites – control access to any restricted area. Make sure you are allowed to publish any personal information (including images) on your website

  • Installing CCTV for security purposes – inform people what it is being used for and review retention periods – capturing and/or recording images

  • Images of identifiable individuals is processing personal information

  • Photographs – if your school takes photos for publication, mention your intentions in your fair processing/privacy notice

  • Processing by others – recognise when others are processing personal information for you and make sure they do it securely

  • Training – train staff and governors in the basics of information governance; recognise where the law and good practice need to be considered

  • Freedom of information – after consultation, notify staff what personal information you would provide about them when answering FOI requests

Social media:

Facebook, Twitter and other social networks make it easy to communicate and share personal information.

They can, however, represent a minefield for schools with bullying and the publishing of information that the school would rather not want shared (eg photos of horrible school dinners!). Excluding devices would be counter productive. It is in the interest of suppliers that these products are available in schools and they should co-operative in providing the support needed to keep them there. 

Every and Data Security:

Over 1,000 schools use Every to store and access key documents and data, including:

  • Contracts

  • Asset registers

  • Certificates

  • Management reports

If you are a subscribing school (prices depend on your school size and include unlimited secure storage) then you should be aware:

  • All data is stored in the UK, and remains your property

  • The system is securely hosted and certificated

  • Data can be accessed by those school users (unlimited in number) who you assign permissions to, wherever they are located, and so in the event of fire, flood or other disasters, your key documents will remain safe

  • Access is password protected

  • Alerts and flags can be set up to remind users to: change passwords regularly, delete data from IT equipment due for disposal, run virus scans, run software updates, etc

  • Audit trails are automatically created, allowing you to demonstrate compliance in schools with legislation