If you work in education and are applying for funding, you’ve probably heard the phrase ‘Cyber Essentials’ mentioned. Cyber Essentials is a set of security guidelines laid out by the UK government to help organisations address the basics of cyber hygiene.
It’s important to education providers because Cyber Essentials certification is now part of the security requirements for Education and Skills Funding Agreements (ESFA).
For the 2020-21 funding year, all recipients must meet the requirements for the UK’s Cyber Essentials scheme. And next year, achieving Cyber Essentials Plus certification will also be mandatory.
However, cybersecurity and funding requirements can be confusing. So, we’ve put together a guide to help you get certified and meet the ESFA funding deadline. The guide covers everything you need to know, including:
What the Cyber Essentials scheme is
The difference between Cyber Essentials Standard and Plus certifications
Why cybersecurity is important to the education sector
How to get certified immediately and meet the ESFA deadline
How to move beyond certification and keep your organisation protected
To find out more and get prepared for the ESFA deadline, download your free copy here or follow the link below.
Back to School: Free tips and tricks to protect your business from cyber threats
All through September, we will be sharing free tips and tricks that you can implement straight away to ensure your organisation protects itself from cybersecurity threats.
Currently in the UK, 32% of SMEs experience cyber-attacks every year, a figure that is increasing, with costs running into the thousands of pounds. With a few preventive measures, you can fight these threats. By implementing various techniques and strategies, using free tools and being aware of the main ways your business might be targeted, you can protect your business today.
Come back throughout September as we add more tips. It’s time to become CyberSmart.
1. Use Two Factor Authentication (2FA)
Adding an extra layer of security to your accounts can never be a bad idea. Many platforms these days offer 2FA, where you either receive an SMS (least safe), receive an email (medium level of safety) or authenticate via an app (recommended). There are free and premium solutions available, such as 1Password, allowing you to enable higher levels of security and 2FA across all your personal and business accounts.
2. Time to have an app clear out
You know all those apps you have installed but never use? They should go. Apps that have been installed for months and have not been updated could be full of vulnerabilities, waiting for a cybercriminal to exploit. When you delete these apps, make sure to delete your account and unlink any credentials.
3. Are your email details available on the internet already?
This can be a scary thought, but more than likely your email has been compromised before. With the introduction of GDPR, more and more companies are openly admitting cyber breaches. We recommend using haveibeenpwned.com to check if your email has been compromised in a data breach before. Simply enter your email, check for breaches and address the situation.
4. Are you really going to plug that USB in?
You should be extremely careful with USB devices. Even after formatting, malware can still be present, so ensure you completely trust the source of the device or, to go one better, do away with using USB full stop.
5. Update, Update, Update
Updating your apps and software can prevent 85% of targeted attacks. Make your business safer by allowing all updates to be automated, so you don’t even need to think about it.
Make sure your operating system (on all your devices) and all applications are updated at all times. Updates are free, after all.
6. Always lock your devices
It’s often funny when you walk away from your computer and come back to find a funny background picture, right? During the time you allowed for that to happen, your business could have experienced a catastrophic, business-impacting data breach (and many other potential risks).
Always lock your screens, and make them only accessible by you.
7. Might be 2019, but that doesn’t mean Antivirus is out of fashion
Antivirus is a necessity for all your devices, desktop and mobile. Without an antivirus, you are putting your business at risk not only of those pesky viruses but also of malware lurking in the background, dormant or actively damaging your device. There are many antivirus options out there; some may even come pre-installed with your device, and others come in free and premium versions. There’s no excuse not to be using an antivirus.
8. Turn on your firewall
Most operating systems come with a firewall, and there’s a very good reason for this. Ensure all your business devices have it turned on, as it’ll create a buffer zone between your network and the internet, a highly valuable preventive measure against cyber attacks.
9. Ransomware, sounds scary but what is it?
Ransomware is one of the biggest cyber threats your business faces, as it encrypts ALL YOUR DATA and locks you out of your device. It then normally requests a ransom payment of a few hundred pounds in return for a decryption key.
How do you protect yourself?
Backup all your data (often and in different locations)
Vital business information shouldn’t be only on your computer
Don’t click on emails from unknown senders (and NEVER access .zip files in emails from these senders)
Like we mentioned earlier, UPDATE your OS and apps
Have an antivirus installed
10. Do you know how to spot a phishing email?
Firstly, a phishing email is an attempt to collect your personal data, and more than likely you have come across one (or many) before.
Serious businesses will never display your email address in the subject line
Check out the sender and their email, try to spot how valid it is
You don’t have to open an email just because it instils some sort of urgency (the more urgent it may look, the higher the likelihood of a breach)
Always check links before you click.
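The four checks above can be applied mechanically when triaging a reported message. The following Python is an added example, not part of the original article; the flag names, the urgency word list and the use of a Reply-To comparison for "check the sender" are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumed urgency vocabulary; tune it to the mail your organisation receives.
URGENCY = re.compile(r"\b(urgent|immediately|final notice|suspended)\b", re.I)
DOMAIN = re.compile(r"^(?:https?://)?(?:www\.)?((?:[\w-]+\.)+[a-z]{2,})(?:[/:?#]\S*)?$", re.I)

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw):
    """Return the tip-10 warning signs found in one single-part HTML message."""
    msg = message_from_string(raw)
    subject, body = msg.get("Subject", ""), msg.get_payload()
    dom = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    found, parser = [], LinkCollector()
    if to_addr and to_addr in subject.lower():
        found.append("recipient_in_subject")   # your address shown in the subject
    if dom("Reply-To") and dom("Reply-To") != dom("From"):
        found.append("reply_to_differs")       # replies go to a different domain
    if URGENCY.search(subject) or URGENCY.search(body):
        found.append("urgent_wording")
    parser.feed(body)
    for href, text in parser.links:
        shown, target = DOMAIN.match(text), DOMAIN.match(href)
        # Visible text looks like a domain but the link goes somewhere else.
        if shown and not (target and target.group(1).lower() == shown.group(1).lower()):
            found.append("link_text_mismatch")
            break
    return found

# Constructed sample message (all names, addresses and domains are made up).
SAMPLE = ('From: "Example Bank" <alerts@examplebank.example>\nReply-To: help@collect-details.example\n'
          'To: pat@school.example\nSubject: pat@school.example URGENT: account suspended\n\n'
          '<a href="http://login.collect-details.example/v">www.examplebank.example/login</a>\n')
```

A message that trips none of the checks is not proven safe; the flags are a prompt for a closer look, not a verdict.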
11. Check back tomorrow
Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
Time for the UK education sector to prioritise cybersecurity
As you probably know already, schools and universities are not immune to attacks from disgruntled employees or other insiders. However, there is another key issue for school leadership teams that is unique to the education sector: students!
Students are often more digitally aware than most teachers and other school employees. This can lead to new digital platforms being introduced into the school environment without staff being made aware. This insider threat to schools from students is not malicious; instead, it’s an issue of negligence in some cases or lack of awareness in others.
While students and teenagers may be tech savvy, they’re not often very security conscious. The consequences of exposing the school network to a data breach or cyber attack are often not properly understood. They are also not legally culpable for any actions that might result in a breach, so there is less of an incentive to take responsibility.
Adults are also potential insider threats; a teacher may bring a corrupted USB stick into school with their learning resources, or school admin staff may open and respond to a phishing email without understanding what it is. This is why schools must keep on top of their security policies and enforce them across the whole school community.
Awareness Of The Threat Landscape
The general lack of awareness about the types of attack a school network may be subjected to, what they look like, and where they come from is a major problem for the school as a whole.
All parties – IT departments, network managers, teachers, school employees and students – must be made aware of the threat landscape as it relates to their internet and network usage. Regular training should be part of the school’s IT policy, raising awareness of the consequences of a cyber attack for the school and for individuals personally – which could include disciplinary action.
Network Protection
School networks need robust defences in place to protect from threats such as malware or DDoS attacks. Antivirus, web filtering, firewall, device encryption, mobile data management and penetration testing should all be updated regularly and reviewed to keep pace with new threats and technologies.
Managing User Privileges
An effective way of limiting the potential damage an insider threat poses is to rigorously manage who has access to the network, and what they can and can’t do.
Both staff and students should only have limited access to the school’s network based on their requirements, reducing the opportunity for malicious or accidental misuse of the network. Managing user accounts should also include regularly reviewing what access individuals require, blocking access to some systems if individuals no longer need them, and deleting users when they leave the school.
If you have any questions about Cyber Security in general or just want to have a chat, drop us a line at hello@cybersmart.co.uk
Protecting your data and organisation is hard work — let us help you make it easier.