Just how big of a risk does cybercrime pose to the education sector? We speak to experts about some of the steps schools can take to protect themselves
We’ve known for a while now that schools are increasingly falling victim to cybercrime.
The latest statistics published by the Department for Education in July 2022 found that in the 12 months prior, 41 per cent of primary schools and 70 per cent of secondary schools had identified attacks or breaches.
This is concerning, but even more worrying are the findings that suggest some of this threat is coming from within 14 per cent of secondary schools and 1 per cent of primary schools that reported unauthorised accessing of files or networks by students.
‘Necessary checks and balances’
This adds to data collected by the National Crime Agency’s National Cyber Crime Unit (NCCU) in 2022, which found a significant increase in reports of attacks made to the Police Cyber Prevent Network. Some identified children of primary-school age deploying DDoS (distributed denial of service) and using basic social engineering skills to gain passwords.
Alan Merrett is an officer within the NCCU. He says: “The challenge is that there are many avenues through which young people can gain knowledge, skills and experience, using tools that can enable cyber offending without the necessary checks and balances being in place.”
Merrett has spent years working closely with the education sector, to understand the impact of cyber offending. He has also consulted with network, broadband and security providers and found that attacks will often run from Monday to Friday, with negligible activity over the weekend or during school holidays. Providers will also often observe and mitigate an increase in attacks during key exam times.
Put simply, it’s becoming more likely that when a school is victim to a cybercrime, the perpetrator is a student. And schools need to know what to do about it.
Recognise the problem
Heather Toomey is a cybersecurity specialist at the Department for Education, she says the first thing schools need to do is recognise that this is a problem.
“In schools, often even if pupils are found having accessed the information, there tends to be an unwillingness to report or escalate because there is this desire to protect the young people,” she says.
“However, this could be the first step on a criminal path that we need to divert. I’ve seen Year 5s get around proxy settings. I’ve seen Year 6s get into computers they shouldn’t have gotten into. Shoulder surfing [where pupils watch over the shoulder of an adult while they access computers] doesn’t take anything other than a decent memory. We would be selling them short if we thought they couldn’t commit cybercrime. They absolutely can and it’s getting younger.”
Once schools have acknowledged this, they need to build strong cyber defences. Again, this is tough for schools, Toomey says.
“This is a challenge for the education sector because of the limits to their budget and because of their operational functions,” she continues. “Schools are designed to deliver teaching and learning. Their focus is on pedagogy and in keeping children safe in their environment, cybersecurity knowledge is not something that we anticipate they would readily have access to.”
To help schools in this, Toomey refers to the Department for Education’s cybersecurity standards, which are updated regularly, alongside support and advice for schools. But ultimately, she says, schools need to engage with the basics.
“Often you hear that cybersecurity is expensive. Well, I’ve never heard of a password charge per character. Passwords need to be complex; use three random words adding numbers if you can. Make sure your devices update; most will do it automatically but if they’re not connected to the network, they may not do,” she says.
“The National Cyber Security Centre training for staff is an absolute must, and you need to foster a supportive environment.They need to feel that if they have clicked on something, and put the school at risk, that they feel supported enough to tell someone.”
Keep the right records
When it comes to dealing with a pupil who has conducted a cyberattack, unknowingly or not, the first thing a school needs to do is to record it, as they would any safeguarding incident. Too often, says Toomey, this doesn’t happen, and a student can go from primary to secondary without ever having it on their record.
Schools should then consider referring the child to Cyber Choices. This is a national programme, supported by the Home Office and led by the National Crime Agency (NCA), which works with regional and local policing to help young people use their cyber skills in a legal and responsible way. It also introduces them to the Computer Misuse Act 1990 (CMA 1990), educating them on what constitutes a criminal offence in cyberspace.
In addition, the NCA will be launching their national virtual Cyber Choices Challenge, in collaboration with the Cyber Security Challenge UK, in January 2023. The challenge takes the form of a gaming platform and is aimed at secondary school students. Merrett says: “This will help improve participants’ knowledge of the Computer Misuse Act and how to be a cyber responsible citizen in a fun and engaging way, with the opportunity to win some great prizes.”
A referral to the Cyber Choices programme is the recommended next step in the latest update of the Keeping Children Safe in Education guidance, and making this referral doesn’t mean schools are criminalising children, stresses Toomey.
Individual engagement
Steph Phillips is an experienced Cyber Choices officer working in Bedfordshire, and she has worked with lots of pupils who are on the cusp of committing cybercrime. While she and her fellow officers go into schools and deliver talks to both groups of staff and students, it’s the work with individuals that tends to have the most impact.
The time spent with the pupils referred to her depends on the level of engagement from the student, and the seriousness of their action, she says. This time can be spent in schools, virtually, or in their homes. The initial session lasts up to an hour and involves explaining the consequences of their actions, the law around cybercrime and how they could use their skills in a legal way.
“Sometimes it takes just one session, but I’ve worked with students for around two years. It could be a visit every couple of months, it could be more or less than that. It depends on the individual, how much support they require, and how much intervention they need,” she explains.
Phillips and her colleagues also encourage these young people to think about how they could use their skills for good in a future career, and signpost them towards free initiatives like the Immersive Labs; Digital Cyber Academy, which can help to hone them.
There is also a lot of work taking place to develop the relationship with the cybersecurity industry, and Phillips is hoping that she will be able to secure work experience and mentoring for these young people to really open their eyes to the possibilities within industry.
“Ultimately, if we do continue to do our job right, then eventually cybercrime would be no more because we’re stopping it at the source rather than down the road once it’s already happened,” she says.
There are also other national initiatives that teachers can turn to for support. The National Cyber Security Centre has the CyberFirst programme, which identifies and nurtures a diverse range of talented young people into a cybersecurity career.They offer a bursary scheme for undergraduates, as well as providing a range of resources to help schools build their defences.
As part of the CyberFirst programme, the Department for Digital, Culture, Media and Sport has created Cyber Explorers. An online learning platform to teach cyber skills to thousands of students across the UK. The programme, designed for 11- to 14-year-olds,demystifies what a career in digital or cybersecurity could be.
So, while the threat of a cyberattack from one of your pupils is daunting, there is lots of support for these pupils, and for teachers, just a couple of clicks away.
Further details can be found on the Cyber Choices page, which also has teaching resources for multiple student age groups. Should teachers require further information or support, they can contact cyberchoices@nca.gov.uk and the NCCU will put them in contact with their local Cyber Choices engagement team. If you believe your school or college is a victim of cyber crime please report it to Action Fraud, the UK’s fraud and cyber crime reporting centre.
