DfE Cyber Security Standards
Implement robust cyber security, user accounts and data protection for your school or college.
Implement robust cyber security, user accounts and data protection for your school or college.
In January 2024, the Department for Education (DfE) updated their guidance on digital and technology standards for schools and colleges. These guidelines included the minimum requirements for cyber security, user accounts and data protection. When cyber security incidents occur, they can impact the day-to-day running of schools and colleges, lead to sensitive data loss and even cause reputational damage. The DfE’s Cyber Security Standards aim to protect your school or college from threats and ensure you’re prepared, should a cyber security incident occur.
Wavenet has been a leading education technology specialist for over 30 years. We are passionate about implementing digital strategies, tailored to individual school requirements that promote a safe, engaging learning environment. With our range of robust cyber security solutions, we can help you achieve the DfE standards.
Find out how we can assist you in leveraging technology to both meet the DfE digital standards, as well as drive positive learning outcomes for your students. Contact us today on 0333 234 0011 or use the form opposite:
All these standards should be met as soon as possible, and you should already be meeting those in relation to Data Protection Regulations.
Having a properly configured boundary or software firewall protecting every device, is vital for preventing cyber-attacks - they make scanning for suitable hacking targets much harder too. It is important to ensure that all firewall firmware is up to date and monitoring logs are checked regularly, as they can help detect suspicious activity.
Multi-factor authentication only allows access to a service when you present 2 or more different forms of authentication. It reduces the possibility of an attacker compromising an account. This is especially important if an account has access to sensitive or personal data.
The protection of sensitive and personal data is vital to the safety of students and staff, the reputation of your school or college and to avoid the legal liabilities that security breaches expose schools and colleges to. Limit access by specific content area and don’t use blanket permissions.
Security systems are sometimes disabled to make marginal improvements to user experience. This is an unjustifiable risk in most circumstances as attackers scan for and exploit devices where security features are not enabled. Attackers who gain access to a network device can exploit an entire system very easily, so this should be prevented. Keeping a record of network devices (routers, switches, access points, servers) will help your school or college ensure networks are up to date and speed up recovery times.
Successful cyber-attacks target user accounts with the widest access and highest privileges on a network. By limiting the numbers and access of network and global administrative accounts, you prevent and limit successful cyber-attacks. It is important to have a user account creation, approval, and removal process as part of your school or college’s joining and leaving protocols. All unused accounts, whether from people who have left their employment, or ones that haven’t been used in a prolonged period, should be removed or disabled. Each user should be authenticated with unique credentials before they are given access to devices or services.
Up-to-date anti-malware and anti-virus software reduces the risk of many forms of cyber-attack. Some applications protect against both viruses and general malware, some against only one. You need to protect against both.
Effective anti-malware software should be set up to scan files upon access, when downloaded, opened, or accessed via a network folder, it should scan web pages as they are accessed, and prevent access to potentially malicious websites, unless it has been risk-assessed, authorised, and documented for a specific business requirement. Do not run applications or access data that has been identified as malware.
Some applications may contain unintentional security flaws or introduce malware onto a network, making it simpler for hackers to carry out an attack. Applications should not be downloaded by users; they should always be examined first. Best practice is to maintain a current list of approved applications, any with invalid or no digital signatures should not be installed or used.
Hackers try to identify and exploit the vulnerability that each new security update addresses. They try to do this before users can update their systems. In the last year, several attacks on education establishments have taken advantage of this. All devices and software should be currently licensed, supported and set up to meet technical requirements.
Cyber-attacks are crimes against a school that need to be investigated, so perpetrators can be found, and countermeasures identified. A cyber-attack is defined as an intentional and unauthorised attempt to access or compromise data, hardware or software on a computer network or system and could be made by a person outside or inside the school.
You should report any suspicious cyber incident to Action Fraud on 0300 123 2040 or via the Action Fraud website. Police investigations may find out if any compromised data has been published or sold and identify the perpetrator.
A backup is an additional copy of data, held at a different location, in case the original data is lost or damaged. This is essential for timely disaster recovery, if all copies are held in the same location, they would all be at risk. The safest way to achieve this is to have a pattern of backing up data on a rolling schedule. How often you need to create backups depends on how often the data changes and how difficult the information would be to replace if backups failed. You should have at least 3 backup copies on at least two separate devices. At least 1 of these copies should be off-site.
Being unprepared for a cyber-attack can lead to poor decisions, slow recovery, and expensive mistakes. A good response plan made ahead of time will speed up your response, reducing the material, reputational and safeguarding damage that ransomware attacks can cause. All schools and colleges must have a contingency plan for the loss of some or all IT systems included in their business continuity and disaster recovery plan. This is required by the Schools Financial Value Standard.
The most common forms of cyber-attack rely on the mistakes of staff members to be successful. Attacks ca be stopped by avoiding these mistakes. Basic cyber security knowledge amongst staff and governors is vital in promoting a more risk-aware school culture. Staff who require access to your IT network should take basic cyber security training every year. This training should be part of the induction for all new staff as well, focusing on phishing, password security, social engineering, and the dangers of removable storage media.
Here at Wavenet, we can assess your school’s cyber resilience, prioritise critical risks, backup your data, provide assurance and achieve network security. Tailoring our solutions to your school or college’s individual needs, we can ensure that your cyber security meets both the DfE standards, and the demands of your education environment.
Get all the latest news and insights straight to your inbox.