Human error is the most common cause of security breaches, with research showing that a range of between 52% and 85% of data breaches were caused by human error. On the DfE’s cyber security standards for schools and colleges they state that “the most common forms of cyber attack rely on mistakes by staff members” and that “basic cyber security knowledge amongst staff and governors is vital in promoting a more risk aware school culture.”
As discussed in our post featuring 10 cyber security tips, security awareness training should be delivered on a regular basis to help staff become familiar with recognising suspicious emails, along with improving their knowledge of cyber risk.
DfE cyber security standards for schools and colleges
The DfE recommend all schools and colleges should implement the cyber security standard as soon as possible. A summary of the guidance is shown below:
- Staff must take basic cyber security training every year
- New staff members should have cyber security training as part of their induction
- At least one current governor must complete the same basic cyber security training
The DfE recommend training should focus on:
- Phishing, spear phishing, smishing and other targeted cyber attacks
- Password security and multifactor authentication
- Social engineering
- The dangers of removable storage media
How to achieve compliance with the DfE cyber security standards
Step 1: Deliver the NCSC’s training materials to staff. Either using the NCSC’s presentation (for groups) or the self-learn video (for individuals), both of which are available on the Cyber security training for school staff resources page
Step 2: Ensure new starters complete the NCSC’s training session as a self-learn video, from their Cyber security training for school staff resources page.
Step 3: Ensure at least one governor reads and understands the NCSC’s school governor questions.
Step 4: repeat these steps annually
Additional steps you can take
- In place of step 1 and 2 above, you could hire a cyber security training specialist to deliver a session on cyber security
- You could purchase security awareness training packages from a third-party vendor. These packages contain multiple modules of training with centralised progress tracking
- You could implement phishing simulation training for all staff. These simulations send spam to your users and generate warnings for those staff that require further training
RPA cyber cover requirements
Following the steps above will meet point 2 of the requirements for the DfE’s RPA insurance program. For the full list of requirements, see our post relating to the DfE’s risk protection arrangement.
Resources
We have listed some key resources below where you can find further guidance from the DfE and resources from the NCSC.
DfE’s cyber security standards
NCSC – cyber security – all resources
NCSC – cyber security – training resources
NCSC – resources to print
How we can help
We work with a range of schools, MATs and colleges, implementing projects and processes that meet and exceed the DfE’s cyber security standards across all the requirements, including network security, endpoint protection, business continuity, disaster recovery and multifactor authentication. You can contact us today to see how we can help.