Cyber security standards for schools and colleges

Cyber security overview 

This post is part of our series on the DfE’s Technology Standards and covers the standards for cyber security and data protection in schools and colleges. 

Cyber security is related to protecting against theft, damage, unauthorised access and data loss in relation to the devices and online services used by staff and students. 

Cyber security incidents can impact the day-to-day running of schools as well as cause reputational damage and data loss.  Implementing the DfE’s standards helps to protect against threats and allows schools to be prepared should a cyber security incident occur. 

Summary of recommended standards from the DfE 

• Protect all devices on every network with a properly configured boundary or software firewall 
• Network devices should be known and recorded with their security features enabled, correctly configured and kept up-to-date 
• Accounts should only have the access they require to perform their role and should be authenticated to access data and services 
• You should protect accounts with access to personal or sensitive operational data and functions by multi-factor authentication 
• You should use anti-malware software to protect all devices in the network, including cloud-based networks 
• An administrator should check the security of all applications downloaded onto a network 
• All online devices and software must be licensed for use and should be patched with the latest security updates 
• You should have at least 3 backup copies of important data, on at least 2 separate devices, at least 1 must be off-site 
• Your business continuity and disaster recovery plan should include a regularly tested contingency plan in response to a cyber attack 
• Serious cyber-attacks should be reported 
• You must conduct a Data Protection Impact Assessment by statute for personal data you hold as required by General Data Protection Regulation 
• Train all staff with access to school IT networks in the basics of cyber security 

When should you meet the standards? 

All standards should be implemented as soon as possible and you should already be meeting a number of the standards, especially in relation to the data protection regulations.  

How should you meet the standards? 

Your IT service provider or in-house team should be able to help ensure you are meeting the standards. The implementation of the standards can include third-party IT service providers, such as cloud backup providers that can help to meet the requirements for data backup. 

Further technical details 

Given the depth and complexity of implementation, you should review each of the recommendations in detail. 

Related standards 

The implementation of cyber security standards will rely on some features provided by your Internet provider, wireless network and switches. In addition, some of the recommendations in the other DfE standards directly relate to cyber security. 

See our related posts in this series: 

• Broadband internet standards in schools 
• Wireless network standards in schools 
• Network switch standards in schools 

Read the standards in detail 

You can find the DfE’s standards in full by following the link: Cyber security standards for schools and colleges.

How we can help 

We understand that every school and Trust is different, meaning the path to upgrade and improve your cyber security standards will be based on a number of factors. We help review your existing cyber security standards, with design and deployment services. Our team also provide oversight of your existing strategic plans to ensure they will meet the cyber security requirements.