© Crown copyright 2019
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: firstname.lastname@example.org.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/indicators-of-potential-fraud-learning-institutions/guide-on-cyber-crime-and-cyber-security-for-education-providers
This guide aims to help raise education providers’ awareness of cyber crime and cyber security.
Academy trusts, colleges and independent training providers (ITPs) retain responsibility to be aware of the risk of fraud, theft and irregularity and address it by putting in place proportionate controls.
Cyber crime is criminal activity committed using computers and/or the internet. It can involve malicious attacks on computer systems and software, including email hacking, phishing and malvertising, described below.
Email hackers try to gain access to email accounts by tricking people into:
- opening and responding to spam emails
- opening emails carrying a virus
- opening phishing emails
Phishing messages look authentic with corporate logos and a similar format to official emails.
Sometimes phishing emails use the title of a genuine email that the victim has recently replied to in order to trick the victim into believing the communication is authentic. Phishing emails can appear to have originated from within or outside your organisation.
Unlike official communications, phishing emails ask for verification of personal information, such as account numbers, passwords or date of birth.
Sometimes the emails suggest the request is time sensitive to pressure the recipient to respond when they might not otherwise have done so.
Unsuspecting victims who respond may suffer stolen accounts, financial loss and identity theft.
Malvertising can compromise computers by downloading malicious code when people hover over or click on what looks like an advert. Some will even download malicious code to your computer while the website is still loading in the background. Cyber criminals can use advertisements as a way to hack into computers.
Cyber crime: what education providers can do
To address the risk of fraud, theft and/or irregularity, education providers should as a minimum:
- use firewalls, antivirus software and strong passwords
- routinely back up data and restrict devices that are used to access
Education providers should also train staff to ensure that they:
- check the sender of an email is genuine before, for example, sending payment, data or passwords
- make direct contact with the sender (without using the reply function) where the email, for example, requests a payment or change of bank details
- if telephoning the sender to confirm authenticity, do not use the contact number within the email without first checking it is genuine
- understand the risks of using public Wi-Fi
- understand the risks of not following payment checks and measures
This is not an exhaustive list.
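As an added illustration (not part of this guidance), the following Python script applies the warning signs described above to one message: a reply address that differs from the apparent sender, an external address replying on an apparently existing thread, a request for account details or passwords, and time pressure. The organisation domain, the sample message and the keyword lists are constructed assumptions.

```python
import email
import re
from email.message import Message
from email.utils import parseaddr

ORG_DOMAIN = "example-academy.sch.uk"  # assumption: the provider's own mail domain

# Constructed sample message showing the traits the guidance describes.
SAMPLE = """\
From: "Finance Office" <finance@pay-portal.example.com>
Reply-To: invoices@mail-bounce.example.net
To: bursar@example-academy.sch.uk
Subject: Re: Supplier payment run - March

Please verify your account number and password today; the payment must be
released before 5pm or it will be delayed.
"""

# Assumed keyword lists; tune them to the wording seen in your own incident reports.
URGENCY = re.compile(r"\b(today|urgent|immediately|before \d+ ?[ap]m|within \d+ hours?)\b", re.I)
SENSITIVE = re.compile(r"\b(password|account number|date of birth|bank details|sort code)\b", re.I)

def domain_of(header: str) -> str:
    """Mail domain of an address header, lower-cased ('' if absent)."""
    return parseaddr(header)[1].rpartition("@")[2].lower()

def body_text(msg: Message) -> str:
    """Plain-text body, joined across parts for multipart messages."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")

def phishing_indicators(raw: str) -> list:
    """Return the guidance's warning signs present in one RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    found = []
    # Replies would go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        found.append("reply-to differs from sender")
    # A 'Re:' subject from outside the organisation: a genuine thread may be being reused.
    if from_dom != ORG_DOMAIN and msg.get("Subject", "").lower().startswith("re:"):
        found.append("external sender replying on an existing thread")
    body = body_text(msg)
    if SENSITIVE.search(body):
        found.append("asks for account or personal details")
    if URGENCY.search(body):
        found.append("time pressure")
    return found

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

A hit on any indicator is a prompt for the staff checks above (contact the sender directly, not via reply), not proof of fraud on its own.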
Cyber security: checklist for providers
Cyber security is the way in which organisations can:
- protect their computer systems, including hardware, software and data, from unintended or unauthorised access, change or destruction
- reduce the risk of becoming victims of cyber attack
Five strategic questions for education providers
Academy/college audit committees and the management of independent training providers (ITPs) should use the following high-level questions, based on government guidelines and industry standards, as a starting point to consider cyber risk in their organisation.
As part of its assessment, the audit committee or ITP management should also consider the quality of the evidence underpinning any assurances provided.
1. Information held
Does the organisation have a clear and common understanding of the range of information assets it holds and those that are critical to the business?
2. Threats and vulnerabilities
Does the organisation have a clear understanding of cyber threats and their vulnerabilities?
3. Risk management
Is the organisation proactively managing cyber risks as an integrated part of broader risk management including scrutiny of security policies, technical activity, user education/testing and monitoring regimes against an agreed risk appetite?
4. Aspects of risk
Does the organisation have a balanced approach to managing cyber risk that considers people (culture, behaviours and skills), process, technology and governance to ensure a flexible and resilient cyber security response?
5. Governance oversight
Does the education provider have sound governance processes in place to ensure that actions to mitigate threats and maximise opportunities in the cyber environment are effective?
Ten cyber security tests for the wider business
Academy/college audit committees and ITP management should ask detailed questions to assess and gain assurance that cyber security good practice is in place.
The following questions are based on the National Cyber Security Centre’s 10 steps to cyber security.
Again, as part of its assessment, the audit committee or ITP management should consider the quality of the evidence underpinning the assurances provided, including whether there is evidence that the policies and procedures are well designed, consistently implemented and operating effectively in all relevant areas of the provider.
1. Home and mobile working:
- is there a clear policy on mobile working, with all associated training?
- is a secure baseline build applied to all devices?
- is data protected outside formal work environments, including in transit?
2. User education and awareness:
- are there security policies in place covering acceptable and secure use of systems?
- is there a staff training programme covering secure use of systems and awareness of cyber risks – for example strengthening passwords, risk from public Wi-Fi hotspots, risks from use of removable media such as USB sticks, avoiding use of personal accounts for business purposes and maintaining backups?
- do staff know how to report issues and incidents?
3. Incident management:
- does the organisation have an incident management/response plan and are these tested?
- are criminal incidents reported to law enforcement bodies?
4. Information risk management regime:
- is there a governance structure for managing information risk?
- do information professionals liaise with central government, stakeholders and suppliers to understand the threat?
- does senior management understand and engage with risk mitigation processes?
5. Managing user data access rights / privileges:
- are there effective account management processes, with limits on privileged accounts?
- are user privileges controlled and monitored?
- is access to activity and audit logs controlled?
- are these logs reviewed for unusual behaviour?
6. Removable media controls:
- is there a policy on the use of removable media (for example, CDs, flash/pen drives, mobile phones, wireless printers) and is this implemented?
- are media scanned for malicious software (malware) before being linked to the system?
7. Monitoring:
- is there a monitoring strategy in place for all information communications technology (ICT) systems and networks?
- are logs and other monitoring activities able to identify unusual activity that could indicate an attack?
8. Secure configuration:
- does a system inventory exist?
- is unnecessary functionality removed or disabled from systems?
- are security patches applied regularly?
- is there a minimum defined baseline for all devices?
9. Malware protection:
- are there effective anti-malware defences in place across all business areas?
- is there regular scanning for malware?
10. Network security:
- is the network perimeter managed?
- do information professionals understand where the highest risk information assets are, and how they are protected?
- are security controls monitored, tested and where appropriate updated?
The National Audit Office report The UK cyber security strategy: landscape review describes government’s evolving approach to cyber security.