Schools in the UK have a lot to do to ensure compliance with GDPR, prevent cyber-attacks and avoid heavy fines under the new legislation.
A large number of schools still use outdated systems to store data on pupils and have no cyber-security protocols in place.
Stephen Morales, chief executive officer of the National Association of School Business Management, recently said that schools in the UK are highly vulnerable to cyber-attacks but budget pressures stop them from implementing clear checks and reviews or processes to deal with such attacks.
“School business professionals need to be prepared for cyber-attacks and to have clear checks and reviews, as well as processes in place if an attack happens. However, the pressure on school budgets means that it is likely there will be less, rather than more, capacity to ensure schools are prepared and protected from attack," he said.
His comments came after a number of NHS trusts were hit by WannaCry ransomware attacks in the middle of May. In some cases, the attacks were so severe that some hospitals had to shut down all of their systems. A number of trusts stayed out of operation for around a week.
According to Toks Oladuti, the director of information systems at a an independent girls’ schools trust in London, British schools escaped the WannaCry ransomware attacks through pure luck. This is because systems being used by schools were no better than the ones used by NHS trusts when the ransomware arrived.
“There is no reason why in the future there wouldn’t be a targeted attack on a large number of schools. And the likelihood is that some will click on a [risky] link.
"Good systems and staff training are both as important as each other. You can have all the systems in place but the gatekeeper is the end user. If people are busy then they have a tendency to click on something without thinking. I mitigate this as much as possible through regular training and reminders,” he added.
In order to be fully compliant with GDPR, schools will not only have to ward off hackers but will also need to have strict controls over personal data of pupils. Not only will schools need to take parental consent before collecting personal information on pupils, but will also edit or delete such data as per the wishes of the parents.
Schools will also be required under the GDPR to employ qualified data processing officers (DPOs), who will offer independent advice. Before collecting personal data, schools will also be required to conduct data privacy impact assessments to identify risks and mitigations. Failure to protect confidential data from breaches will result in fines of either 4% of a school's annual worldwide turnover or €20 million, whichever will be higher.
Considering that a lot of schools are presently using outdated systems and have poor cyber-security practices in place, their vulnerability to hackers as well as their chances of facing heavy fines under GDPR are very high.
“Lots of schools currently use IT equipment until it falls over and dies – with GDPR it’s a high-risk approach to continue using equipment that is out of warranty or doesn’t have up-to-date software,” said Mark Orchison, managing director of 9ine Consulting.
As per the GDPR, schools will need to “ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services” and will thus have to ensure that the systems they use are always updated with the latest security patches and that data is always encrypted or stored securely.
According to the UK's Action Fraud department, schools have already been targeted by hackers posing as the 'Department of Education' and trying to trick employees into clicking on links or installing ransomware which the hackers can then use to take control of systems and demand money.
"This kind of attack can certainly affect schools, and the indiscriminate nature of these attacks puts everyone at risk. Across the education sector, there will be organisations on top of good practice, and there will be ones that struggle. Our aim is to ensure that every organisation has access to the right skills and a cadre of professionals they can rely upon to know they are safe. We have a long way to go," said David Evans, director of community and policy at the BCS to TES.