Facing the threat of cyber security breaches
Universities and colleges are not immune from deception by unscrupulous bad actors. The extent to which educational institutions can manage and control risk not only depends on financial management and internal controls, but also the robustness of security and processes which can be exploited from outside the organisation.
Internal fraud can be demoralising. Staff exploiting weaknesses in internal processes to set up false suppliers, abuse the company credit card or claim additional expenses may appear minor, but all amount to fraud and could have serious repercussions for the individuals concerned.
A recent decision in the Supreme Court in R v Andrews [2022] UKSC 24 has highlighted that anyone falsely claiming qualifications on their CV can be stripped of the profits of their deception. The Supreme Court permitted a Proceeds of Crime Act 2002 (POCA) confiscation order on the basis of the pre-appointment earnings. Ensuring that validation in recruitment processes is properly and diligently carried out would avoid the worst excesses of CV fraud, but would also deter appointments of people who may see education as a soft target.
But what of the external actors who target education and charities, who rely on volunteers, community support, co-operation and public goodwill to operate effectively and generate additional income? The sophistication and variety of modes of attack have certainly evolved over the past two years, as have the frequency with which attacks are experienced and the level of disruption caused.
“92% of HEIs identified a breach”
The Department for Digital, Culture, Media and Sport has surveyed the education sector in its annual Cyber Security Breaches Survey 2022, as part of its aim to inform government policy on cyber security. The results show 92% of higher education institutions identified a breach, while the education sector as a whole experienced some of the highest levels of the most dominant form of attack, phishing emails, outstripping even the business sector.
But one concern is that the survey identified that most education establishments experienced some form of attack or breach on a weekly basis. Spoof emails or impersonation attacks, and attempts at gaining unauthorised access through malware, were also a common occurrence.
The high levels of reporting could point to increased security, senior management engagement and staff vigilance underlining their preparedness to invest in approaches to prevent attacks – such as security monitoring or penetration testing, as well as maintaining risk assessment and disaster plans to trigger appropriate responses.
In reality, where these attacks were effective, a significant proportion of the institutions experienced a negative outcome, with loss of data for illicit purposes or financial losses or accounts systems being compromised. As a consequence, they reported significant disruption with increased manpower and staff time to deal with the reporting and stakeholder engagement, post event.
Kudos to the education sector
One key feature of the report is the kudos given to the education sector as a result of its cyber security planning and policies, the level of knowledge of directors and trustees and how they dealt with breaches – including external reporting (with stakeholders, insurers, regulators) and implementation of additional controls (passwords and two-factor authentication). In fact, it was regarded as the equivalent of large businesses, which are considered to be the most well-equipped to deal with these issues.
It is perhaps the education sector’s reported high levels of compliance with the 10 Steps to Cyber Security, and its proactivity in seeking guidance and enhanced security, that have led to its overall rating which, in some instances, outperforms businesses. Despite the concerning levels of attacks which target educational institutions, these efforts go a long way to block potential disruption. Regrettably, in the digital and online times in which we live, this does not eradicate the risk, but it mitigates the harm and allows educators to focus on what they do best, which is heartening news.
Contact

Paul Wainwright
Partner
paul.wainwright@brownejacobson.com
+44 (0)121 237 4577