Education settings


Education settings provide a vital service. To do so, they employ thousands of staff, and hold a lot of data on children and families.

Nurseries, schools and colleges may hold:

  • financial information including bank details, or details of parents’ income
  • contact details including home addresses, phone numbers and email addresses
  • personal information including medical information, ethnicity, nationality, or social security numbers

A cyber criminal could access information about thousands of people if they successfully attack one education setting. This means that schools, colleges, and nurseries are an attractive target.

Education settings may also be targeted because of the scale of their work. These settings employ thousands of people, many of whom will use personal devices to do their work. Each of these devices could act as a point of entry into the system.

Because of these risks, it’s vital that all nurseries, schools, and colleges have appropriate cyber security measures in place.

We’re here to offer information, advice and support. For more information, contact us, or check our Advice and Guidance page for the latest information.

If you have any questions, you can contact us:



How a cyber attack could affect education settings

A cyber attack could affect your nursery, school, or college in several ways. How it affects you will depend on the type of attack, and what the attackers have managed to access.

This page gives examples of some of the issues you might face.

Safeguarding

A successful cyber attack might make it harder to carry out your safeguarding duties. For example, if you use an electronic register, this might not be available after an attack. A paper alternative will make it harder to confirm where students are, and if they’re safe.

The attack might mean you can’t access your usual case management system. This will make it harder to share – and act on – information about vulnerable children and young people.

Learning and teaching

It is likely that your staff use some online resources to support teaching and learning. This could include:

  • watching educational videos online
  • accessing paid-for learning programmes
  • using online platforms to share course information and allow students to submit work (for example, via Moodle)

If you can’t access the internet after an attack, you will lose access to these services and platforms. In some cases, this might cause a minor change to a lesson plan. In other cases, it might mean completely changing how you teach.

Communicating with parents and carers

Contact between staff and parents is an important part of learning and teaching. Some nurseries, schools and colleges use third-party platforms to contact parents. Others may use regular emails to stay in contact.

A successful cyber attack will limit how you can contact parents and could affect children’s progress.

Staff impacts 

A successful cyber attack will mean that staff will have to adapt and change how they do their job. This is likely to lead to a short-term fall in productivity.

But it could also have a financial effect. If the attack targets your HR or payroll systems, you may be unable to pay staff salaries in good time. This could have a knock-on effect on the children and young people you support.

Financial transactions

A successful cyber attack could affect even the most basic financial tasks. If you use online ordering or payment systems, these might be unavailable. You might no longer be able to take payments from parents and carers. It would not take long for this to have a serious effect on your education setting.



Who is responsible for cyber security in education settings?

Everyone in your nursery, school or college has a different role to play in cyber security. What this means will vary depending on the type of setting, and your size.

IT staff 

This team provide day-to-day support for the nursery, school or college. They may work in your setting, for an external company, or for the Government of Jersey.

Your IT team are unlikely to be cyber security experts. But they are experts in your networks, devices and processes. This means that they should be your first contact if you suspect a cyber attack. You can also contact the JCSC team for information and advice.

Board of Governors

In schools and colleges, the Board of Governors sets strategic guidance and direction. This includes making sure that the school has the right IT policies and procedures. These policies and procedures should cover the use of ICT systems and data security.

The Board of Governors should understand the cyber security risks their setting faces. They should also make sure that the school or college has developed a plan for how it will respond.

Finally, the Board of Governors must also make sure that the school or college follows all relevant laws. This includes the Data Protection (Jersey) Law 2018. They should understand how a cyber attack could lead to data loss, and how to report this.

Leaders

Leaders should be aware of cyber security risks that could affect their nursery, school or college. They should ensure that staff understand IT policies and procedures, and follow them.

All staff

Every member of staff in the school, college, or nursery should understand its IT policies. They should also follow any relevant procedures: this includes protecting their devices.



How to protect your education setting

Potential cybercriminals are always developing new techniques and approaches. This means that there’s no way to guarantee that your setting is safe from every cyber attack.

However, there are several steps you can take to reduce how likely you are to be a victim of a cyber threat.

Back up your important information

  • Identify which information is critical and make sure that you have a segregated backup. This backup can be online, for example, through a cloud-based service. It can also be offline: on a USB stick, an external hard drive, or a computer which is not connected to the internet. You can also use cloud-based services to back up your information.
  • Schedule regular backups of your data. This will mean that you have access to the most recent version of your critical information.
  • Test your backups regularly. This will mean you know if the backups are working. It will also mean that you understand how to recover the information if you need to.

Use strong password protection

  • Turn on password protection wherever it is available: this includes across your devices and the services you use.
  • Make sure that all staff are using strong passwords. The National Cyber Security Centre (NCSC) suggest using a combination of three random words.
  • Use extra security protections, including 2-step verification, wherever possible. You can find more guidance on this via the National Cyber Security Centre (NCSC).

Protect yourself from viruses and malware

  • Make sure that all your computers have antivirus software installed.
  • Update all your IT devices regularly: this process is called patching. It means that the developer of your device has identified security issues and fixed them. Your staff should also patch any personal devices they use for work.
  • We recommend that you aim to install patches no more than 14 days after they’re released by the developer.

 

Be wary of phishing attacks

  • Cyber attackers use phishing as a way into a system or network. They will often send an email to trick a user into clicking a link or downloading an attachment. The attachment or link will allow the attackers to steal the user’s information.
  • Ensure that staff are aware of this risk, and that they remain vigilant.

For more information, visit our information, advice and guidance page.

 



Cyber Essentials

Cyber Essentials aims to protect organisations against a range of cyber attacks. The scheme is backed by the UK Government and is available in Jersey.

Cyber Essentials is a certification scheme. To be certified, you need to have basic cyber security measures in place. This scheme focuses on preventing the most common types of cyber attacks. These attacks are usually targeted at organisations that have no basic protections.

Once you’ve introduced these measures, then you can become certified. There are two different levels of certification.

Cyber Essentials (CE). To reach this level, you take part in a self-assessment. This process is easy to follow so that even small organisations can take part. This level of certification costs from £320 (from 2nd April 2024).

Cyber Essentials Plus (CE+). This level builds on the CE accreditation. We recommend this certification if your organisation uses technology to deliver your service. We also recommend this for organisations that process confidential data. What you pay for CE+ will depend on how big your organisation is.

Find out more about on-Island providers of Cyber Essentials.



Jersey Cyber Shield

Jersey Cyber Shield is a free service offered by JCSC for organisations. We have designed it to give you extra protection by working with the security measures you already have in place.

We use four methods to find security weaknesses which an attacker could target. If we find weaknesses, we tell you what they are so that you can address them.

Jersey Cyber Shield is suitable for different sizes of organisation and is free to join. (There are some optional elements which are more complex. Because of this, we may need to request a contribution if you want access to these services.)

You can find out more about Jersey Cyber Shield on this page.



Useful resources

If you need more information about cyber security, your IT provider should be your first contact.

The UK’s National Cyber Security Centre (NCSC) has advice, guidance, and training for education settings. This includes:

For schools and colleges

 

For Early Years



Reporting an incident

If you experience a major cyber security incident and report it to us, we can help you in several ways. We can provide technical advice and guidance to help you respond. We can also use our access to intelligence and expertise to help inform how you respond.

In some circumstances, we can provide direct technical support, and help you communicate.

You can also report an incident by phone on 01534 500050, via email (incidentreports@jcsc.je) or online via this form.

Find out more about how we can help.

Who you need to contact will depend on the type of attack, and the organisation.

The States of Jersey Police (SoJP). You should contact the SoJP where a crime has taken place, or if you suspect that a crime has taken place. They have the ability to handle digital forensic investigations. More information on how to report a crime is available via the SoJP website.

Jersey Office of the Information Commissioner (JOIC). You should report the incident to JOIC if the cyber attack has led to a personal data breach. You can find more information on when and how to report a breach via the JOIC website.

Action Fraud. Action Fraud is the UK reporting centre for fraud and cybercrime. You can make a report via the Action Fraud website.