Cybercrime is a criminal activity committed using the computers it can involve malicious attacks on computer software, the most common forms are:
- fraud
- loss of systems and data from ransomware
- loss of data from hacking.
Academy trusts retain responsibility to be aware of the risk of fraud, theft and irregularity and address it by putting in place robust controls, such as:
- routinely back up data and restrict devices that are used to access the data
- use firewalls, antivirus software and ensure strong passwords are used
- ensure staff have adequate training to ensure they are checking emails are from genuine senders and understand the risks of using of public Wi-Fi.
Cyber security checklist
The audit committees should ask detailed questions to assess and gain assurance that good practices are in place. The following questions are based on the National Cyber Security Centre’s 10 steps to cyber security:
- Home and mobile working
- is there a clear policy on mobile working, with all associated training?
- is a secure baseline build applied to all devices?
- is data protected outside formal work environments, including in transit?
- User education and awareness
- does the trust have security policies covering acceptable and secure use of systems?
- is there a staff training programme covering secure use of systems, including awareness of cyber risks – for example strengthening passwords, risk from public Wi-Fi hotspots, risks from use of removable media such as USB sticks, avoiding use of personal accounts for business purposes, and maintaining backups?
- do staff know how to report issues and incidents?
- Incident management
- does the trust have an incident response and disaster recovery capability, with suitably trained staff?
- are there incident management plans and are these tested?
- are criminal incidents reported to law enforcement bodies?
- Information risk management regime
- is there a governance structure for managing information risk?
- do information professionals liaise with central government, stakeholders and suppliers to understand the threat?
- does senior management understand and engage with risk mitigation processes?
- Managing user privileges
- are there effective account management processes, with limits on privileged accounts?
- are use privileges controlled and monitored?
- is access to activity and audit logs controlled? Are these logs reviewed for unusual behaviour?
- Removable media controls
- is there a policy on the use of removable media (eg CDs, flash/pen drives, mobile phones, wireless printers)?
- are media scanned for malicious software (malware) before being linked to the system?
- Monitoring
- is there a monitoring strategy in place for all ICT systems and networks?
- do logs and other monitoring activities enable the identification of unusual activity that could indicate an attack?
- Secure configuration
- does a system inventory exist?
- are security patches applied regularly?
- is there a minimum defined baseline for all devices?
- Malware protection
- are there effective anti-malware defences in place across all business areas?
- is there regular scanning for malware?
- what changes have been made as a result of monitoring results
- Network Security
- is the network perimeter managed?
- do information professionals understand where the highest risk information assets are and how they are protected?
- are security controls monitored and tested?
It is worthwhile reviewing where potential system weaknesses are that could leave the trust susceptible to attack, and our experts are happy to advise on the subject.
We are here to help
If you would like more information, or have any academy school-related questions, please contact Kimberly Simmons on k.simmons@uhy-uk.com or your local UHY academy expert. Alternatively, to read more academy schools blogs please click here.
