Earlier this year, we invited clients and other academy trust contacts to take part in a survey to establish the approach to cyber security across the sector.
The survey was created in response to a rise in cyber-attacks targeting educational establishments in recent years, and, with it being more important than ever to ensure that your trust is protected, we thought it would be useful to gain an understanding of the current landscape in terms of cyber security awareness and insurance practices.
We were delighted by the response rate, and the results of the survey, which come from trusts spread around the country, make interesting reading.
Survey overview
The survey attracted responses from trust of various sizes.
Size of academy trust (by number of schools)
Prevalence of cyber attacks in the academy sector
Around one in four trusts have been hit by a cyber-attack, highlighting just how prevalent these are across the sector.
Have you been hit by a cyber attack?
Larger trusts are generally more likely to be targeted
Size of trust | Have had a cyber attack | No cyber attack |
Single academies | 15% | 85% |
2 – 5 academies | 10% | 90% |
5 – 10 academies | 50% | 50% |
10+ academies | 57% | 43% |
This may be because the number of schools in the larger trusts means, by law of average, they are more likely to receive an attack at one of their schools, but it could also be an indicator that fraudsters are targeting larger trusts in the hope of causing greater problems.
Real life examples
The impact of attacks on a trust can be severe. Here are some of the responses:
- “Loss of data was curtailed as hack was identified early into process. Took around three days to recover and then a further 3 weeks to restore data.”
- “The actors infiltrated both our live databases and our back-ups (we were in the process of upgrading our backup processes to cloud based). We could not recover any data and had to rebuild the majority of our systems over a 2 month period.”
- “A £50k payment was sent to an incorrect bank account”
- “The attacks were directed through a generic email address at a school. One related to a change of bank details for a staff member which resulted in their salary being paid to the hacker. The other was an extraction of an invoice sent to an email address, the bank details and telephone number changed and when the school called the 'supplier' they were talking to the hacker. The combined value of both hacks was around £22k."
- “A ransomware attack resulting in the school's network being offline for a period of two weeks whilst services and data were restored from backup.”
The ESFA RPA scheme
Most respondents to the survey are members of the ESFA RPA scheme, which does include cyber cover as part of its package:
Large MATs were more likely to be members of the RPA, with 85% of the 10+ academy MATs in the scheme. At the opposite end of the spectrum only 46% of single academies were in the RPA.
The importance of the ESFA RPA scheme
Whilst it is good that the RPA scheme includes cyber cover, and more affordable than commercial insurance because the cyber cover is provided at no extra premium beyond the standard RPA membership fee, it is important that trusts understand the limitations of the cover. The RPA covers incidents like data breaches, cyber extortion and system recovery losses up to a specific limit. The RPA also provide access to incident response services, which can guide academies in managing and mitigating a cyber event. However the cover may be more limited than standalone commercial insurance.
Mandatory cyber security conditions for RPA cyber cover
For the RPA cyber cover to be effective, it is mandatory for trusts to comply with 4 cyber security conditions. Whilst the great majority of respondents were aware of these, slightly worryingly 15% were not. This was more likely to be the case in a single academy trust, and all respondents who answered ‘no’ were in a trust of 5 or less academies.
Aware of cyber security conditions?
The four conditions of the RPA cyber cover are:
- Your data must be safely backed up offline
- Your must complete the NCSC’s cyber security training for school staff
- Your trust or school must be registered with the Police CyberAlarm tool, which detects and provides regular reports of suspicious cyber activity and vulnerabilities.
- You must implement a cyber response plan, a plan for contingency and recovery in the event of a cyber-attack.
Most respondents were happy that their trust met these 4 conditions, although some, despite being aware of the requirements, were not fully confident that the conditions were met.
Confident trust is compliant with RPA's 4 cyber security conditions?
The 79% of respondents that answered ‘no’ were then asked which of the 4 conditions would concern them. Each of the conditions was given by at least one respondent, but the most common answer was the Police CyberAlarm, followed by the cyber response plan.
Why some trusts choose additional cyber cover
Around 1 in 4 trusts have separate or additional cyber cover, and of these 3 trusts are in the RPA and so have taken the decision to purchase additional cover to supplement what the RPA offers.
Separate cyber cover?
Various reasons were provided to explain the decision to purchase the separate or additional cover:
- “It is part of our commercial insurance arrangement and also in line with Digital Standards from the DfE.”
- “Covered automatically through the Local Authority, Solihull County Council”
- “Being aware of the increased risk”
- “The risk of an attack is too concerning to not have the additional cover.”
- “Knowing how devastating an attack could be.”
The trusts that named who their separate cyber cover is with are using Endsleigh or Zurich.
Of the 76% of trusts that do not currently have specialist cyber insurance cover, outside the RPA offering, just over 1 in 10 are considering taking out some specific cover.
Considering separate cyber cover where this is not already held
Conclusions
It is clear from the results that most trusts are very aware of the threat posed by cyber-attacks and fraudsters. Most trusts seem comfortable with the RPA cover at the moment, but it will be interesting to see whether further trusts take out additional, specific cover in the next few years, particularly as trusts expand and become more sophisticated.
If your trust is a member of the RPA scheme it is important that you check that you meet the four conditions, to give confidence that the cover will be available should you need it. Any trustees reading this should raise this at the next Audit Committee, Finance Committee or Full Board meeting. If your trust’s cyber response plan has not been reviewed recently, then this too should be appraised.
Cyber and data security can make an excellent internal scrutiny topic, so if this is not an area that you have had reviewed recently, we would urge you to consider adding this topic to your programme for the coming year.
Finally, a huge thank you to all respondents to the survey. Without you sparing your time, we would have no results to analyse and share!