23rd May 2022

Cybersecurity Schools Audit 2022

The London Grid for Learning (LGfL) is working with the National Cyber Security Centre (NCSC, part of GCHQ) to take a snapshot of the state of cybersecurity in all UK schools. Schools are being asked to complete a short survey which will help the DfE to target resources better to help schools combat the growing threat of cyber-attacks.

This audit builds on the 2019 cybersecurity schools audit, which examined the challenges that schools face and the strength of their defences against those challenges.

The Survey

The survey should take less than five minutes to complete requires only one response per school, so if you aren't the headteacher please check s/he has not already asked someone else to complete this audit. Audits should be completed before Tuesday 31 May 2022.

Schools Audit 2019

The 2019 audit revealed that;

  • Nearly all schools (97 percent) said that losing access to network-connected IT services would cause considerable disruption.
  • Only around a third of schools (35 percent) train non-IT staff in cyber security.
  • A focus on support for non-IT staff is a clear need, and it looks like this would be well received, with 92 percent of schools telling us they would welcome more cyber security awareness training for staff.
  • The vast majority of schools (83 percent) had experienced at least one of the types of cyber security incidents we asked about. For example, 69 percent of schools had suffered a phishing attack and 35 percent had experienced periods with no access to important information
  • All schools had at least some of the protective technologies or systems in place that we asked about.
  • 98 and 99 percent of schools, respectively, had antivirus and firewall protections.
  • There was relatively low use of strong cyber security practices such as mobile-device management and two-factor authentication.
  • 85 percent of schools had a cyber security policy or plan, but only 45 percent included core IT services in their risk register and only 41 percent had a business continuity plan.
  • Less than half of schools (49 percent) were confident that they are adequately prepared in the event of a cyber-attack.