Your school keeps all kinds of personal and financial data that scammers would love to get their hands on. That’s why it’s important to protect your data with all the tools at your disposal. This guidance document explains the best ways to keep your data safe through responsible cyber security.


Backing up your data


Make sure you back up your data – it allows you to continue to function should the worst happen and disaster strike. What’s more, if you have a back-up in place, you can’t be blackmailed by cyber attackers.

Use these good practice tips to achieve back-up peace of mind:


Find the data you need to back up

Identify and record the data your school couldn’t function without. This is your essential data and it must be backed up ASAP.


Keep your back-up offsite

Your back-up should not be connected (physically or over a local network) to the computer holding the original data. Neither should it be accessible by staff. Keep your back-up away from the school to ensure its safety should a disaster cause the original records to be destroyed.


Use the cloud

Consider using the cloud for your back-ups. It might seem risky using a back-up connected to the wider world, but in fact cloud storage keeps your data safe in any eventuality and makes it available at any time and place. When choosing a cloud storage supplier, do your due diligence and make sure they comply with the GDPR.


Let the tech take care of it

Backing up data is boring. But there’s good news, most networks and storage solutions allow you to back up data automatically. Backing up data automatically saves time and prevents human error. Speak to your ICT team to make sure you are backing up data automatically wherever possible.


Stopping malware infiltration


Malware (malicious software) can infiltrate your software and cause all kinds of damage. These good practice recommendations can help you prevent malware damaging your school:


Use antivirus software

Most computers and laptops come with antivirus software. Often, people disable the software due to frustrations with inconvenient popups, long scanning times, etc. Don’t let staff turn off antivirus software, no matter how frustrating it may be. Keeping antivirus software turned on lets you spot problems early and hand the findings to the ICT team – allowing them to tackle the problem before it causes damage. Some computers are marketed as not requiring antivirus software, but this is not a guarantee and they are not impenetrable. No matter the make and model, play it safe and install antivirus software.


Only download apps you trust

Don’t download apps from unknown sources. Go through manufacturer approved stores, such as Google Play or the Apple App Store, to make sure your apps are safe.


Set your permissions sensibly

Staff permissions should be set to allow each staff member to carry out their role uninhibited, but with the lowest level of permission required. This prevents misuse or accidental damage occurring through downloading and using unsafe software.


Stay up-to-date

Keep all electronic equipment up-to-date with the latest versions of software (this is sometimes known as patching). All operating systems, programmes, phones and apps should be set to ‘automatically update’ where possible. At the end of its supported life, equipment should be replaced.


Use USB drives safely

Don’t share USBs if possible – it makes it difficult to know what they’ve been used for and what they contain. Try transferring files using alternative means (email or cloud storage) wherever possible, but remember to make sure the method is GDPR compliant.

If you need to use USBs, use antivirus tools and only allow the use of school-approved USBs.


Use a firewall

Make sure your firewall is switched on. Most operating systems have them and they prevent all kinds of potential damage. Speak to your ICT team if you aren’t sure whether your firewall is active.


Keeping mobile data safe


Always use a password

Make sure all school mobiles use passwords. Most phones don’t have passwords enabled “out the box,” so make sure they are enabled when given to staff.


Make sure they can be traced, locked or wiped

Mobiles can, and inevitably will, be lost, so make sure you can:

  • Track their location.
  • Remotely lock them.
  • Remotely erase the data.
  • Retrieve back-up data.

If you don’t know how to set up your phones to allow the functionality listed above, speak to your ICT team who should be able to set you up in minutes.


Keep phones and apps up-to-date

Make sure staff know how to spot pending software updates and install them, and make sure they know it’s important to do so right away. Any apps installed on phones should also be updated regularly to patch any security risks that have been discovered.


Don’t connect to unknown Wi-Fi hotspots

Public Wi-Fi is not always safe. When using public Wi-Fi, it’s possible for someone to access whatever you’re working on and even login details. Avoid using public Wi-Fi networks on mobiles where possible.

An alternative option is your 3G/4G network. This can easily be used for ‘tethering’ your laptop to the internet, or you could opt for a wireless ‘dongle’.

Where possible, use a virtual private network (VPN) that encrypts your data before it is sent over the internet.

Your ICT team will be able to advise you on the options available to you and provide you with the necessary equipment and access.


Protecting data with passwords


Always use unlock protection

Every computer, laptop and smartphone needs a password, pin or other unlock method. Make sure all staff have unlock protection enabled on all devices. 


Encrypt data where possible

Laptops and computers should have encryption turned on and configured. If the asset doesn’t have encryption built-in, use an encryption product. This will make your data useless for scammers if stolen.


Use password protection for important accounts

Important accounts, whether emails, services or folders, should have password protection in place.


Set up two-factor authentication (2FA) on the really big stuff

For your most important accounts, use 2FA. This requires two different methods to confirm your identity before you’re granted access – generally a password plus another method. This can be a pin number or, for online banking, a card reader.


Don’t use predictable passwords

Never use a default password, it’s far too predictable. In addition, never use the following popular passwords:

  • Password
  • Pa55word
  • Qwerty
  • 123456
  • 12345678
  • ABC123

For added security, choose a password that contains letters, numbers and symbols.


Prevent password overload

It’s important to make sure your important devices and accounts are password protected, but not everything requires a password. If it isn’t necessary, don’t use a password. Giving staff members too many passwords to remember is a problem they don’t need. Also, don’t force staff to change their passwords at regular intervals, it doesn’t make things any safer. Instead, only change passwords where foul play is suspected.

You may want to introduce a password manager tool that can store passwords via a ‘master password’. The master password can be an extra-complicated one, because it is the only one you need to remember.


Spotting phishing attacks


Be pro-active to ensure damage limitation

A successful phishing attack can cause significant damage, but you can put procedures in place to limit the damage an attack can do. Only provide staff with the minimum level of user rights required to do their job. Administrator accounts should not be used to check emails or browse the web; this way, even successful attackers cannot install software, access security settings or acquire important files.


Empower staff with knowledge and the confidence to ask questions

Phishing attacks commonly involve fake invoices containing malware sent via email, or confidence scams where staff are tricked into transferring money or information by sending emails pretending to be important individuals. Email filters attempt to send phishing emails to junk folders, but they cannot catch all of them. If you set your filter to be overly strict, it may start filtering out important emails that you really do need to be aware of. So, it’s important to arm yourself with the knowledge to spot the few that slip through the net.

To prevent attacks causing damage, make sure staff know what to look out for and who to talk to if they think an email is suspicious. Listed below are some common signs that something may be awry:

  • Is the email address legitimate? Scammers often present themselves as well-known entities such as banks and big businesses. Teach staff to check the full email address of senders, these normally contain long streams of nonsensical letters and numbers that you would never find in a legitimate email address.
  • Is it addressed to an individual or a ‘valued customer’ or ‘friend’? The use of generic addressees can be a sign that something isn’t right.
  • Does it urge you to act immediately? Again, this is a sign that the email could be fraudulent.
  • Is the spelling and grammar poor? This is another tell-tale sign that there may be a problem.

Most importantly, make sure staff feel they can ask questions whenever they arise without fear of feeling silly or worrying they are wasting time. Taking the time to ask a question can be the difference between staying safe and a data disaster.


Audit your digital footprint

Your school is required to publish certain information on your website, but could you be publishing too much? Too much information in the hands of a potential fraudster is a dangerous thing, as it allows them to appear genuine by mentioning real names, addresses, phone numbers, etc.

Encourage staff to think about their digital footprint. Don’t discourage creating an online presence, simply encourage them to consider whether the information they are publishing could be stripped of some of the more personal elements that are attractive to fraudsters.


Report all attacks

Staff should report all attacks, especially if they think an attack has been successful. Staff should not be punished for getting caught out, it will prevent them speaking up in future. The time spent scrutinising every email from there on in is likely to be more detrimental to your school than the attack itself.

If your school has been the victim of online fraud, scams or extortion, you should report it through the Action Fraud website.


What’s next?


You can use our Website Audit Checklist for Maintained Schools or MAT, Academy and Free School Website Information Checklist to see what’s required on your school website, and make a decision whether what remains leaves you in any danger or is safe and valuable.

Our Protecting Yourself from Online Fraud Leaflet for Pupils can help your school community stay safe online.

Access our Cyber Security Resource Pack for documents outlining and explaining measures for preventing and managing cyber security breaches in schools.




National Cyber Security Centre (2017) ‘Cyber Security: Small Business Guide’


Related terms: malware, scams, fraud, email, cyber-security, cyber crime, cyber-crime