REGULATORS ARE GETTING TOUGH
The threat of cyber attacks and data breaches continues to grow: a 2021 UK government report found that 39% of organisations had identified an attack in the previous year. Although a number of regulations and guidance documents are designed to help schools mitigate cyber security risk, many education establishments struggle to achieve and maintain compliance.
Compliance is nevertheless essential. Schools, colleges and universities must all ensure they meet the tougher cyber security regulations and standards that apply to them, for both safeguarding and data protection purposes.
Keeping Children Safe in Education
The new KCSIE guidance came into force on 5th September 2016, putting further emphasis on the need for all education professionals to understand that safeguarding is everyone’s responsibility. Each school needs to consider and review its safeguarding policies and procedures, particularly how it protects pupils and maintains its duty of care amid growing online threats to each student’s wellbeing. With the enhanced auditing requirements needed to meet KCSIE, schools now have to look much more closely at internet and social media traffic to identify children who may be at risk.
The Prevent Duty
In the summer of 2015, the UK government made Prevent (its full name is the Preventing Violent Extremism strand) a statutory duty for schools, childcare providers and further education establishments. Along with prisons, local authorities and NHS trusts, they are now under a legal obligation to “have due regard to the need to prevent people from being drawn into terrorism”. According to the government’s guidance, the day-to-day responsibilities of teachers and staff now include being able to spot children who might be vulnerable to radicalisation.
PCI-DSS
Schools are responsible for the security of payment card data shared with them, whether it is entered through their online systems or received and stored by any other means. The standard to which they are held is the Payment Card Industry Data Security Standard (PCI-DSS). Meeting the PCI-DSS requirements that apply to your school reduces the risk of card fraud; if card data is compromised and the school is found to be out of compliance, the card schemes and acquiring bank can impose hefty fines.
Data Protection Act
Under the UK Data Protection Act, every organisation that handles personal information about individuals has a legal obligation to safeguard that data. Personal data held on electronic media within educational institutions should be kept secure, encrypted, and its location and movement logged so that any theft or loss can be detected and accounted for. Where theft or loss does occur and the data was not encrypted, enforcement action may follow, including a fine of up to £500,000.
GDPR
The GDPR is the European Union’s latest step to strengthen data protection for EU citizens, including control over the export of their data outside the EU. With the demise of ‘Safe Harbour’, organisations that export and handle the personal data of European citizens will also need to comply with the new requirements or risk fines of up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements.
HELPING EDUCATION ESTABLISHMENTS TO CYBER SECURITY COMPLIANCE
The Department for Education has issued guidance for all schools and colleges.
Navigating the growing compliance requirements can be difficult without expert help. The right balance needs to be found between effective security, detailed monitoring and respecting the privacy and personal lives of students.
Infosec Partners have helped schools and universities achieve and maintain compliance with standards such as PCI-DSS and ISO 27001, and helped them to understand what needs to be done to meet statutory requirements such as Prevent, KCSIE and the Data Protection Act. Contact Infosec Partners today to find out more.