Why cybercriminals target schools - and what to do about it

Most cybercriminals are motivated by one thing: money. Some want to cause disruption or gain notoriety, but the majority are after financial gain - either by tricking schools into transferring funds, or by stealing and selling personal data.

That second motivation is why cybersecurity and data protection are two sides of the same coin. When criminals target your school's data, they're targeting the personal information of your pupils and staff. Protecting that data isn't just good practice - it's a legal requirement.

Cybersecurity is a GDPR issue

The UK GDPR requires that personal data is processed securely, using appropriate technical and organisational measures. As attacks on schools increase, cybersecurity is one of the most important ways schools can meet that obligation.

The National Cyber Security Centre and the ICO developed a set of GDPR security outcomes built around four aims:

• Manage security risk
• Protect personal data against cyber attack
• Detect security events
• Minimise the impact

Three ways to align cybersecurity and data protection in your school

1. Talk about them together. They're not separate workstreams - treat them as one.
2. Train your data protection lead in cybersecurity. The overlap is significant and growing.
3. Help staff understand what attackers are actually after. When people know it's personal data at stake, the importance of vigilance becomes real.
   
   

When reporting a data breach to the ICO, one of the first questions they'll ask is whether a cyber attack caused it - and what measures you had in place. Being able to answer that confidently starts now.

Not sure where your school stands? Cyber score gives you a free, instant picture of your cybersecurity posture, mapped against the standards your school is already expected to meet.

Get started with cyber score here