2. Teach Good Practices
Remind staff regularly about good security practices, especially when the risk or the policy changes. If you use social media, you should ensure that all staff know that no sensitive material should be disclosed and that users behave responsibly while using it, bearing in mind that they directly or indirectly represent the school.
3. Protect your Network and Devices
Make sure that any router supplied by your Internet Service Provider (ISP) has a firewall built in, and check that it is actually switched on. Limit who knows the router's password to those who really need to know. Install modern security software from a mainstream supplier such as Symantec, Sophos or Kaspersky on your PCs, Macs and laptops. Preferably use a suite that combines anti-virus, anti-spam, identity protection and other protection, because a single suite is generally easier to manage than separate products.
4. Manage IT Access
Don’t write passwords down or share them between users. Use a different password for each application. Some security software providers offer password ‘vaults’, which generate complex passwords and store them in encrypted form so you don’t have to remember them. Limit administrative privileges on your network and devices to those who really need them. Administrative rights are sometimes granted to ordinary accounts when software is installed, so check for this.
5. Keep Your IT Up-To-Date
Document your IT assets so you know what you’ve got. IT assets include hardware, software and even key IT staff. Install software and operating system patches, firmware updates and similar fixes as soon as they are issued. Ensure all software is licensed.
6. Use of Removable Media
If you transfer data using CD, DVD, USB, SD or any type of flash memory drive:
• Only permit school-issued and controlled devices in your systems.
• Issue, retrieve and track the devices - know where they all are, who has them and, ideally, what software is on each.
• Ensure they are encrypted and scanned for malware on each use. Many commercial anti-malware packages have the ability to scan removable media.
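Sections 5 and 6 both come down to keeping a register and checking it: which software is behind the current release, which installs are unlicensed, and which removable media are issued, to whom, and whether they are encrypted. The code below is an added example, not part of the original article; every hostname, product, version, serial number and person in it is constructed sample data, and the "current versions" list stands in for what you would maintain from vendor release notes.

```python
from dataclasses import dataclass, field
from typing import List, Optional


def parse_version(text: str) -> tuple:
    """Turn '10.2.15' into (10, 2, 15) so versions compare numerically,
    not as strings (where '9.0' would sort after '10.0')."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class SoftwareAsset:
    name: str
    installed: str      # version currently installed
    licensed: bool


@dataclass
class Host:
    hostname: str
    software: List[SoftwareAsset] = field(default_factory=list)


@dataclass
class RemovableMedium:
    serial: str
    issued_to: Optional[str]   # None means it should be back in storage
    encrypted: bool


# Constructed sample data: current releases you would keep up to date.
CURRENT_VERSIONS = {"Office Suite": "16.0.4", "PDF Reader": "2.3.1", "Browser": "120.0.1"}

# Constructed sample register of hosts and the software on each.
HOSTS = [
    Host("staffroom-pc1", [SoftwareAsset("Office Suite", "16.0.4", True),
                           SoftwareAsset("PDF Reader", "2.2.0", True)]),
    Host("library-laptop", [SoftwareAsset("Browser", "119.0.0", True),
                            SoftwareAsset("Office Suite", "16.0.4", False)]),
]

# Constructed sample register of school-issued removable media.
ISSUED_MEDIA = [
    RemovableMedium("SCH-USB-0001", "Ms Patel", True),
    RemovableMedium("SCH-USB-0002", None, True),
    RemovableMedium("SCH-USB-0003", "Mr Jones", False),
]


def outdated_software(hosts, current=CURRENT_VERSIONS):
    """(hostname, software, installed, current) for every install behind the current release."""
    findings = []
    for host in hosts:
        for sw in host.software:
            latest = current.get(sw.name)
            if latest and parse_version(sw.installed) < parse_version(latest):
                findings.append((host.hostname, sw.name, sw.installed, latest))
    return findings


def unlicensed_software(hosts):
    """(hostname, software) for every install recorded as unlicensed."""
    return [(h.hostname, sw.name) for h in hosts for sw in h.software if not sw.licensed]


def media_needing_attention(media):
    """Serials of issued media that are not encrypted and must be recalled."""
    return [m.serial for m in media if not m.encrypted]


def is_permitted_medium(serial, media=ISSUED_MEDIA):
    """Allowlist check: only a school-issued, encrypted medium on the register may be used."""
    return any(m.serial == serial and m.encrypted for m in media)


if __name__ == "__main__":
    print("Out of date:", outdated_software(HOSTS))
    print("Unlicensed:", unlicensed_software(HOSTS))
    print("Recall:", media_needing_attention(ISSUED_MEDIA))
    print("Unknown stick permitted?", is_permitted_medium("UNKNOWN-9999"))
```

The allowlist check is the policy decision; enforcing it on a real machine is done by the operating system's removable-storage controls or endpoint software, which would consult a register like this one.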
7. Mobile Working
The use of mobile devices should require top-level approval. Such devices must, at a minimum, have:
• Anti-malware software installed and updated daily.
• A PIN, password or other authentication enabled.
• Encryption, wherever possible.
• The ability to be remotely tracked and wiped.
8. Using the Cloud
Cloud computing can simplify your IT operations, but there are risks. Outages in service are no longer within your own ability to fix. Data leakages are no longer within your remit to control. Security policies are no longer necessarily yours to decide and to enforce. You cannot outsource or “cloudify” all aspects of computer security. Remember that all data stored in the cloud or processed using cloud-based applications is available to the bad guys. Where you use data storage, applications or other services provided by another business, choose one whose security has been independently audited.
9. Incident Management and Business Continuity
Document any incident and decide what caused it, how much it cost to fix and whether there is anything you could do better in future. Make sure you know what to do on the catastrophic failure of anything critical to your school, such as information, applications, systems or network. Don’t wait for an incident to try out the plan.
10. Further reading
The government has recently published online cyber security guidance for businesses covering the basic elements of technical cyber security.
Do you have any essential tips to add? Share them below!