Summary of "NCSC Cyber security training for school staff"
Overview / main ideas
- Schools depend heavily on technology (email, lesson plans, MIS, online services); loss of access can cause serious disruption.
- A cyber incident is any negative impact on systems, processes, or people that is caused through IT, whether deliberate or accidental.
- Technology/IT teams reduce risk but are not foolproof; staff awareness and behaviour are often the best defence.
- Schools face a mix of external and internal threats: targeted and untargeted attacks, social engineering, organised cyber‑criminals, opportunistic malware, insider mistakes or malicious insiders, and curious or malicious pupils.
- Accidental incidents (misplaced USBs, emailing the wrong person, reused passwords) are more common than deliberate insider attacks and are a major cause of ICO reports.
- Training non‑IT staff is important but underused (65% of schools do not train non‑IT staff).
Key statistics from the school cyber‑security audit
- 83% of schools had experienced some type of cyber incident or attack.
- 69% of schools reported a phishing attack (the single most common attack).
- 97% said losing access to IT would cause considerable disruption.
- 65% do not train non‑IT staff on cyber security.
Why schools are targeted
- Schools hold sensitive, monetisable personal data (pupils, parents, staff).
- Schools process financial transactions, often authorised by a small number of staff — a single compromise can enable financial fraud.
- School IT teams may not be cyber‑security specialists; schools may run older or vulnerable software and hardware.
- Busy teaching environments and competing priorities can mean good security practices are overlooked.
Illustrative case studies
- Ransomware: attackers phoned pretending to be the Department for Education, then encrypted the school’s data, causing days of outage.
- Phishing / fraud: attackers used phishing to steal money and sell parents’ personal details; affects all types of education providers.
- Widespread malware: WannaCry (attributed to North Korea) spread through a Windows SMB flaw for which Microsoft had already released a patch; it demonstrates how unpatched vulnerabilities can cause large, untargeted disruption.
- Pupil breach: a pupil accessed the MIS when a teacher left a password visible; password reuse gave access to thousands of records — incident reported to the ICO.
- Disgruntled employee: rare but real — staff with access caused damage; lesson: remove access promptly when staff are suspended or leave.
- Accidental data breach: unencrypted or non‑school USB lost or stolen containing sensitive data.
Four main defence areas and practical actions
1) Defend against phishing (email, text, social media, phone)
- What phishing is: fake messages that try to obtain credentials, trick you into clicking malicious links, or open infected attachments.
- Common tactics: urgency, claimed authority, pressure, unusual wording, or quoting a stale or leaked password to appear credible. Poor spelling and grammar are no longer a reliable tell; a well-written message can still be phishing.
- Reduce your digital footprint: review privacy settings and avoid posting detailed role/school information online, especially for staff who handle finances or sensitive data.
- Know normal processes: understand your school’s invoice and approval procedures so unusual requests stand out.
- Verify requests: don’t be embarrassed to check — call a known number or contact the sender through an independent channel.
- Report early: if you click a suspicious link or open an attachment by mistake, report immediately to your IT team or line manager — early reporting limits harm.
2) Use strong, unique passwords
- Create strong passwords: long and hard to guess; the NCSC's recommended pattern is three random words (unrelated to you and to each other), optionally with numbers or symbols.
- Use separate passwords for work and personal accounts — do not reuse school passwords elsewhere.
- Check breaches: use Have I Been Pwned (https://haveibeenpwned.com) to see whether your email addresses appear in known data breaches, and change the affected passwords (and anywhere they were reused) if they do.
- Enable two‑factor authentication (2FA) for important accounts (banking, email, social media, and school accounts).
- Store passwords securely: use a reputable password manager or the browser's built-in password vault; if you must write passwords down, keep the note locked away and separate from the device.
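The Have I Been Pwned lookup above is an account (email address) check. The same site's Pwned Passwords service lets you test a password itself without sending it anywhere: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known suffix for that prefix, and matches locally (k-anonymity). The script below is an added example, not part of the NCSC training. The range endpoint (https://api.pwnedpasswords.com/range/{prefix}) and the `Add-Padding` header are the real, documented API; the response body used here is constructed so the example runs offline, and the counts in it are made up.

```python
"""Offline demonstration of the k-anonymity range lookup used by
Have I Been Pwned's Pwned Passwords service.

Added example, not part of the NCSC training.  CONSTRUCTED_RESPONSE is a
made-up stand-in for the service's reply; the real service returns several
hundred 'SUFFIX:COUNT' lines for any prefix.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"  # documented endpoint


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Only the 5-character (20-bit) prefix ever leaves the client."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Tolerates blank lines and CRLF.  Entries with count 0 are padding that the
    service adds when 'Add-Padding: true' is sent; they are dropped here.
    """
    suffixes: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            suffixes[suffix.upper()] = n
    return suffixes


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found).

    fetch_range(prefix) must return the response body text; it is injected so
    the same logic can run offline against a constructed reply.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the reply to prefix 5BAA6, the prefix of
# SHA-1("password").  The first suffix is the real remainder of that hash;
# the other lines and all counts are made up for the demonstration.
CONSTRUCTED_RESPONSE = """
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0031E92ED6A63D6B1D2A0F7F4F8C0B2F3A2:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call; returns the constructed reply."""
    assert len(prefix) == 5, "only a 5-hex-character prefix may be sent"
    return CONSTRUCTED_RESPONSE if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Real lookup (not exercised by the offline demo).  Add-Padding hides the
    true number of suffixes from anyone watching response sizes."""
    assert len(prefix) == 5
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery"):
        n = breach_count(pw, offline_fetch)
        status = f"seen {n} times in corpus" if n else "not in (constructed) corpus"
        print(f"{pw!r}: {status}")
```

To use it for real, pass `live_fetch` instead of `offline_fetch`; a non-zero count means the password is known to attackers and should be changed wherever it is used, even if your own accounts were not in the breach that exposed it.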
3) Secure devices and software
- Install updates and patches promptly; updates fix security flaws attackers exploit.
- Only download apps/software from official stores (Google Play, Apple App Store) or approved sources.
- Check app permissions and ensure apps accessing school data are necessary and permitted by policy (GDPR implications).
- Physically protect devices: use screen locks (PIN/password/biometric), enable device encryption where available, and back up important data (cloud or offline).
- Use school‑issued, encrypted USB sticks if removable media are required; never plug in unsolicited or "free" USB sticks, which may carry malware.
- Consult IT if unsure about device protection.
4) Call it out — report problems early and challenge weak security
- Report suspicious or unusual activity immediately to your IT team or line manager.
- Report even if you think you caused the problem — everyone makes mistakes and timely reports reduce damage.
- Don’t assume others will report; encourage a culture of prompt reporting.
- Challenge impractical or unsafe processes and policies so they can be improved.
Operational and policy recommendations (school level)
- Have and read your school’s IT security policy and acceptable use policy; ensure staff actions comply.
- Remove IT access promptly when staff are suspended, leave, or when temporary contracts end.
- Train non‑IT staff on cyber security basics and reporting procedures.
- Encourage a culture where staff feel safe to report mistakes and near‑misses.
Practical top‑line checklist (immediate actions)
- Review privacy settings on social media, professional networking sites, and apps.
- Know who to report unusual activity to (confirm with your line manager or IT team).
- Ensure devices are set to receive updates automatically where possible.
- For your most important accounts: set strong passwords and enable two‑factor authentication.
- Remove apps that did not come from an official app store or an approved source.
- Confirm your work account password is unique (not reused elsewhere).
- If security advice or policies are impractical, report this to IT or management so it can be addressed.
Speakers / sources featured
- National Cyber Security Centre (NCSC) — presenter of the training (part of GCHQ).
- GCHQ — parent organisation of the NCSC.
- Department for Education (England) — cited as an organisation impersonated in scams.
- Organised/online criminals — actors behind phishing, ransomware, and fraud.
- Foreign governments / nation‑state actors — example: WannaCry attributed to North Korea.
- Information Commissioner’s Office (ICO) — regulator for school data breach reporting.
- School IT team / IT support provider — responsible for technical security and updates.
- Case study actors: school victims, a pupil who accessed MIS via reused/visible password, a disgruntled staff member.
- Threat sources discussed: pupils and staff (accidental and malicious insiders).
- Tools/sites referenced: Have I Been Pwned (https://haveibeenpwned.com) for checking breached accounts.
Category
Educational