NCSC Alert: Rise in cyber attacks hitting the education sector


There has been a sharp rise in ransomware attacks for the whole sector including primary, secondary, further and higher education. Already, the industry has seen a lot of disruption with students only recently returning to the classrooms. The institutes hit have lost coronavirus testing data, financial records and students’ coursework. These ransomware attacks also eliminate communication throughout the institutes, taking systems offline, disrupting students’ learning and leading to the cancellation of events.

One example is Castle School Education Trust (CSET) who were infected in a highly sophisticated ransomware attack on the 16th March which affected 24 schools. Many systems have remained offline until this week.

The malicious actors identified by the NCSC for the attacks are:

Remote desktop protocol (RDP) configurations

Many institutes, like all sectors, had to quickly develop new infrastructures to accommodate remote working at the beginning of the pandemic. In many circumstances, a strategy planned over a period of time had to be quickly implemented, whereas some schools had no plans in place for these infrastructures. Functionality was more important at the time than security which has been a pit fall for many institutes. Cyber criminals can use brute force where other security protocols are weak, such as passwords, or phishing emails can be used to collect the sensitive information needed.

Our recommendation is that systems accessible with RDP are not made directly accessible from the internet. RDP Gateways could be used, but ideally, RDP, where absolutely necessary, should be accessed via a properly configured remote access VPN.

VPN vulnerabilities

Since the start of the pandemic, a huge increase in home working has seen organisations rushing to implement remote access solutions, such as remote access VPNs, to allow their workforce to access organisations resources.

This has happened at a time of increased disclosure of vulnerabilities affecting VPN technologies. This, combined with the possibility of misconfigurations due to speed of deployment has seen a huge rise in attackers exploiting VPNs as a means of gaining access to organisations.

Unpatched software

All institutes must have a strategy in place to manage vulnerabilities. The stages in a vulnerability management strategy are to assess, prioritise and manage software-based vulnerabilities. Prioritising weaknesses allows you to be able to patch the high-risk vulnerabilities first. There are different scoring systems that depend on the solution you are using; a common system is the CVSS score that rates vulnerabilities from low to critical.

Unsecured devices

All devices that access organisations resources must be included in the cyber security scope when evaluating risks. For example, any personal devices (e.g. mobiles or laptops) used to access work emails need to be included. Security protocols need to be implemented for these devices in your security strategy.

Phishing emails

A fraction of malicious emails manage to dupe email filtering systems. In one recent study, by Stanford University & Tessian reported that 1 in 4 employees admitted to clicking on a phishing email at work. Awareness training is crucial, not only is it important to share what possible threats there are but this is an opportunity to share any other security protocols such as password security. Content must be bespoke depending on the employee’s responsibilities or role, engaging, and flexible. Testing with realistic and up to date examples is key to the success of an awareness training programme.


At Data Connect, we deliver Cyber Security Assessments (CSA) to institutes looking to ensure that IT infrastructure and associated services are secure. We can help identify gaps in your security landscape and offer immediate security improvements including remediating ‘low hanging fruit’. A strategic roadmap is also included which will outline a strategy to mature your cyber security controls and help maximise your investment.

If you would like to find out more about the Cyber Security Assessments or have any queries regarding your cyber security, please send an email to or call on 01423 425 498.

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email