Cyber Security Matters in Schools
Why Cyber Security Matters in Schools
In an increasingly digital world, schools are more connected than ever—using online platforms for teaching, communication, and administration. With this connectivity comes the critical need to protect sensitive data, ensure safe access to systems, and defend against cyber threats.
Cyber security in education is essential to:
- Protect student and staff data from breaches and misuse
- Prevent disruption to learning caused by malware, phishing, or ransomware attacks
- Ensure compliance with data protection regulations
- Promote digital confidence among staff, students, and parents
- Safeguard school infrastructure from evolving cyber threats
Key areas of focus include:
- Strong password policies and multi-factor authentication
- Regular system updates and patching
- Monitoring for suspicious activity and risky sign-ins
- Blocking malware and phishing attempts
- Secure data backups and recovery plans
- Educating staff and students on cyber awareness
Schools in Norfolk can access a wide range of trusted resources to support their cyber security efforts as below:
- Cyber Security Overview
- Cyber Security for Governors
- Cyber Security Introduction
- General Cyber Security Resources
- Eastern Protect Police-Led Initiative
- Teaching & Learning Resources
External partner, Secure Schools also offer:
https://partner.secureschools.com/norfolk-ict-solutions - access to 30 day free trial
By prioritising cyber security, schools can create a safer, more resilient digital environment for everyone in the education community.
Why Implement MFA?
- Enhanced Security: MFA significantly reduces unauthorised access risks by requiring additional verification beyond passwords.
- Regulatory Compliance: Many cybersecurity guidelines now recommend or mandate MFA for educational institutions.
- Protection of Sensitive Data: Schools manage confidential student and staff records, making secure authentication a necessity.
- Mitigating Cyber Threats: MFA helps defend against phishing attacks and stolen credentials, preventing costly security breaches.
MFA Option | Description | Potential Additional Costs | Product Examples |
|---|---|---|---|
SMS-Based Authentication | Users receive a one-time code via text message to verify their identity. | Low-cost option but may require integrating SMS services, with minor carrier fees. | Microsoft Entra MFA via SMS, Google 2-Step Verification via SMS. |
Authenticator Apps | Generates temporary login codes on mobile devices for authentication. | Free apps, but may require training and support for staff and students. | Microsoft Authenticator, Google Authenticator, Authy. |
Biometric Authentication | Uses fingerprints or facial recognition for identity verification. | Requires specialized hardware (fingerprint scanners or cameras), increasing upfront costs. | Windows Hello, Apple Face ID, Android Biometrics. |
Physical Security Keys | A small physical device used for verification during login. | Requires purchasing security keys, estimated at £30-£50 per user. | YubiKey, Google Titan Security Key, Feitian Security Keys. |
Email-Based Verification | Sends an authentication code to registered email accounts. | No direct cost but relies on secure email systems with proper spam filtering. | Microsoft 365 email authentication, Google Gmail MFA. |
Microsoft and Google MFA Options
MFA Option | Description | Device App or Browser App | Microsoft Licence Requirement | Google Licence Requirement | Potential Additional Costs | Examples |
|---|---|---|---|---|---|---|
Conditional Access Policies | Enforces risk-based authentication based on user, device, and location. | Works across device apps and browser apps. | Microsoft Entra ID P1/P2 (previously Azure AD Premium). | Google Cloud Identity Premium. | Licensing costs depend on existing agreements. | Microsoft Entra Conditional Access, Google Cloud Conditional Access. |
SMS-Based Authentication | Sends a one-time code via text message for verification. | Browser app and mobile app compatible. | Available in Microsoft Entra ID Free. | Available in Google 2-Step Verification. | Minor carrier fees may apply. | Microsoft Entra MFA via SMS, Google 2-Step Verification via SMS. |
Authenticator Apps | Generates temporary login codes on mobile devices for authentication. | Device app-based authentication. | Included in Microsoft Entra ID Free. | Included in Google Workspace. | No direct cost, but training may be required. | Microsoft Authenticator, Google Authenticator. |
Biometric Authentication | Uses fingerprints or facial recognition for login verification. | Device app-based authentication (requires compatible hardware). | No specific licence required unless integrated with Conditional Access. | Integrated into Google Advanced Protection Program. | May require biometric hardware. | Windows Hello, Apple Face ID, Google Biometrics. |
Physical Security Keys | A hardware key used for secure authentication. | Works with browser apps and device apps via USB or NFC. | Supported in Microsoft Entra ID P1/P2. | Supported in Google Workspace for High-Security Access. | Security key purchase (~£30-£50 per user). | Yubikey, Google Titan Security Key. |
Email-Based Verification | Sends an authentication code via email for login verification. | Works primarily with browser apps. | Available in Microsoft Entra ID Free. | Available in Google Workspace. | No direct cost but depends on secure email filtering. | Microsoft 365 email authentication, Google Gmail MFA. |
Passkeys Authentication | Eliminates passwords, using device-based authentication. | Works on both device apps and browser apps. | Passkey support integrated into Microsoft accounts. | Available in Google Passkeys. | No direct cost but requires device compatibility. | Windows Hello, Android Passkeys, Apple Passkeys. |
Here's a breakdown of the advantages and disadvantages of each Multi-Factor Authentication (MFA) option:
MFA Option | Advantages | Disadvantages |
|---|---|---|
SMS-Based Authentication | Easy to set up and widely accessible. No additional apps or hardware required. | Vulnerable to SIM swapping and phishing attacks. SMS messages are not encrypted, making them less secure. |
Authenticator Apps | More secure than SMS-based MFA. Works offline and does not rely on mobile carriers. | Requires users to install and configure an app. If a device is lost, access may be difficult without backup codes. |
Biometric Authentication | Highly secure and convenient. Difficult to replicate or steal. | Requires compatible hardware (fingerprint scanners or facial recognition cameras). Privacy concerns regarding biometric data storage. |
Physical Security Keys | Extremely secure and resistant to phishing attacks. No reliance on mobile networks or passwords. | Requires purchasing security keys, which can be costly. If lost, recovery can be challenging. |
Email-Based Verification | Simple to implement and does not require additional hardware. | Vulnerable to email account compromise. Relies on email availability, which can be affected by outages. |
Conditional Access Policies | Provides dynamic security based on user risk, device, and location. Reduces unnecessary authentication prompts. | Requires advanced configuration and licensing (Microsoft Entra ID P1/P2 or Google Cloud Identity Premium). May require IT expertise. |
Passkeys Authentication | Eliminates passwords, reducing phishing risks. Works across multiple devices seamlessly. | Requires device compatibility. Adoption is still growing, and not all services support passkeys yet. |
Each option has its strengths and weaknesses, and the best choice depends on your school's security needs and budget.
