Cyber Security: A Guide For Education Providers

Firewalls, data back-ups and training staff to verify email senders are some of the actions colleges should take to protect themselves against cyber-attacks, according to new UK government guidance. 

The Education and Skills Funding Agency (ESFA) has published the advice after colleges fell victim to phishing scams earlier this year, in which fraudsters sent genuine-looking emails to trick people into sending money or private information.

As well as the tips, the ESFA release warns providers that they “retain responsibility to be aware of the risk of fraud, theft and irregularity and address it by putting in place proportionate controls”. Phishing scams and malvertising – where malicious code is downloaded onto a victim’s computer after they click on, or even just hover over, an advert online – are the two traps the ESFA has specifically warned providers about.

Five Strategic Questions for Education Providers
Academy/college audit committees and the management of independent training providers (ITPs) should use the following high-level questions, based on government guidelines and industry standards, as a starting point to consider cyber risk in their organisation.

As part of its assessment, the audit committee or ITP management should also consider the quality of the evidence underpinning any assurances provided.
1. Information held
Does the organisation have a clear and common understanding of the range of information assets it holds and those that are critical to the business?
2. Threats
Does the organisation have a clear understanding of the cyber threats it faces and of its own vulnerabilities?
3. Risk management
Is the organisation proactively managing cyber risks as an integrated part of broader risk management including scrutiny of security policies, technical activity, user education/testing and monitoring regimes against an agreed risk appetite?
4. Aspects of risk
Does the organisation have a balanced approach to managing cyber risk that considers people (culture, behaviours and skills), process, technology and governance to ensure a flexible and resilient cyber security response?
5. Governance oversight
Does the education provider have sound governance processes in place to ensure that actions to mitigate threats and maximise opportunities in the cyber environment are effective?
The guidance goes on to list 10 “cyber security tests”, based on the National Cyber Security Centre’s ‘10 steps to cyber security’ guide.

As well as verifying email senders before sending payment or data, college staff should be trained to ensure they “understand the risks of using public Wi-Fi” and “understand the risks of not following payment checks and measures”, according to the ESFA.

In one incident, fraudsters running a phishing scam compromised the email account of principal Chris Nattress and sent his contacts a link to “review and sign”. When contacts replied to the email to ask whether it was genuine, the fraudster, still in control of the mailbox, replied that it was. They also altered the college’s phone number in the email signature by one digit and added a made-up mobile number, so that contacts could not verify the request by phone either. The college’s digital team identified the compromise before any staff reported a problem. The practical lesson is that a verification request sent back along the same channel proves nothing once the mailbox itself is compromised: a payment or signature request should be confirmed by calling a number already held on record, not one taken from the email in question.
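The incident above turns on a detail that sender-authentication checks cannot catch: the mail came from the genuine mailbox, so SPF, DKIM and DMARC would all pass, and the only tell was a landline number one digit off the college’s real one plus a mobile number the college had never published. The following Python script is an added example, not code from the ESFA guidance or from the college; it extracts every phone number found in an inbound message and compares it against a directory of numbers held on record, flagging near-misses (a known number with a few digits changed) and unlisted numbers. The directory, the sample messages and the near-miss threshold are constructed assumptions for the example.

```python
"""Flag inbound email whose signature contact numbers do not match an
independently maintained directory.

Added example, not from the ESFA guidance or the affected college; the
directory, threshold and sample messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: sender domain -> phone numbers verified out of band
# (from the provider's own records, never from an inbound email).
TRUSTED_DIRECTORY = {
    "example-college.ac.uk": {"01900123456"},
}

# UK-style numbers: +44 or a leading 0, then 9-10 digits with optional separators.
PHONE_RE = re.compile(r"(?:\+44[\s-]?|0)(?:\d[\s-]?){9,10}")
NEAR_MISS_MAX = 2  # assumed: this many changed digits still counts as "close"


def normalise(number):
    """Strip separators and fold a +44 prefix to the domestic 0 prefix."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("44"):
        digits = "0" + digits[2:]
    return digits


def extract_phones(text):
    """All distinct normalised phone numbers found in a block of text."""
    return {normalise(m.group(0)) for m in PHONE_RE.finditer(text)}


def substitutions(a, b):
    """Number of differing digit positions, or None if the lengths differ."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))


def check_message(raw):
    """Return findings for one RFC 5322 message string.

    kinds: "unknown-domain" (no directory entry for the sender's domain),
    "near-miss" (a known number with up to NEAR_MISS_MAX digits changed),
    "unlisted" (a number the directory has never seen, e.g. a made-up mobile).
    """
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    if not isinstance(body, str):
        body = ""  # multipart handling is out of scope for this example
    known = TRUSTED_DIRECTORY.get(domain)
    findings = []
    for phone in sorted(extract_phones(body)):
        if known is None:
            findings.append({"kind": "unknown-domain", "number": phone})
            continue
        if phone in known:
            continue
        distances = {k: substitutions(k, phone) for k in known}
        closest = min((k for k, d in distances.items() if d is not None),
                      key=lambda k: distances[k], default=None)
        if closest is not None and distances[closest] <= NEAR_MISS_MAX:
            findings.append({"kind": "near-miss", "number": phone, "closest": closest})
        else:
            findings.append({"kind": "unlisted", "number": phone})
    return findings


# Constructed sample messages (not the real incident emails).
LEGITIMATE = """From: Principal <principal@example-college.ac.uk>
Subject: Board minutes

Please find the minutes attached.

Principal's Office
Tel: 01900 123456
"""

SUSPICIOUS = """From: Principal <principal@example-college.ac.uk>
Subject: Document to review and sign

Please review and sign: https://example.invalid/sign

Principal's Office
Tel: 01900 123457
Mob: 07700 900123
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("suspicious", SUSPICIOUS)):
        print(label, check_message(raw) or "no findings")
```

Run as-is, the legitimate message produces no findings, while the suspicious one is flagged once for a near-miss landline and once for an unlisted mobile. The directory has to be populated from the provider’s own records and confirmed out of band; if it were built from signatures seen in email, an attacker who already controls a mailbox could poison it with the very numbers the check is meant to catch.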

Education providers were first warned about phishing in an ESFA update in June, which said some had suffered “financial losses” after falling for this type of scheme, but it is unclear how many.

This is not the first time education providers have been targeted: in 2014, emails purporting to come from the Skills Funding Agency were sent to providers, asking them for details that would have allowed the fraudster to take money from the provider’s bank account.

Sources: FE Week, Gov.uk. Image: Nick Youngson
