December 14, 2021

Would your school pass or fail the cyber security exam?

Mitch Field

Lessons learned from the K-12 Education sector

Since early 2020, Australian schools have demonstrated remarkable adaptability and innovation, but they are also now at the forefront of a less than welcome trend.

In a July 2021 report, education was found to be the industry attacked most by global cybercriminals, with a rise of 17% from the first half of the year [1]. Little wonder, then, that as the government moves to mandate adherence to the ACSC’s Essential Eight security measures, education is high on the list for compliance. It is a test that has challenged most government entities. So, are schools ready for the task ahead, or do they need some extra study to lift their grades?


Over the last 20 years, school IT leaders have guided their organisations into the digital era, and the role of technology in the classroom has evolved dramatically. Even before COVID-19, students were largely moving from notebooks and textbooks to paperless learning. Most schools adopted a tactical (and sometimes haphazard) approach, doing what they could to stretch resources to deliver the best student learning environment.

Undoubtedly, schools are responsible for highly sensitive data, and the 2020 ransomware incident involving a NSW Grammar School was a wake-up call. ICT managers have been pleading for additional funding from their boards and councils to bolster security, but many feel they are shouting into a void. The Essential Eight mandates may help to progress the conversation more urgently, so while challenging, we see this as a good thing. With specialist security expertise in short supply though, the task is far from simple.

Social Studies:

Of the 60+ schools that I have met with recently, four distinct “tribes” have emerged:

  1. No Vulnerability Assessment / Pen-Test within the last three years.
  2. A focus on adopting the Essential Eight Maturity (Level 1) Framework within 12 months.
  3. A focus on better utilising the Microsoft suite to increase cyber maturity.
  4. Those who have the above covered and are actively exploring plans for business continuity, disaster recovery and incident response.

The split across the groups is around 50:20:20:10.


With schools experiencing growth, many invested capital funds in building programs, with university-style buildings, flexible classroom spaces, new gyms and performing arts centres at the top of the must-have list. To be fair, a significant portion of these facilities were funded by government grants, benefactors, and fundraising. Schools’ reputations hinge on campus facilities, teachers, curriculum, and co-curricular programs, so it makes sense.

However, at the same time, cybersecurity tops the risk register for many school councils and boards, with the leaking of personally identifiable information of parents, custody arrangements, and student data an enormous concern. Despite the danger, little is currently spent on understanding cybersecurity risks, so why doesn’t this add up to action?

From experience, there are two major factors:

  1. IT people have difficulty explaining risk to school councils/boards, who become overwhelmed or confused by cyber issues.
  2. A perception that our school wouldn’t really be a target and that IT just wants “a new toy to play with”.

Physical Education:

As any great PE teacher will tell you, training and preparation are the keys to success on the sports field. The same applies to cybersecurity. Many large organisations seldom do incident response plans, let alone schools. However, many valuable lessons can be learned by rehearsing cyber incidents in a safe environment, before the event. Uncover the oversights in your systems, processes or people now, before the real disaster hits. Regularly testing your Disaster Recovery, Business Continuity and Incident Response Plans will prepare you to enter the contest with cybercriminals with confidence that you can win.

Homework/Exam Prep:

Few things are more stressful than being in the middle of a cyber incident, locked out of your own systems, juggling demands for ransom payment and a school at a standstill. Here’s some prep work that should be made a priority. As one of my teachers often said, “You will be examined on this at some point, so you’d better understand it.”

  1. Understand your biggest risks. Get an external party to do a broad vulnerability assessment of your current state. What high-risk vectors are likely to be exploited? An Essential Eight assessment will identify the top priorities.
  2. Have an end-state in mind. Schools have finite budget and resources, so you cannot address everything. For example, an Australian private school group has mandated its schools achieve Essential Eight (Level 1) by June 30, 2022. Our ‘Guide to the ACSC’s Essential Eight Maturity Model’ can help you understand and achieve Maturity Level 1.
  3. Optimise your Microsoft licensing to uplift maturity. Most schools under-utilise the capabilities of their Microsoft Suite (usually A3). There are additional capabilities worth considering in both A5 Security and full A5, with Microsoft-funded*, partner-delivered workshops so you can try before you buy. Compare Microsoft 365 licensing options here, or see the list of workshops your school may be eligible for.
  4. Read the cyber insurance fine print and seek your own advice! Some insurers no longer offer cyber insurance, while many others have onerous T&Cs full of legal jargon. At a high level, insurers are normally looking for commitment to cybersecurity over time (regular assessments, certifications, cyber security programs), so ensure you’re meeting their requirements or you may find yourself high and dry if, or more likely, when crunch time arrives.

Do these four things and you will have a good foundation to inform future technology projects and make a stronger business case for resourcing and budget. This is essential preparation for any school’s cybersecurity test.

Need some specialist advice to implement the Essential Eight and pass the cybersecurity test with flying colours?

Ask us about an Essential Eight Assessment today.

As Microsoft’s largest Australian partner, Data#3 also offers a range of free Microsoft 365 workshops to approved customers. There are 12 workshops including threat protection, securing identities, sensitive data, endpoint management and much more – talk with our security experts to book your free workshop today.