Further Education and Schools: Cybercrime

(asked on 11th March 2025)

Question to the Department for Education:

To ask the Secretary of State for Education, whether her Department holds data on the number of ransomware attacks against schools and colleges in the last three years.


Answered by
Stephen Morgan
Parliamentary Under-Secretary (Department for Education)
This question was answered on 7th April 2025

Educational settings in England are responsible for maintaining their IT systems and cyber security. There is currently no mandatory reporting requirement legislation for schools to report a cyber attack and no central register of cyber attacks exists. However, the department has been notified of 53 ransomware cases across the sector over the last 3 years.

The department has a small, dedicated sector cyber security team to support the education sector. The team provides appropriate guidance and advice, via regular targeted and broad communications, to help schools adhere to and maintain good cyber security standards. The department provides guidance for schools and colleges on how to help protect against a cyber incident, which can be found at: https://www.gov.uk/guidance/meeting-digital-and-technology-standards-in-schools-and-colleges/cyber-security-standards-for-schools-and-colleges.

The department also works closely with the National Cyber Crime Security Centre (NCSC) and Joint Information Systems Committee (JISC) to ensure that up-to-date cyber security guidance is shared with schools, colleges and universities.

Further guidance on cyber security for schools can be found at: https://www.ncsc.gov.uk/section/education-skills/cyber-security-schools.

The department’s Risk Protection Arrangement (RPA) has more than 9,900 member schools, which is 52% of eligible schools in England, and is including cover for cyber incidents as standard from the 2022/23 membership years. In the event of a cyber incident, RPA members have access to a 24/7 Incident Response Service.

The department’s dedicated sector cyber security function provides advice in response to cyber security enquiries and incident reports from the sector, liaising with the affected institution following an incident to advise on steps to mitigate the threat and provide guidance on recovery.

The department adheres to the NCSC guidance on payment of ransoms and does not encourage, endorse nor condone the payment of ransom demands in response to a ransomware attack. This guidance is outlined at: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks.
