top of page

Should school passwords be child's play?

Cyber-attacks against schools continue to be a concern across the Eastern region.

IMage of children playing with bricks

The reasons for this are fairly simple

  • Schools possess enormous quantities of high value and sensitive data that they may have to pay for to get back.

  • Schools’ networks and processes offer a lot of vulnerabilities through either underinvestment or weaknesses in their underlying processes. In many cases these vulnerabilities are caused by the necessity of having so many people and devices to attach to the network

A number of education ransomware alerts have been published by the National Cyber Security Centre throughout 2020 and 2021, and more are expected over the coming year. 1000s of schools have been attacked over the past few years and many have resulted in long term problems for the organisations affected, including the staff, students, and parents.


Whilst the rise in attacks was blamed partly on the pandemic and a rise in remote learning, the risk to schools will persist until they are provided with the tools to fight back. And these attacks are happening right now in our region. In the summer of 2021, a ransomware attack against schools in Kent actually caused several to close for several days whilst the data breach was resolved. And these cyber-attacks are continuing to affect schools and colleges every day in our region.


An online UK survey in 2022 from Cantium Business Solutions found that two-thirds (66 percent) of UK schools surveyed claimed to have suffered a cyber-attack in the last 18-months and only 35 percent felt strongly that they were well prepared to protect their school against malicious activity in the future.


How important are passwords?

According to Verzion, 80% of hacking-related breaches are linked to passwords making them a key target for criminals. Most people have a company email address which is going to be something like jo.bloggs@myschool.co.uk and this is frequently used as the username as well. So, with a little bit of research most people could figure out someone’s username.


Passwords are a little bit harder to guess, but research has shown that we are creatures of habits and there are a few things we all seem to do. When we are asked to add a number to a password, most of us will add the number to the end. Over half of users have their name or date of birth in their password or use other easily discoverable information such as pet’s, partner’s, or children’s name.


For work passwords we use the company name somewhere such as MySkool1. We tend to reuse passwords on multiple sites/systems, with employees reusing the same password an average of 13 times according to LassPass.


Criminals can create lists of these common passwords and then try the username/password combination to try and gain access to your systems. But they don’t just create these lists themselves, they harvest previously known passwords from other criminal’s data breaches, which is why the last statistic above is particularly important. If a password ends up as part of a data breach, then you must assume that everyone knows it, meaning you can’t use it anymore.


What can I do to protect my school?

See what passwords you and your staff have which are already known. Why not run a poll to see who has the most/least breaches? Haveibeenpwned.com is a website where you can enter your email address and telephone number and see if your information has been captured in a data breach. As a business owner you can also register your domain and get notified when your domain pops up in another breach.

  • Have a clear password policy for staff and tell them why having strong, unique passwords are essential. If you need some help with this, our affordable student services offer security awareness training. Why don’t you make a booking to discuss further?

  • Enable Two Factor Authorisation wherever you can, but especially on your emails and social media accounts. Even with the best passwords, once someone knows that password then the system is not secure. With 2FA, even if the password and username are known, the criminal won’t have access to the second verification factor so they shouldn’t be able to just “log in”.

  • If your staff have a lot of passwords to remember, consider getting an enterprise password manager so they only have to remember one and the password manager generates and remembers the rest – goodbye reused passwords. If you do look at this option, speak to the provider and see if they offer reduced public sector pricing. Some won’t advertise the fact but will offer a discount if they can.


And as you can see below, if you don’t use complex passwords, it won’t take long for the criminals to figure them out.


The below graphic represents the time to brute force a password using current technological capabilities.

Matrix showing that the longer and more complex passwords take longer to breach

What next?

The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of data and permanent loss of reputation. But all is not lost.

Here at the centre, we would advise you to do three things now

1. Join our free core membership by clicking here. You will be supported through implementing the changes you need to make to protect your organisation, staff, and students.


2. For all of schools across the Eastern region we would recommend that improve your overall cyber resilience through the free Little Steps pathway we provide to Cyber Essentials – the basic government backed kite mark standard for cyber security. And remember that a company operating under Cyber Essentials processes is 99% protected either fully or partially from today’s common cyber-attacks.

Join the centre as a free member and we will take you as far as the CE accreditation process. And if you want to pay for the assessment, we can refer you one of our Trusted Partners – all regionally based cyber security companies that can help you become accredited.


3. We would also recommend that you speak to your Managed Service Provider and / or website company to discuss how they can implement cyber resilience measures on your behalf.

Whatever you decide to do, doing nothing is no longer an option. Here at the ECRC we are already working closely with dozens of schools and academic institutions across the seven counties to help them tackle the continually changing cyber threats that they face. So come and join our community as free members and let us help you protect your organisations from the ever presents threats out there in the cyberverse.


Reporting a live cyber-attack 24/7

​If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.

Reporting a cyber-attack which isn't ongoing ​

Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040



The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page