The Number One Cyber‐Risk – Emails

Malicious emails are on the increase. Independent schools are a prime target for email attacks; a surprising number are unprepared and inadequately protected. Heads, Bursars, Governors and school leaders, although ultimately responsible, often have no idea if or how their school is protected from something as simple as a user innocently clicking on a link in an email that leads to open doors to Cyber Criminals.

The Cyber Criminals aim is to make money. They are ruthless and unrelenting, using advanced technologies and working 24 hours a day, seven days a week, 365 days a year to exploit whoever they can. These global criminals see UK independent schools and the families able to fund private education as high‐value and lucrative victims. Email systems are their favoured method of exploitation and their most frequent target, with an eye‐opening success rate, resulting in such things as data theft, ransomware, phishing and whaling.

The Impact of an Attack

A successful email cyber‐infiltration will have an enormous impact on a school. There are three ways to quantify this.

  1. ‐ Direct costs. A successful attack will be time consuming, difficult and extremely costly to tackle. Not only will your IT staff be working on this for days or weeks, other staff will be unable to do their jobs. The cyber criminals demand many thousands of pounds for a dubious promise of fixing the chaos they have caused. Incidents can also lead to extensive ICO investigations if personal data is accessed by hackers, substantial fines are a possibility.
  2. ‐ Reputational damage. Independent schools thrive on their well‐deserved and hard‐earned reputation. The damage caused by an email related cyber‐incident is widespread and often very public. Prospective parents, fee payers, and alumni may be among the victims, suffering fraud or personal data loss as a result.
  3. – Impact on people. Let us not forget that there can be many victims of an attack and cyber criminals will be extremely unpleasant and threatening. I know cases where pupils were targeted and told to pay up or their closest secrets and most personal photos will be shared online – this is devastating for the individuals involved.

Prevention Better Than Cure

There are some simple things that schools should do to take a preventive approach:

  1. – Review your existing email security systems.
  2. – Carry out a simulated phishing exercise.
  3. – Keep educating all staff and pupils.

Do One Thing TODAY

By far the biggest risk factor is a human one, someone innocently clicking on a dangerous but convincing link in an email. The best systems will reduce this risk massively by utilising a technique known as URL Sandboxing. If you ask only one question as a result of this article, I urge you to ask those responsible in your school how you are protected and whether this includes URL Sandboxing. I hope that you get a very positive and reassuring reply!

John Sainthouse spent many years as Head of IT at Charterhouse and Eton College, giving him a unique insight and enabling him to really understand the challenges that independent schools face. The opinions in this article are his own. He is a Director at RivaNET Limited, an IT services company, working exclusively with independent schools to solve their IT challenges. Contact John at or on Linkedin