Five common Cyber Essentials misconceptions for schools

Over the past four years, I’ve worked as a cybersecurity assessor, helping schools and businesses through hundreds of Cyber Essentials certifications. 

To cover the very basics, Cyber Essentials is a UK government-backed certification designed to help organisations, including schools and trusts, protect themselves from the most common cyber attacks. At its core, it’s a set of straightforward security controls that every organisation should have in place. Because it must be renewed annually, it helps ensure your school keeps on top of emerging risks rather than treating security as a one-off exercise.

There are a tonne of benefits to being Cyber Essentials certified; these are the main three for schools:

  1. Reassure your board or trustees that your IT infrastructure is secure
  2. Show your school community that cybersecurity is a priority
  3. Qualify for up to £25,000 in free cyber insurance (if your organisation meets the turnover and scope criteria)

Through all my conversations and consultations with schools, it’s clear that some core misconceptions about Cyber Essentials can make it seem impossible for a school to achieve, and they also highlight areas that many organisations overlook when applying for the certification.

Let’s run through the five most common misconceptions I hear from schools and trusts on a near-daily basis, with some explanations and clarifications that can help clear things up for anyone looking to get Cyber Essentials:

‘We need Multi-Factor Authentication to pass Cyber Essentials’

We always recommend that schools implement Multi-Factor Authentication (MFA) where available. However, you can’t fail Cyber Essentials on MFA alone.

Enabling MFA makes it significantly harder for unauthorised users to gain access to accounts: it adds an extra layer of protection and helps to defend accounts against password-based attacks such as brute force. It’s also part of the DfE’s Cyber Security Standards (which you can learn more about in our School Cybersecurity handbook here).

‘Students are exempt from credential and account sharing’

To pass Cyber Essentials, all user accounts must be unique and secured by distinctive credentials, including students and staff.

Unique logins are essential for accountability: a shared account cannot tell you who did what. The UK’s latest Keeping Children Safe in Education (KCSIE) guidance reinforces this stance; it mandates that schools and colleges have ‘appropriate filtering and monitoring systems in place and regularly review their effectiveness’.

‘We’re only a small school - we don’t need Cyber Essentials’

Cybersecurity, like safeguarding, plays a fundamental role in ensuring the safety and well-being of students and staff. Schools collect and store sensitive data, including students’ personal and safeguarding information and medical records.

Cybercriminals often target schools, exploiting gaps in security controls that stem from limited resources.

‘We can’t pass Cyber Essentials with unsupported or end-of-life software’

Unsupported software is software that no longer gets updates or support from its manufacturer. You can exclude devices with unsupported software from the network by putting them in a separate group (a sub-set) that is isolated by a firewall or VLAN.

If this group's internet access is blocked by the main firewall, you don't need to produce a special statement for Cyber Essentials; the whole organisation will be covered.

Note: If these devices are moved to a separate group but can still access the internet, then you must produce a statement excluding this group from the Cyber Essentials assessment scope.

‘We need to apply all updates within 14 days of release’

Cyber Essentials does state that updates must be installed within 14 days of release. We recommend that all updates are applied within 14 days, but it is only mandatory if the update meets one of the following criteria:

  • The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’
  • The update addresses vulnerabilities with a Common Vulnerability Scoring System (CVSS) v3 base score of 7 or above
  • The vendor provides no details of the severity of the vulnerabilities the update fixes, e.g. it is classified as a security update with no further information
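The three criteria above can be turned into a simple tracker that tells you which pending updates carry the mandatory 14-day deadline and which are merely recommended. The script below is an added example, not part of the original post or of any Cyber Essentials tooling; the sample advisories in it are constructed for illustration and are not real vendor data. It treats a vendor rating of ‘critical’, ‘high’ or ‘high risk’, a CVSS v3 base score of 7.0 or above, or the absence of any severity information as making the update mandatory, then compares the release date plus 14 days against the install date (or today’s date if it is still pending).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cyber Essentials window: 14 days from the vendor's release date.
PATCH_WINDOW = timedelta(days=14)
# CVSS v3 base score at or above which an update becomes mandatory.
CVSS_THRESHOLD = 7.0
# Vendor ratings that make an update mandatory (case-insensitive).
MANDATORY_RATINGS = {"critical", "high", "high risk"}


@dataclass
class Update:
    name: str
    released: date
    vendor_severity: Optional[str]  # vendor's own rating, None if not published
    cvss_v3_base: Optional[float]   # CVSS v3 base score, None if not published
    installed: Optional[date] = None


def is_mandatory(u: Update) -> bool:
    """Apply the three criteria under which the 14-day deadline is mandatory."""
    sev = (u.vendor_severity or "").strip().lower()
    if sev in MANDATORY_RATINGS:
        return True
    if u.cvss_v3_base is not None and u.cvss_v3_base >= CVSS_THRESHOLD:
        return True
    if not sev and u.cvss_v3_base is None:
        # The vendor gave no severity detail at all: treat as mandatory.
        return True
    return False


def deadline(u: Update) -> date:
    """Last day on which the update may be installed and still be in time."""
    return u.released + PATCH_WINDOW


def status(u: Update, today: date) -> str:
    """Classify one update relative to the 14-day window."""
    if not is_mandatory(u):
        return "recommended"
    due = deadline(u)
    if u.installed is not None:
        return "installed_in_time" if u.installed <= due else "installed_late"
    return "overdue" if today > due else "due"


def assess(updates: List[Update], today: date) -> Dict[str, str]:
    return {u.name: status(u, today) for u in updates}


# Constructed sample advisories (hypothetical products and dates).
SAMPLE_UPDATES = [
    Update("browser", date(2024, 7, 1), "Critical", 9.8, installed=date(2024, 7, 10)),
    Update("office-suite", date(2024, 7, 1), "Moderate", 5.3),
    Update("firmware", date(2024, 7, 1), None, None),          # no vendor detail
    Update("vpn-client", date(2024, 7, 5), "Moderate", 7.5),  # CVSS pushes it over
    Update("pdf-reader", date(2024, 7, 12), "High", None),
    Update("db-server", date(2024, 6, 1), "critical", 8.1, installed=date(2024, 6, 20)),
]
SAMPLE_TODAY = date(2024, 7, 20)


def sample_report() -> Dict[str, str]:
    """Run the assessment over the constructed sample as of SAMPLE_TODAY."""
    return assess(SAMPLE_UPDATES, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, st in sample_report().items():
        print(f"{name:14} {st}")
```

Anything reported as `overdue` is the finding an assessor will raise; `recommended` items still deserve a schedule, but missing their 14-day mark is not in itself a Cyber Essentials failure.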

We recently explored some of these misconceptions in our community in more depth; you can watch the recording to learn more.


I hope you’ve found this helpful! If you’re interested in a conversation about Cyber Essentials for your school or trust, Secure Schools are an approved certification body, working exclusively in education to help you achieve your CE certification. You can make a request directly here, or you can book a meeting to get the ball rolling!

Get started here!