Updated March 2025
Cybersecurity remains a critical concern for organisations, especially those handling sensitive learner data and assessment materials. With the increasing frequency and sophistication of cyber threats, it is essential for Centres to remain vigilant and take proactive measures to protect their systems and information.
The Growing Threat of Cybercrime
Recent research commissioned by NatWest in October 2024 highlights the critical need for ongoing vigilance, revealing that 42% of British adults have been targeted by scammers in the past 12 months. The education sector is particularly vulnerable, with cybercriminals targeting institutions due to the sensitive data they hold.
The National Cyber Security Centre (NCSC) has published several advisories on the heightened risk of cyberattacks. It is strongly recommended that Centres review their security measures and ensure adequate safeguards are in place.
Useful Guidance from the National Cyber Security Centre (NCSC)
The National Cyber Security Centre (NCSC) offers valuable resources to help organisations protect their data, including:
- Top tips for staying secure online: Personal cybersecurity best practices,
- Cyber essentials : Guidance to help organisations defend against cyber threats,
- 10 steps to cyber security: Aimed at medium to large organisations to enhance their security framework,
- NCSC Small Business Guide: Support for SMEs in preparing for and recovering from cyber incidents,
- Secure system administration: IT design principles for protecting sensitive data,
- Exercise in a Box: A tool designed to test and improve cybersecurity responses.
For the latest updates, Centres are encouraged to subscribe to various topics, including threats and advisories.
Additional Cybersecurity Resources
In addition to the core guidance provided by the NCSC, Centres can benefit from a range of news articles, research papers, and best-practice recommendations, including:
- Introduction to threat intelligence : Insights into identifying and responding to cyber threats,
- Selecting Secure Operational Technology Products: A new guide advising organisations on choosing operational technology products and manufacturers that adhere to secure-by-design principles,
- Exploitation of Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities: A recent advisory encouraging organisations to take immediate action to mitigate security risks.
Reporting Cyberattacks
We would like to remind our Centres that under the Centre Agreement, both parties must notify each other within 24 hours of any cyberattack experienced. This is particularly important when there is any risk of personal data or system access being compromised. As joint data controllers, this reciprocity protects both parties and ensures we work together towards a resolution that does not adversely affect learners.
If you have experienced a cyber incident, please report it immediately via your designated Centre contact or through our online reporting system.
Cybersecurity Training and Qualifications
Educating staff and learners about cybersecurity can significantly reduce risks. Centres may want to integrate cybersecurity training into their curriculum using regulated qualifications, such as:
Level 1 Award in Cybersecurity Level 2 Award in Cybersecurity
These qualifications offer several benefits, including:
- Fully funded (subject to learner eligibility),
- No final external assessment – portfolio-based achievement,
- Standalone regulated qualification,
- Can be embedded into various curriculum areas,
- Covers essential topics relevant to today’s cybersecurity landscape.
For more details on these qualifications, speak to the Business Development team at 01206 911 240 or contact us online.
Further Guidance and Best Practices
- Introduction to Active Cyber Defence: An overview of proactive measures organisations can take to strengthen cybersecurity,
- Device Security Guidance: Advice for organisations on selecting and securing mobile devices,
- Vulnerability Scanning Tools and Services: Guidance on selecting and implementing automated vulnerability scanning tools,
- Mitigating Malware and Ransomware Attacks: Best practices for preventing ransomware attacks and ensuring an effective recovery process.
With the increasing number of cyberattacks against Academic institutions, remain vigilant and understand your legal obligations around notifications in the event of your organisation being targeted.
Under the GDPR, we, like yourselves, are considered to be a data controller with regards to learner data. This means that jointly, we have the same legal obligations around reporting potential security breaches, and more importantly, possible data breaches. In the event that either your organisation or ours experiences a cyberattack, we are both responsible for not just notifying the necessary authorities (ICO, NCSC, police, Ofqual, etc), but we are obligated to notify each other.
Our approach to notifications will be to ensure that any potential cyberattack or breach of data on our systems will be communicated to the relevant authorities and yourselves as one of our centres. The reporting will inform you within the legal 72 hour notification period of the incident, as well as containing details of the steps we are undertaking to determine the cause, nature and potential impact of the cyberattack or breach. The communication will also indicate the primary contact in our organisation who will be the primary contact throughout the duration of the incident. We will shortly be confirming with your centre who your primary contact would be for these communications so that these are received by the correct person responsible for GDPR compliance.
We will require the same communications from you in the future so the correct primary contacts are always aware of and able to respond to any future incidents.