School security: controlling and securing user accounts to meet DfE cybersecurity standards 

27 June, 2024


The Department for Education (DfE) states that protecting user accounts and related data is a critical defence against cyber incidents and attacks. In this article, we outline how your school, college or trust can meet the DfE’s cybersecurity standards when controlling and securing user accounts.   

The DfE sets out specific cyber security standards for schools and colleges in England. One of these standards focuses on controlling and securing user accounts and access privileges.

At Salamander, we’ve had 15+ years of provisioning and managing user accounts for schools, colleges and trusts, so we have created this guide, breaking down the standards set by DfE when it comes to securing your user accounts.   


Why is securing user accounts in schools important? 

Cybersecurity has always been crucial for schools, colleges and multi-academy trusts. However, in recent years, there has been a dramatic rise in cyberattacks on the education sector.

The Cyber Security Breaches Report found:   

  • Educational institutions are more likely to identify cybersecurity breaches or attacks than the average UK business.   
  • Around 1 in 10 primary schools experienced cybercrime in 2023.  
  • Around 1 in 3 secondary schools experienced cybercrime in 2023. 

As you can probably imagine, cyber incidents have a severely detrimental effect on schools, resulting in safeguarding issues, harm to student outcomes, disruption to teaching and learning, financial loss and reputational damage.   

What’s more, cyber incidents are not always carried out by an external group or organisation; they can be caused by accidents within your school or college.  

Not meeting the DfE’s standard on controlling and securing user accounts and access could lead to your school: 

  • Being exposed to external and internal threats 
  • Suffering a significant data breach  
  • Exposing students and staff to inappropriate content 
  • Suffering a disruptive and costly ransomware attack  
  • Not being covered by your insurer for cyberattacks and incidents 

Who is responsible for securing user accounts in schools? 

The Senior Leadership Team (SLT) digital lead is accountable for meeting the DfE’s cybersecurity standards, and the school’s IT support (whether internal or external) is responsible for implementing them.   

Your IT support will work with any digital technology suppliers, the data protection officer (DPO), whoever is responsible for movers, joiners and leavers and any other IT leads in your school or multi academy trust.   


How to secure user accounts in schools 

Create a plan  

The SLT digital lead must agree on a plan with IT support on key elements of your user account management, such as who should access what, password policies and security features such as multi-factor authentication.  

Password policies  

The DfE states all your school users must be authenticated with unique credentials before they access devices or services. 

Your IT support must enforce password strength at the system level (so that a weak password cannot be set at all, rather than relying on users to follow guidance), and the NCSC suggests using three random words or machine-generated passwords.  

Any passwords that are compromised – or suspected to be – must be changed immediately.  

Password protections should also be set, such as a limit on the number of failed login attempts before the account is locked.  
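The following is an added example, not code from the original article, from Salamander or from the DfE standard. It shows what the three controls above look like when enforced in code rather than in guidance: a system-level policy check applied before a password is accepted, an "immediate change" flag for a password suspected to be compromised, and a lockout after a fixed number of failed attempts. The minimum length, the lockout threshold and duration, the compromised-password list and the usernames are all assumptions chosen for illustration.

```python
"""Added example: a minimal authentication gate with a password policy,
a forced-change flag for compromised passwords, and account lockout.
Thresholds and sample data are assumptions, not DfE or NCSC values."""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 12          # assumed minimum; three random words comfortably exceed it
MAX_ATTEMPTS = 5         # assumed number of failed logins before lockout
LOCKOUT_SECONDS = 900    # assumed lockout duration (15 minutes)

# Constructed stand-in for a breached-password feed; a real deployment would
# check against a maintained list rather than a hard-coded set.
KNOWN_COMPROMISED = {"Password123", "Welcome1", "school2024"}


def check_password_policy(username, password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username.lower() in password.lower():
        problems.append("contains the username")
    if password in KNOWN_COMPROMISED:
        problems.append("appears in a known-compromised list")
    return problems


def _hash(password, salt):
    # Slow salted hash so a stolen store cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self):
        self.accounts = {}

    def create(self, username, password):
        """Enforce the policy at creation time: a weak password is rejected, not warned about."""
        problems = check_password_policy(username, password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = {
            "salt": salt, "hash": _hash(password, salt),
            "failed": 0, "locked_until": 0.0, "must_change": False}

    def mark_compromised(self, username):
        """Suspected compromise: the next successful login must change the password."""
        self.accounts[username]["must_change"] = True

    def authenticate(self, username, password, now=None):
        """Return 'ok', 'change_required', 'denied' or 'locked'."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"  # same answer as a wrong password, so usernames are not confirmed
        if now < acct["locked_until"]:
            return "locked"  # do not even evaluate the password while locked out
        if hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            acct["failed"] = 0
            return "change_required" if acct["must_change"] else "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_ATTEMPTS:
            acct["failed"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

The lockout is per account, not per device, which is what prevents an attacker from simply moving to another machine. In a school this logic normally lives in the directory service (for example an Active Directory or cloud identity lockout policy) rather than in custom code; the example only makes the behaviour explicit.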

Of course, for younger children and some SEND and EAL users, alternatives to passwords may need to be used.  

The DfE recommends PIN codes, or an account that the teacher accesses using the student’s own login, so that activity can still be attributed to the individual student. 

Meanwhile, physical access to networking devices and servers – for example the console of a network switch, or the boot-up (BIOS/UEFI) settings of a server – should be protected by a password or PIN of at least 6 characters.  

A process must be agreed upon with SLT and IT support on securing access to key system passwords and pins in the event of an emergency. 


Multi-factor authentication set-up  

Senior leaders and staff must use multi-factor authentication (MFA) if working with confidential, financial, personal and sensitive data.    

Of course, MFA may not always be accessible for SEND students and younger students, so you may need to discuss alternatives or extra support when logging in.    

You may also want to consider MFA for cloud and online services, all staff accounts, and all student accounts (if verification does not need to be completed on a mobile phone).    

MFA should include at least two of the following:  

  • Password.  
  • Code sent to a mobile device (staff only).  
  • Automated phone call (staff only).  
  • Secure, portable device, such as a mobile phone or tablet (staff only).  
  • Security key or device.   
  • A known or trusted account.  
  • A biometric test (you may need a biometric policy depending on how the data is stored).  

If MFA is not available, a more complex password should be used.   


Account management  

IT support must control user accounts and access privileges by:  

  • Immediately disabling accounts of leavers. 
  • Creating and managing a process for handling joiners, leavers and role changes.  
  • Using tools linked to your Management Information System (MIS) to automate creation and deletion. 
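As an added example (not Salamander’s code, nor anything from the DfE standard), here is the core of the joiner, leaver and mover process described above, with the MIS treated as the source of truth: the directory’s accounts are reconciled against an MIS export, and the result is a list of actions (create, disable, enable, regroup) plus a "review" flag for accounts nobody has used for a term, which is the check the termly account review later in this article asks for. The record layouts, the field names, the 90-day stale threshold, the usernames and the sample MIS rows are all constructed for illustration.

```python
"""Added example: reconcile directory accounts against an MIS export to produce
joiner / leaver / mover actions and a termly stale-account review.
All record layouts and sample data are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set


@dataclass(frozen=True)
class MisPerson:
    person_id: str                      # stable MIS identifier, the join key (never the name)
    name: str
    role: str                           # "student" or "staff"
    group: str                          # year group or department
    leaving_date: Optional[date] = None # set once the MIS records the person as a leaver


@dataclass
class DirectoryAccount:
    username: str
    person_id: Optional[str]            # None for accounts with no MIS record
    enabled: bool
    groups: Set[str] = field(default_factory=set)
    last_logon: Optional[date] = None
    protected: bool = False             # break-glass / service accounts excluded from automation


def reconcile(mis, directory, today, stale_after_days=90):
    """Return (action, target, reason) tuples; nothing is changed here, the caller applies them."""
    actions = []
    to_disable = set()
    mis_by_id = {p.person_id: p for p in mis}
    dir_by_id = {a.person_id: a for a in directory if a.person_id}

    # Pass 1: walk the MIS (the source of truth) and compare each person with their account.
    for p in mis:
        still_here = p.leaving_date is None or p.leaving_date > today
        acct = dir_by_id.get(p.person_id)
        if acct is None:
            if still_here:
                actions.append(("create", p.person_id, f"joiner: {p.role} in {p.group}"))
            continue
        if acct.protected:
            continue
        if not still_here:
            if acct.enabled:  # leaver: disable immediately, delete later per retention policy
                actions.append(("disable", acct.username, f"leaver: left on {p.leaving_date}"))
                to_disable.add(acct.username)
            continue
        if not acct.enabled:
            actions.append(("enable", acct.username, "active in MIS but account disabled"))
        expected = {p.role, p.group}
        if acct.groups != expected:  # mover: year change or role change
            actions.append(("set_groups", acct.username,
                            f"mover: {sorted(acct.groups)} -> {sorted(expected)}"))

    # Pass 2: walk the directory for orphans (no MIS record) and unused accounts.
    for acct in directory:
        if acct.protected or not acct.enabled or acct.username in to_disable:
            continue
        if acct.person_id not in mis_by_id:
            actions.append(("disable", acct.username, "no matching MIS record"))
        elif acct.last_logon is None or (today - acct.last_logon).days > stale_after_days:
            actions.append(("review", acct.username, f"no logon for over {stale_after_days} days"))
    return actions


# Constructed sample data: one of each case the process has to handle.
TODAY = date(2024, 6, 27)
MIS = [
    MisPerson("S1001", "Amira Khan", "student", "Year 7"),                                   # moved up a year
    MisPerson("S1002", "Ben Ortiz", "student", "Year 11", leaving_date=date(2024, 6, 21)),   # leaver
    MisPerson("T2001", "Chloe Dunn", "staff", "Maths"),                                      # long-term absence
    MisPerson("T2002", "Dev Patel", "staff", "Science"),                                     # new starter
]
DIRECTORY = [
    DirectoryAccount("akhan", "S1001", True, {"student", "Year 6"}, date(2024, 6, 26)),
    DirectoryAccount("bortiz", "S1002", True, {"student", "Year 11"}, date(2024, 6, 20)),
    DirectoryAccount("cdunn", "T2001", True, {"staff", "Maths"}, date(2024, 1, 15)),
    DirectoryAccount("oldadmin", None, True, {"staff"}, date(2024, 6, 1)),                   # no MIS record
    DirectoryAccount("breakglass", None, True, {"admin"}, None, protected=True),            # never automated
]


def demo():
    return reconcile(MIS, DIRECTORY, TODAY)


if __name__ == "__main__":
    for action, target, reason in demo():
        print(f"{action:<11} {target:<12} {reason}")
```

Two design points matter for security here. Matching is done on the MIS identifier, not on names, so a renamed or duplicate name cannot cause the wrong account to be disabled or left open. And the break-glass account is marked protected and skipped, because the same automation that closes leavers’ accounts must never be able to lock senior leadership out of the emergency administrative account the checklist below requires.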

The Salamander Integration Suite helps schools and trusts meet the DfE’s cybersecurity standards.  

We automate all user account provisioning, integrating your MIS data with your systems and software. This means: 

  • Access is automatically revoked for all school leavers, according to your school’s policies.   
  • Automated set up of user permissions – staff and students only access data/resources they need to teach, work and learn.   
  • Class memberships are always up to date as soon as a student moves up the school.  
  • Multi Factor Authentication (MFA) can be automatically enabled for new and existing staff. 

What responsibility does IT support have when securing user accounts in schools? 

To summarise, here’s a checklist of responsibilities of IT support when securing user accounts in schools, colleges and trusts: 

  • Ensuring students and staff only access necessary data and systems. 
  • Applying MFA to staff accounts and cloud-based applications for remote work. 
  • Disabling remote access when not needed, enabling it only by authorised personnel. 
  • Implementing enhanced security, like MFA, for handling confidential or sensitive data, with advice from the data protection officer. 
  • Reviewing accounts each term with the business or finance team to catch any missed changes, including adjusting access levels and rights and suspending or deleting unused accounts. 
  • Avoiding the use of global or administrative accounts for routine work; instead, using a standard account day to day and a separate, dedicated account with elevated privileges only when needed, which limits the damage a compromised account can do and makes activity easier to trace during an incident or attack. 
  • Establishing a process for handling administrative accounts, requiring approval from senior leadership or trustees for access changes before implementation. 
  • Ensuring senior leadership can access a dedicated administrative account for emergencies when IT support is unavailable. 



Written by Courtney Farrow

Marketing and Social media

Courtney supports SalamanderSoft in creating engaging online content for the company website and social media channels. She has over ten years of experience in digital content creation and her company Bloom Creative specialises in helping software and tech brands attract, convert and retain customers.

Copyright © 2024 SalamanderSoft Limited