Cyber Essentials challenge for Special Educational Needs schools


Cyber Essentials can be a challenging certification to achieve for schools that operate Special Educational Needs (SEN) facilities, explains Aidan Collins.

With limited public guidance for SEN schools relating to Cyber Essentials, the following blog aims to help those who may have concerns about the upcoming changes to the scheme in April 2023.

There are already concerns being raised in SEN schools around the existing 12-character password requirement (it can be reduced to 8 characters if a common password deny list, or MFA, is implemented).

To alleviate this concern, children may share these longer passwords with teachers or carers as long as the username is unique to the child, but the password must not be shared with other parties, such as the school’s Managed Service Provider (MSP).

We are aware that passwords and accounts may be shared between MSP employees when accessing school systems to configure the system or fix faults. This is not compliant under the Cyber Essentials scheme, as accounts must be unique to each user with their own passwords.

The key challenge from April 2023, with the introduction of the Montpelier standard, is likely to be around multi-factor authentication.

The requirement for Cloud Services (such as Office 365) to have multi-factor authentication (MFA) enabled for all students (irrespective of ability) is likely to be a worry. Options to implement MFA include:

  • Using a managed/enterprise device as an extra factor
  • Using an app on a trusted device as an extra factor
  • Using a physically separate extra factor (such as an RSA token or YubiKey)
  • Using a known or trusted account as an extra factor (such as an email address to receive the MFA code)

YubiKeys allow the One-Time Passcode to be entered automatically by pressing a button on the device, whilst managed devices take it one step further and remove the need to enter an MFA code.

The above options generally cannot be implemented quickly; we therefore urge SEN schools to plan for this as soon as possible.

Further information on the scheme changes can be found on the National Cyber Security Centre (NCSC) blog.