Universities and colleges are not immune from deception by unscrupulous bad actors. The extent to which educational institutions can manage and control risk not only depends on financial management and internal controls, but also the robustness of security and processes which can be exploited from outside the organisation.
Universities and colleges are not immune from deception by unscrupulous bad actors. The extent to which educational institutions can manage and control risk not only depends on financial management and internal controls, but also the robustness of security and processes which can be exploited from outside the organisation.
Internal fraud can be demoralising. Staff exploiting weaknesses in internal processes to set up false suppliers, abuse the company credit card or claim additional expenses appear minor, but all amount to fraud and could have serious repercussions for the individuals concerned.
A recent decision in the Supreme Court in R v Andrews [2022] UKSC 24 has highlighted that anyone falsely claiming qualifications on their CV can be stripped of the profits of their deception. The Supreme Court permitted a Proceeds of Crime Act 2002 (POCA) confiscation order on the basis of the pre-appointment earnings. Ensuring that validation in recruitment processes is properly and diligently carried out would avoid the worst excesses of CV fraud, but would also deter appointments of people who may see education as a soft target.
But what of the external actors who target education and charities, who rely on volunteers, community support, co-operation and public goodwill to operate effectively and generate additional income? The sophistication and variety of modes of the attack has certainly evolved over the past two years, as has the frequency of experience and level of disruption caused.
The Department for Digital Culture Media and Sport has surveyed the education sector as part of its aim to inform government policy on cyber security in its annual Cyber Security Breaches Survey 2022 . The results show 92% of higher education institutions identified a breach, while the education sector as a whole, experienced some of the highest levels of the most dominant form of attack in phishing emails, outstripping even the business sector.
But one concern is the survey identified that most education establishments experienced some form of attack or breach on a weekly basis. Spoof emails or impersonation attacks, and attempts at gaining unauthorised access through malware, were also a common occurrence.
The high levels of reporting could point to increased security, senior management engagement and staff vigilance underlining their preparedness to invest in approaches to prevent attacks – such as security monitoring or penetration testing, as well as maintaining risk assessment and disaster plans to trigger appropriate responses.
In reality, where these attacks were effective, a significant proportion of the institutions experienced a negative outcome, with loss of data for illicit purposes or financial losses or accounts systems being compromised. As a consequence, they reported significant disruption with increased manpower and staff time to deal with the reporting and stakeholder engagement, post event.
One key feature of the report is the kudos given to the education sector as a result of its cyber security planning and policies, the level of knowledge of directors and trustees and how they dealt with breaches – including external reporting (with stakeholders, insurers, regulators) and implementation of additional controls (passwords and two factor authentication). In fact, it was regarded as the equivalent of large businesses, who are considered to be the most well-equipped to deal with these issues.
It is perhaps testament to the education sector’s reported high levels of compliance with the 10 Steps to Cyber Security and its proactivity in seeking guidance and enhanced security that has led to its overall rating which, in some instances, outperforms businesses. Despite the concerning levels of attacks which target educational institutions, these efforts go a long way to block potential disruption. Regrettably, in the digital and online times in which we live, it does not eradicate the risk, but it mitigates the harm and allows educators to focus on what they do best, which is heartening news.
Partner
paul.wainwright@brownejacobson.com
+44 (0)121 237 4577
There’s been little evidence of interventions or financial management reviews this year and it appears the Education and Skills Funding Agency (ESFA) has re-focussed on financial delivery. It’s also telling that there were no discernible changes to the reporting of financial irregularities in the Academies Trust Handbook 2022.
The Children’s Commissioner, Rachel De Souza, has recently published a report “Beyond the labels: a SEND system which works for every child, every time”, which she intends to sit alongside the DfE’s SEND Review (2019) and SEND Green Paper (2022) and which she hopes will put children’s voices at the heart of the government’s review of SEND system.
There’s greater opportunity than ever for parents, carers and guardians to voice any concerns they have relating to their child’s education and for their concerns to be heard and to be taken seriously. While most staff in schools and academies are conscious of their legal duties relating to complaints management, many are struggling to cope with such a significant increase in the volume of complaints they must manage.
We’re pleased to collaborate with Lloyds Bank, who recently asked us and audit and risk specialists Crowe UK to offer guidance that academy trusts would find helpful when considering setting up a trading subsidiary.
The DfE has published new guidance and opened the application process for window two of the Trust Capacity Fund (TCaF) for 2022/2023, with a fund of £86m in trust capacity funding focused particularly on education investment areas.
The Independent Inquiry into Child Sexual Abuse was established in March 2015. We now have its report. As you would expect with such a broad scope, the report is long and makes a number of far-reaching recommendations. In this article, Dai Durbridge highlights seven of the 20 recommendations, sets out how they could impact on schools and suggests what steps to take now.
Browne Jacobson’s education team has been named as winner of the ‘Legal Advisors to Education Institutions’ category at the Education Investor Awards 2022 for a record sixth time.
Since the new Suspensions and Exclusions Statutory Guidance was published, we have received a lot of questions about the use of managed moves. For the first time, the Statutory Guidance does explain what a managed move is, but in relatively broad terms and does not cover the mechanics of how a managed move should operate.
Over 3000 young people from across the UK and Ireland took part in a virtual legal careers insight event, aimed at making the legal profession more diverse.
Holly Quirk, an associate barrister in Browne Jacobson’s Manchester office, was awarded the Legal Professional of the Year Award at this year’s Manchester Young Talent Awards.
The risk of assault against staff is, sadly, something that all schools need to consider carefully. Here one legal expert explains what they can do to protect staff and ensure they fulfil their duty of care.
Browne Jacobson’s education team has again been confirmed as a national powerhouse after securing five Tier 1 rankings relating to Education in the latest edition of Legal 500 and maintaining a Band 1 UK-wide ranking for Education in Chambers & Partners UK 2023.
Created at the end of the Brexit transition period, Retained EU Law is a category of domestic law that consists of EU-derived legislation retained in our domestic legal framework by the European Union (Withdrawal) Act 2018. This was never intended to be a permanent arrangement as parliament promised to deal with retained EU law through the Retained EU Law (Revocation and Reform) Bill (the “Bill”).
The majority of people do not feel the need to embellish their CV to get that coveted position and move on up the career ladder. Their worthiness and benefit to the hiring organisation are easily demonstrated through the recruitment process – application, psychometric testing, selection day or interview.
