IT security in schools is important. Perhaps even more so than in other areas, as it concerns the protection of children's and young people's personal data. Many schools face the challenge of wanting to provide access to the internet while ensuring the highest possible level of security. On this page, you can find out what school administrators need to consider when it comes to network security. In collaboration with experts, we have also created a template for an ICT security concept.
Schools are a popular target for external hacker attacks or network raids. Data is stolen or the school is denied access to its own data and thus blackmailed. To prevent this, the firewall is a key security element.
Firewalls are available as hardware or software. Both versions effectively prevent external attacks, but each has advantages and disadvantages in terms of use:
A local firewall is installed on a specific computer or network device, usually located at the gateway to the internet. The firewall monitors data traffic entering and leaving the network. It acts as a digital security guard, controlling data traffic and automatically blocking suspicious activity.
A school's data traffic is routed through a cloud-based firewall via a special cloud infrastructure before it reaches the internet. This cloud-based firewall secures the data traffic.
Compared to a local firewall, this architecture does not require any hardware at the school, only the appropriate router configuration: data traffic is routed exclusively to the cloud firewall and incoming traffic is only allowed from there.
Best security practice: For multi-layered security, it is advisable to use both hardware and software firewalls in IT security at schools. If a school does not have sufficient security expertise, it can call on a professional security provider. A cloud-based firewall tends to perform better and offers more security features than a local firewall.
In school environments in particular, there is often the challenge of third-party computers (bring-your-own-device) being used. A cloud-based firewall is particularly recommended in this case.
Swisscom's ‘Schools on the Internet’ initiative provides all schools in Switzerland with an Internet connection and a security solution.
The individual school connections are protected by a security infrastructure in Swisscom's core system and managed by Swisscom. The security settings on the education networks of primary and secondary schools can be configured individually by the cantons according to their needs.
Viruses and malware are often sent via email in the form of attachments, links or embedded scripts. You can prevent such attacks by taking targeted technical measures.
Malicious software is often sent as an attachment (e.g. as an executable file, document or image) to an email. When the recipient opens this attachment, the malware can install itself on the computer.
Links are also a common gateway for malicious software: an email with emotional content lures the recipient to a malicious website. This is the context in which the term phishing is used.
In addition to attachments and links, embedded scripts can also carry viruses and malware that are executed when the email is opened. The danger is particularly great in HTML format, which is now the standard for displaying emails.
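The three delivery routes described above (attachments, links, embedded scripts) can be checked mechanically on a raw message. The following Python code is an added example, not part of the original page or of any Swisscom product; the extension list, the function names and the `.example` hosts in the constructed sample message are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumption: illustrative extension list, not a complete blocklist.
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".docm", ".xlsm")

class HtmlScan(HTMLParser):
    """Flags script-capable markup and links whose visible URL hides another host."""
    def __init__(self):
        super().__init__()
        self.findings, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"embedded <{tag}>")
        if any(name.startswith("on") for name, _ in attrs):
            self.findings.append(f"event handler on <{tag}>")
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None
    def handle_data(self, data):
        text = data.strip()
        if self._href and text.lower().startswith("http"):
            if urlsplit(text).hostname != urlsplit(self._href).hostname:
                self.findings.append(f"link shows {text} but opens {self._href}")

def scan_message(raw: bytes) -> list:
    """Return findings for the three delivery routes: attachment, link, script."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment {name}")
        if part.get_content_type() == "text/html":
            scanner = HtmlScan()
            scanner.feed(part.get_content())
            findings.extend(scanner.findings)
    return findings

def build_sample() -> bytes:
    """Constructed test message; all hosts are reserved .example names."""
    m = EmailMessage()
    m.set_content("Please view the HTML version.")
    m.add_alternative('<p onmouseover="x()">Log in: <a href="http://login.attacker.example/">'
                      'https://portal.school.example/</a></p><script>x()</script>', subtype="html")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="Timetable.pdf.exe")
    return m.as_bytes()
```

Calling `scan_message(build_sample())` reports the inline event handler, the link whose visible address differs from its real target, the `<script>` element and the double-extension attachment.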
To protect your school from such attacks via email, there are technical measures you can take:
Install reliable antivirus software on the school computers. Depending on the quality of the software, this can block many malicious emails.
Be sure to always keep the operating system of the school computers up to date in order to close security gaps as early and reliably as possible. All other network components must also be kept up to date at all times (e.g. local firewall, access points, local server).
Some email providers offer virus and malware protection. Find out what your provider offers and take advantage of protective services.
The aforementioned (hardware or software) firewalls are a popular option for blocking not only suspicious internet traffic, but also suspicious email traffic.
However, even all technical measures combined cannot offer 100% protection. Despite these measures, malicious emails may still end up in your inbox at any time. In this case, it is important that the person concerned knows how to respond. Here you can find out how to recognise fraudulent emails.
Urgently raise awareness among all users (teachers and pupils) of the potential dangers of malicious emails in order to prevent viruses and malware on school computers. Here are some ideas for training or awareness campaigns:
Cloud-based services, applications or local data management systems allow different security levels for user authentication. For data with special protection value, security should be given the highest priority.
As a general rule, the greater the access protection, the lower the user-friendliness. Login processes with multiple authentication steps can be cumbersome, but when it comes to personal data on employees or pupils, grades, learning reports, etc., no compromises should be made. Instead, the highest possible level of security and protection should always be chosen.
How to secure access to data, files or devices:
To protect access to data, files or devices, you can almost always set passwords. Make sure that these are complex and long enough to provide a high level of security. Keep your passwords safe (e.g. in a school password manager), because unlike biometric keys, passwords are unfortunately not theft-proof (see phishing).
Increasingly, it is now also possible to use time-limited login codes or login links sent by email or text message instead of passwords as login details.
Often, the authentication method for a login can be selected. Fingerprint and facial recognition have become established methods for mobile devices such as smartphones, tablets, and laptops. Compared to passwords, biometric keys are resistant to phishing and therefore fundamentally more secure.
As the name suggests, MFA combines two factors:
It is even more secure if the code in the second step is replaced by a biometric key (known as inherence).
To secure access to data, storage locations or devices at your school, we recommend:
After you have marked an exam, for example, you want to store the school grades digitally. Where is this sensitive data safest: locally on your computer, on a local data server or in the cloud?
Nowadays, laptops are hardly suitable for storing data. On the one hand, there is often not much storage space available on the hard drive, and on the other hand, laptops can fall on the floor or be stolen. For data storage, the following two options are therefore prevalent in schools, which can also be combined:
One option is to store data on an internal school data server that is not directly connected to the internet. This is often located within the school infrastructure and can therefore only be accessed from within the school network.
Nevertheless, since the internet, school devices and the data server are ultimately connected to each other, an external attack cannot be ruled out. A virus that enters the school via email or a USB stick, for example, can still reach this infrastructure and cause damage by identifying points of entry and transmitting them to hackers.
These digital storage locations are provided by professional services such as Swisscom, Microsoft, Google and Amazon. They all have a responsibility to protect the data entrusted to them particularly well and invest heavily in this security.
If the data is stored in the cloud, it may also be physically stored abroad, depending on the company and server locations. This means that the data has left Swiss jurisdiction and third countries may claim access to the data on the basis of their legislation.
However, the association of cantonal data protection officers, privatim, has now succeeded in ensuring that Microsoft's popular Office solution, Microsoft 365, has its place of jurisdiction in Switzerland. This means that Swiss citizens and the administration can take legal action against Microsoft in Switzerland in the event of unauthorised access to such data.
The Fachstelle educa, run by the cantons and the State Secretariat for Education, Research and Innovation (SERI), offers schools an easy-to-understand analysis process to assess which aspects require particular attention at each school.
Many schools already work with cloud-based solutions today. However, even though data is stored online, schools often still maintain additional local data storage. This pays off particularly well in its function as an IT backup.
Manually managing local data storage as separate, additional data storage makes little sense. The effort involved, as well as the risk of unnecessary redundancies and of diverging versions, is too great.
The better solution: set up an IT backup that automatically copies the relevant data at regular intervals and stores it in a second, independent location. It is important that this IT backup is kept in a different location from the original files, so that in the event of damage the original and the backup are not both lost. It is also important that the backup is protected against virus infection, so the backup infrastructure should be isolated from the rest of the network.
Since the advent of cloud-based services and data storage, data protection has become a key issue in schools. It is essential to take responsibility for particularly sensitive data and to protect it as effectively as possible.
Data requiring special protection? This includes, for example, pupil reports, grades, homework or teachers' salaries.
If such data is stored in online storage services such as Apple iCloud, Microsoft SharePoint, Dropbox or Google Cloud, various requirements must be met. The Association of Cantonal Data Protection Officers (privatim) has published a leaflet describing the necessary steps in detail.
The Centre for ICT in Education (educa, www.educa.ch) has also compiled canton-specific resources entitled ‘Information material on data use and data protection’.
If, despite all security precautions, a successful attack on the school's data or systems does occur, you should respond as quickly as possible. Some immediate measures are now mandatory, while others can be adapted to the situation.
In the event of theft, loss or unauthorised disclosure of personal data, there has been a reporting obligation since the Data Protection Act (DSG) came into force on 1 September 2023. The report must be submitted to the Federal Data Protection and Information Commissioner (FDPIC).
The following steps must be taken immediately in the event of data theft:
Determine as quickly as possible which data is affected by the incident. Measures must be adapted depending on the sensitivity of the data.
If only some of the data is affected, protect the remaining data against the threat that has occurred. For example, take other servers off the network, block logins from affected end devices or change passwords.
Depending on the type of attack, you will not be able to stop it without outside help. Inform your security provider and the contact person at your canton's education authority. They will assist you with all further steps and measures.
Inform the persons affected by the data theft as quickly and clearly as possible. Quickly, so that these persons can immediately update their passwords or take other security measures. Clearly, so that the extent of the data theft can be narrowed down as precisely as possible. Also make sure that your message cannot be misinterpreted as spam or a phishing attack.
Crisis plans are mandatory in many Swiss cantons. A crisis intervention team (CIT) undergoes special training to be prepared for threats and disasters.
Conventional crisis plans often cover cases such as fires, floods, hostage-taking, accidents, etc. Unfortunately, a chapter on ICT crises is often missing. You can find out which aspects are relevant for an ICT crisis plan in the sample ICT plan.
Crisis plans are mandatory in Swiss schools in many cantons. However, these crisis plans often lack a section on ICT crises, which can have devastating consequences. We recommend developing an ICT crisis plan at an early stage and also provide a sample template that has been reviewed by experts.
An ICT crisis plan helps you and your team to gain a common understanding of the areas of the school network architecture, identify existing risks and rely on a defined process in the event of a data leak or IT failure.
It does not matter whether your ICT crisis plan is incorporated into your existing crisis plan or created as a separate document – as long as it exists in one form or another. Like the crisis plan, the ICT crisis plan should also be reviewed and practised at regular intervals with all departments involved.
The link below provides a sample template for an ICT crisis plan. Depending on the architecture and organisation of your school, certain aspects may be omitted, while others may need to be added.
We have compiled further information and content on the topic of ‘IT security at school’ here.