These issues, says NGS Secure, mean that schools are now putting pupil, employee and administrative information at risk.
The assertion is based on an audit of one randomly selected UK secondary school and primary school – neither of which the firm says can be named due to confidentiality agreements – to ascertain how secure each was as part of a project to boost security within a local education authority.
The company says it found a myriad of basic security oversights and security issues on the school's 338 computers.
Auditors found more than 9000 instances of missing critical software patches and multiple instances of outdated or missing anti-virus software.
These flaws, says NGS Secure, would allow an attacker or virus to trivially exploit the systems without any prior knowledge of the target.
In some instances, the company warns, systems holding databases were found to be vulnerable to attack, which would allow a hacker complete access to information contained within those databases.
The audit also found that the root cause of the security problems apparently derived from the use of easily guessable passwords, such as 'private' or 'password,' which could allow anyone to enter the systems and change their configurations.
Multiple users, says the firm, were also found to have access to the admin facilities on the network, one of which is a backup account with a default and widely known password. This could, says NGS Secure, allow a hacker administrator access, rendering the school's entire network vulnerable to attack.
Paul Vlissidis, technical director at NGS Secure, said that it is widely thought that UK schools are, for the most part, behind other public sector organisations when it comes to information security. The two tests that the firm carried out, he explained, do nothing to dispel this perception.
"The schools in question displayed missing patching – some of which was 15 years out of date – as well as firewalls and anti-virus security provision that was totally ineffective. Even the basics of logical security, such as complex password protection and limiting administrator access, were not being followed", he said.
Vlissidis added that he and his team believe their research to be indicative of similar issues in many UK comprehensive and primary schools, where networks are open to trivial attacks by even the most amateur hackers.
"This is highly concerning considering the amount of personal information on staff members and pupils these networks contain", he said.
According to NGS Secure's technical director, whilst an attack on a school network may seem like a trivial matter as no financial data is likely to be obtained, a miscreant could potentially access thousands of children's personal information, such as where they live, next of kin and telephone numbers.
In the wrong hands, he argues, this information could be highly dangerous. "Schools need to be aware that public sector organisations are not exempt from ICO fines and that a serious breach could be costly to local education authorities", he said.