The National Cyber Security Centre (NCSC) defines a cyber incident as:

“A breach of a system's security policy in order to affect its integrity or availability or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990).”

Category 1: national cyber emergency

A cyber incident which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.

Category 2: highly significant incident

A cyber incident which has a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy.

Category 3: significant incident

A cyber incident which has a serious impact on a large organisation or on wider or local government, or which poses a considerable risk to central government or UK essential services.

Category 4: substantial incident

A cyber incident which has a serious impact on a medium-sized organisation, or which poses a considerable risk to a large organisation or wider or local government.

Category 5: moderate incident

A cyber incident on a small organisation, or which poses a considerable risk to a medium-sized organisation, or preliminary indications of cyber activity against a large organisation or the government.

Category 6: localised incident

A cyber incident on an individual, or preliminary indications of cyber activity against a small or medium-sized organisation.

It is unlikely that a cyber incident in a school would involve the NCSC. However, any cyber incident experienced by a school would impact negatively on teaching, learning and learner progress as well as cause worries about additional loss of data, time and reputation.

The plan will help to ensure that, in the event of a cyber incident, a school can:

  • ensure immediate and appropriate action is taken
  • continue to safeguard learners and staff
  • maintain a minimum level of functionality and minimise disruption
  • respond effectively to reduce confusion and further risk
  • restore the school back to an operational standard

To reduce the risk of a cyber incident, a school should:

  • have an up-to-date IT Security Policy and Data Protection Policy that has been approved by governors
  • have an up-to-date Safeguarding Policy and relevant Emergency Plans (this could include a Learning Continuity Plan, Security Plan, Critical Incident Procedure, Business Continuity Plan and Disaster Recovery Plan)
  • ensure all users have read the relevant policies and signed Acceptable Use Agreements and Loan Use Agreements for school devices
  • identify a Cyber Lead for the school (this member of staff should keep up to date with National Cyber Security Centre (NCSC) advice and the NCSC supported resources on Hwb and share details about how any advice should be implemented)
  • provide ongoing awareness training for staff to recognise, report and appropriately respond to security messages or suspicious activities. Free training is available from the local authority and via Hwb. Free training from NCSC includes:
  • evaluate and review their practice on an ongoing basis using the 360 digi Cymru and 360 safe Cymru tools available on Hwb
  • ensure the school’s IT providers regularly assess the school’s security measures including firewall rules, malware protection and role-based user access
  • implement a regular patching regime on all network connected and internet facing devices in the school
  • assess any remote access policies on an ongoing basis
  • ensure data is properly backed up regularly and held fully offline
  • ensure multi-factor authentication (MFA) is in place for staff and important accounts
  • develop a Cyber Response Plan and then review it annually as part of the normal school risk control arrangements
  • communicate the school’s Cyber Response Plan to key staff and the school’s IT provider (this will ensure everyone is aware of their roles and responsibilities in the event of an incident)
  • ensure a hard copy of the plan (and its templates) is kept in a secure location in the event of an incident that prevents staff from using digital devices
  • consider implementing a cyber monitoring and vulnerability scanning solution, such as a Security Operations Centre (SOC) or Security Information and Event Management (SIEM) system, should this be available via your IT provider, and also any relevant NCSC Active Cyber Defence tools

The Education Digital Standards and Guidance on Hwb have been developed to assist schools, in partnership with the local authority or IT Partner, to understand, manage and implement their digital environment. The standards set clear expectations for schools' digital environments, ensuring that they are future-proofed, and provide examples of best-practice solutions for schools to meet their digital needs.

The local authority can provide you with advice and guidance on how schools can meet these standards. The Network and Data Security Standards on Hwb follow the advice and guidance provided by the National Cyber Security Centre (NCSC), which is part of GCHQ, the UK’s lead intelligence, cyber and security agency.

Network security will help protect schools from cyber-attacks and ensure that your data is kept secure. The Network and Data Security Standards offer technical considerations to supplement the standards and to help schools and local authorities apply them within their setting.

To reduce the potential impact of a cyber incident, a range of information including registers, staff and learner contact details, timetables, safeguarding records, medical information and ALN records should be available from previous back-ups or hard copies.

The NCSC provides useful guidance on the frequency and type of back-up that is needed. It is recommended that all schools adopt this guidance.

More information about backing up your data can be found on the NI Cyber Security Centre website.

Speed is of critical importance during a cyber incident. Acting quickly will help to protect and recover any systems that may have been affected and help prevent further spread. If the school suspects it has been the victim of ransomware or another cyber incident, the school should not pay any money demanded.

The school should take the following steps immediately:

  • enact the school’s own Cyber Response Plan and inform the Chair of Governors
  • contact the school’s IT partner
  • inform Hwb
  • contact the local police via the Action Fraud website or call 0300 123 2040
  • contact the local authority’s 24-hour emergency response team who will in turn contact the Chief Education Officer, the Data Protection Officer and other relevant individuals
  • contact the school’s Data Protection Officer who will consider whether reporting to the Information Commissioner's Office (ICO) is necessary. There is a 72-hour window to make any report to ICO using their online form or by telephone on 0303 123 1112 (this may be done in consultation with the local authority’s Data Protection Officer)

There are 4 stages to the process:

  1. Preparation
  2. Detection and analysis
  3. Containment, eradication and recovery
  4. Post-incident activity

Throughout all 4 stages, schools will need to monitor, track and prioritise open incidents.

1. Preparation

The school must do all it can to prepare for incidents.

2. Detection and analysis

When incidents happen, schools need to take time to identify and report them. They then need to analyse and investigate what has happened.

At this stage schools also need to start:

  • documenting the incident
  • notifying relevant parties about the incident
  • following an escalation process
  • communicating with partner security representatives and resolvers

They will need to continue doing this until the end of the process.

3. Containment, eradication and recovery

At stage 3, schools need to:

  • contain the incident
  • resolve the incident
  • take steps to recover from the incident

At this stage, schools will also need to:

  • communicate with partners and users
  • engage support teams by communicating with customers and external parties
  • capture forensic evidence by communicating with law enforcement, regulators and media

They will need to continue doing this until the end of the process.

4. Post-incident activity

At stage 4, schools need to:

  • review the incident and learn from it
  • introduce improvements
  • take steps to prevent an incident from happening again

The National Institute of Standards and Technology (NIST) incident diagram sets out the end-to-end incident handling process in overview.

The following template should be completed to produce a bespoke cyber response plan for your school.

The school must review this plan on at least an annual basis and ensure this plan is kept up to date with new suppliers, new contact details, and changes to policy.

  • Cyber response plan template (docx, 63 Kb)