The following 8 questions for governing bodies and management committees have been produced by the National Cyber Security Centre (NCSC) working with Welsh Government, to help improve a school’s understanding of their cyber security risks. 

Schools rely heavily on IT and online services to function. They also hold large amounts of sensitive personal data on learners, parents and carers and education practitioners. All this needs to be kept safe and secure.

Cyber security’s main purpose is to ensure the devices we use, and the services we access are protected from the risk posed by a cyber security incident that could result in theft or damage It is also about preventing unauthorised access to the vast amounts of personal data we store on these devices, servers and in online accounts.

A cyber security incident can affect the school’s ability to function, the security of its data and its reputation. Both the school leaders and the governing body will want to ensure they are aware of cyber risks and adequately prepared in the event of a cyber-incident. Schools will already be following similar approaches when it comes to managing risks and responsibilities around GDPR and learner safeguarding more generally

Roles and responsibilities

The role of governing management committees is strategic and should be focused on ensuring that schools have IT policies and procedures in place that cover the use of ICT systems and data security, including compliance with the General Data Protection Regulations (GDPR).

These questions are not intended as a checklist. They have been written to start the cyber security conversation between the governing body and school leaders, with the governing body taking the lead.

The questions are set out across three themes: to seek out information, raise awareness, and improve preparedness in case of an incident.

Factual questions for the governing body to give the school a good understanding of their IT services:

For a school to keep its data and systems safe, it should know who its main education technology partners are. This list might include who provides the school’s internet connection or who runs the school’s website. It might also cover IT support contracts from a Local Authority or a Managed Service Provider.

Depending on the school, this may be a member of teaching staff, or a separate education technology partner such as their local authority. It’s important that school leaders know who/what this is, and that this person/team/company follows key cyber security practices as outlined in the and the NCSC’s guidance 10 Steps to Cyber Security.

Some IT services are critical to the day-to-day running of the school - these are the ones that will need securing the most. Think of them like the school’s “crown jewels”. For example, the school’s Management Information System (MIS) will contain learners’ medical records, safeguarding information and parents and carers contact information. Without access to this information (or hard copy backup), schools would find it difficult to remain operational if their IT systems went down in any way. The IT services in your school could be managed internally, in conjunction with an education technology partner or a mixture of both.

If a school loses access to its critical data, the effects can be softened by having a proper backup and restoration plan in place. Backups of important data can help when there are cyber incidents but also with other disaster scenarios like fire, floods, physical damage or theft of devices.

The degree to which both users and the governing body understand the importance of cyber security and their role in it:

TIP: Cyber incidents or attacks should be considered in terms of risk management and be listed on the school's risk register, alongside other IT and data risks. Cyber security should be referenced in any relevant school policies (e.g. business continuity, data protection, acceptable usage etc). It is also advisable to have cyber security as a regular agenda item at governing body meetings as with other topics like GDPR and the physical security of the school.

Good cyber security is dependent on people. Education practitioners can alert schools to potential problems like spotting phishing emails or phone calls, or noticing when a service is running particularly slowly, which could be a sign of a cyber-attack.

TIP: Assurance can be sought by asking the school’s staff to take part in cyber security training.

Phishing is a common method of cyber-attack, this training module will help education practitioners understand phishing and how to protect themselves and their school.

There are other training resources like the NCSC’s Practical Tips guide which be downloaded from the Hwb .

Being prepared for the potential impact of a cyber-security incident is crucial in helping schools minimise disruption should an incident occur:

All types of schools can experience a cyber-incident. A cyber incident could result in a school’s network being unavailable for an unknown period of time, with limited or no access to important data and services. The importance of access to the MIS has been covered earlier in theme A, but there are other services like: telephones, access control systems, cashless payment systems. These will impact on the school’s operation if they are unavailable.

TIP: Assurance can be sought in this instance by establishing whether the school has a business continuity plan in place that includes IT and these wider services. For example, it might be that your school holds a paper copy of the school register and parent contact information. This way a school can increase its chances of functioning in the event of a cyber-incident. Key to this is the list of education technology partners the school uses including contact numbers. The NCSC’s 10 steps to Cyber Security and the Response and Recovery Guide can help inform the school and provide governors with assurance.

A school’s business continuity plan should list its key IT support partners education technology partners, as well as those that may be responsible for the management of IT within the school. It is very important that up-to-date contact information sits alongside this.

TIP: For schools, establishing what role these education technology partners IT support partners will perform in the event of a cyber-incident would be very beneficial at this planning stage. If additional support or expertise is needed in the event of an incident this should be identified beforehand. A school may also want to list important contact information from the local authority, chair of the governing body and local law enforcement. Schools can report cyber security incidents to Action Fraud, UK’s national reporting centre for fraud and cybercrime. If the incident involved a data breach it may be necessary to report it to the Information Commissioner’s Office (ICO) under GDPR guidelines.