A Schools Cyber Incident Response Checklist

Apr 19, 2024

This week, Charlie gives advice on how schools and trusts can prepare for cyber incidents and provides a useful checklist of considerations.

In last week’s bulletin, I wrote about ‘Business Continuity Planning in Schools’. Once the bulletin had gone out, it occurred to me that I hadn’t mentioned anything about cyber, so this week I have written a checklist that schools can use to see whether they are prepared to respond to a cyber attack. I have also done some research on a couple of school incidents, including the attack on the Harris Foundation Group of Academies, where a cyber attack in 2021 affected 50 schools and approximately 40,000 pupils. Part of the research was a BBC ‘File on 4’ podcast, which can be listened to here. I also noticed that there was an attempted brute force attack on one of The de Ferrers Trust’s schools in Derbyshire in the last week, which resulted in pupils being told to return to school a day later than planned after the Easter holidays while the school’s systems were checked.

I am not a technical cyber expert, so my checklist concentrates on the response to a cyber incident rather than on technical prevention. It can be used by schools and academy trusts to assess their level of preparation and to identify areas where further work could be carried out.

Operational Impacts

  • Does the school have manual workarounds so that it can operate without IT for several days? This could include registration, safeguarding, conducting exams and classroom teaching.
  • Has the school looked at how it would operate if telephony was lost?
  • If IT systems are unavailable, this could affect security systems, including CCTV and access control. Staff may have to carry out the role of these systems manually. Are there enough staff to do this, and has it been planned?
  • Are you aware of your backup strategy, which data is backed up, and how often it is done? Hackers will try to destroy your backups, which makes recovery much more difficult. The National Cyber Security Centre suggests a 3-2-1 strategy: there should be three backups, two on site and one offline. Restoring from backups should be tested regularly.
  • Have you reviewed your data and assessed the impact if access to it is lost, or if the data is released on the dark web? Key data whose loss could have a large impact on operational delivery includes pupils’ work and financial information. Public release of safeguarding records and of pupils’ and staff’s personal information could have a major impact on those groups.
  • Have you decided whether you might offer credit monitoring to staff if their data is lost?
  • Has the organisation thought through whether it would close the school in response to a cyber attack or whether it would stay open?

People Impacts

  • Cyber incidents put huge pressure on IT staff, who often have to work seven-day weeks to restore systems. Do your plans take this into account, and are senior managers trained to recognise the symptoms of burnout and to act before there is a major health impact on IT personnel?
  • Dealing with the response is hugely time-consuming for senior managers and quickly becomes all-consuming. Is this written into your plans, and are those in your incident team aware of the tsunami of tasks and work a cyber incident brings? Senior managers also need to be aware that the response will not be over in days; it can take months and even years.
  • During the Harris incident, the hackers contacted random members of staff to get them to put pressure on the trust to pay. Do your plans include warning staff about this and telling them how they should respond if they are contacted?

Technical Response

  • When the Harris Federation had their cyber attack, they had to go out to the market to find a third party who could help them with the technical response, as they didn’t have the relevant expertise in-house. They couldn’t find a company in the UK, as they were all too busy, and so they had to use an Israeli company. Have you thought through who would provide technical support if your school or academy was the victim of a cyber attack? You may have to pay a retainer, or this service comes as part of cyber insurance.
  • Has there been a discussion to decide whether, if a cyber attack occurred, the organisation will take its systems offline? This could have a big effect on the organisation’s operations, but could prevent further spread and damage. Who has the authority to make the decision and carry it out? Can this be done at very short notice?

Communications and Reputation Management

  • Have you identified the key stakeholders you would have to inform in a cyber attack, and have you documented who they are, when they have to be informed, what their information requirements are, how they should be contacted, and what their contact details are?
  • Has the organisation thought through how it would communicate internally and externally if its usual communications channels are unavailable?
  • Has the drafting and sign-off of messaging been documented and practised in an exercise? Do you have the skills in-house to produce communications and deal with the media and social media, or do you need to identify a PR company who can assist you?
  • Have you documented how to report a cyber incident to law enforcement?
  • Will you negotiate with the hackers, even if only to buy time, or will this never be done?

Plan and Procedures

  • Alongside any technical response plans, do you have a cyber incident management plan, crisis plan or business continuity plan which deals with the operational response and the communications and reputational response to a cyber incident?
  • Has your organisation discussed and documented whether it would or would not pay a ransom?
  • Have your plans been exercised?

In discussing cyber attacks with academies, I am told they have no money, so why hackers want to attack them and then set a ransom at £3m seems a waste of the hackers’ time. Nevertheless, trusts are continuing to be attacked, and so they need to be prepared to manage an attack. The technical security to prevent an attack is important, but it is also very important that schools and academy trusts are prepared to respond to one. A good response will go a long way to mitigating some of the impacts of a cyber attack and to maintaining the organisation’s brand and reputation.
