Are you cyber security savvy? Gary Henderson explores a practical approach to cyber security in schools and trusts, focusing on planning for the worst-case scenarios rather than just technical defences

At the time of writing this article, we are mid-way through the summer holiday period, and – before the start of the new academic year (including its normal opportunity for annual data protection, cyber security and other training) – I decided to give some consideration to what is new and provide an update in relation to cyber security in schools and trusts.

Now, I and many others have written about cyber security, and the things schools and other organisations need to do to remain safe, so there is a wealth of advice already out there. So, for this cyber security piece, I have decided to do something a bit different. What if, rather than spending so much time on defences – on firewalls, permissions, patching, user awareness, EDR, MDR, SOCs and a million other acronyms – we stopped and said, ‘we are going to suffer an incident, so let’s just consider the worst-case scenario and work out what we might do about it’?

Let me start by proposing a couple of the most common incident types as I see them:

Third party incident resulting in service loss and data exfiltration

This is an increasingly significant risk as more and more data is stored by third parties used by the school. This might be a cloud-hosted MIS, the platform used for safeguarding, or the host of the school’s website. It could be a catering company which includes a cashless catering capability. When the company suffers an incident, the data still belongs to the school, so the incident is the school’s responsibility from a data protection point of view.

Credential compromise resulting in data exfiltration and possible ransomware

This is a likely risk and relates to a school user account becoming compromised, resulting in all the data that account can reach being equally accessible to a criminal. Now I hear you say, “but we have MFA”; however, MFA isn’t perfect and can be bypassed, so let’s work from the position that it has been, that it was a teacher’s or leader’s account, and therefore that access to the MIS was possible and data possibly exfiltrated.

Third party technical failure

IT outages happen; just look at the CrowdStrike incident, so we need to consider the risk. This might be the school’s MIS, or it might be the internet service provider, or even productivity suites such as Google’s Workspace for Education or Microsoft’s Office 365. Whatever the third party solution, any outage will have an impact on schools and colleges.

So, what can we do?

Authority, contact details and thresholds

The first thing we need to establish is who has the authority to call a critical incident. This information should already be included in the school’s critical incident plan, which should be easily accessible, including offline in case IT systems become inaccessible. It should include consideration for holiday periods or other times when key staff members may be out of contact, and therefore identify alternative staff with the relevant authority, as well as the contact details of the key people and organisations which may be required to support the response to an incident. It should also identify what the threshold is for a critical IT incident versus a normal day-to-day IT issue, to ensure that the plan isn’t unnecessarily instigated, causing stress and concern where there is no need.

Know your data

The next thing we need to have in place is knowledge of what data you have and where it is, including what data is held in third party platforms. For example, if your MIS is compromised you need to know what data may have been accessed, including the types of individuals involved, rough numbers, and whether any high-risk data may have been involved. This information should already be available in your Record of Processing Activities or an Information Asset Register, but do you know where this is stored, and could you get hold of it during an incident? Knowing what data is involved will help response and reporting efforts.
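To show what “know your data” and a written-down incident threshold look like once they are captured somewhere an incident lead can actually query, here is a small offline triage helper. It is an added example, not code from the original article or from any school’s incident plan. The register entries, record counts, the 100-individual threshold, the list of core services and the authority chain are all constructed placeholders; a real school would populate them from its own Information Asset Register and critical incident plan.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InformationAsset:
    name: str
    platform: str        # in-house system or third-party service holding the data
    data_subjects: str   # whose data it is: pupils, staff, parents
    approx_records: int  # rough number of individuals, as the register would record it
    categories: tuple    # kinds of personal data held
    high_risk: bool      # special category, safeguarding or financial data


# Constructed sample register: names, platforms and figures are placeholders,
# not any real school's Record of Processing Activities.
REGISTER = (
    InformationAsset("Pupil records", "MIS", "pupils", 900,
                     ("name", "DOB", "address", "SEN status"), True),
    InformationAsset("Staff HR records", "MIS", "staff", 120,
                     ("name", "address", "bank details"), True),
    InformationAsset("Safeguarding logs", "Safeguarding platform", "pupils", 150,
                     ("name", "concern notes"), True),
    InformationAsset("Catering accounts", "Catering provider", "pupils", 850,
                     ("name", "balance"), False),
    InformationAsset("Website content", "Website host", "n/a", 0, (), False),
)

# Constructed threshold: a breach touching this many individuals is treated as critical.
CRITICAL_RECORD_THRESHOLD = 100

# Constructed list of platforms whose outage alone stops the school operating.
CORE_SERVICES = {"MIS", "Internet service provider", "Productivity suite"}

# Constructed authority chain: who may call a critical incident, most senior first.
AUTHORITY_CHAIN = ("Headteacher", "Deputy Headteacher", "Business Manager", "Chair of Governors")


def assets_on(platform):
    """Every register entry held on the named platform."""
    return [a for a in REGISTER if a.platform == platform]


def impact_summary(platform):
    """What a compromise of this platform would expose, as a dict for the incident log."""
    assets = assets_on(platform)
    return {
        "platform": platform,
        "assets": [a.name for a in assets],
        "data_subjects": sorted({a.data_subjects for a in assets if a.approx_records}),
        "approx_records": sum(a.approx_records for a in assets),
        "categories": sorted({c for a in assets for c in a.categories}),
        "high_risk": any(a.high_risk for a in assets),
    }


def is_critical(incident_type, platform):
    """Apply the written threshold: True means invoke the critical incident plan,
    False means handle it as a day-to-day IT issue."""
    summary = impact_summary(platform)
    if incident_type == "data_breach":
        return summary["high_risk"] or summary["approx_records"] >= CRITICAL_RECORD_THRESHOLD
    if incident_type == "outage":
        return platform in CORE_SERVICES
    raise ValueError(f"unknown incident type: {incident_type}")


def incident_lead(unavailable=frozenset()):
    """First person in the authority chain who is contactable, e.g. not away over the holidays."""
    for person in AUTHORITY_CHAIN:
        if person not in unavailable:
            return person
    return None


if __name__ == "__main__":
    for incident_type, platform in (("data_breach", "MIS"), ("outage", "Catering provider")):
        verdict = "CRITICAL" if is_critical(incident_type, platform) else "day-to-day"
        print(incident_type, "on", platform, "->", verdict, impact_summary(platform))
    print("Incident lead with the Headteacher away:", incident_lead({"Headteacher"}))
```

Because the script has no dependencies and reads only its own embedded register, a copy on a laptop or printed alongside the plan still answers “what was on that platform, roughly how many people, and is it high-risk?” when the MIS and cloud drives are the very systems that are down.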

Comms, comms and more comms

During an incident, one of the key processes is communication: internally with staff; externally, potentially with parents and the press; and also with regulators or other supervisory bodies. Now, the specific communications will vary with each incident; however, you can easily prepare some template communications in advance. You can also consider and document which channels are available for communicating, including the school’s website, social media, messaging platforms, etc. This will reduce the stress of drafting such communications and working out how to distribute them during an actual incident.

Working through a possible incident

The main thing you can do, in preparing for the worst, is to gather the relevant staff together and discuss what an incident might look like and how you might respond. We are not talking about the IT requirements here but in terms of the school’s wider operation. Will the school be closed? Will it remain open? How will you communicate with parents? If it was a data breach, what will you say to parents and students? It is about working through the process now when it is safe to do so, rather than waiting to do it in the midst of a cyber incident.