This month, October, has been Cyber Month 2023. In our role as DPO, we support schools in reducing their risk of cyber attack but we are also there to support a school if the worst has happened and they have suffered from an incident. The importance of understanding these threats and taking the appropriate steps to protect sensitive information can’t be overstated.

We want to spend a few minutes looking at the possible consequences of a cyber attack, how to respond if you have been affected, and some strategies for minimising the risk to your school or Trust.

#CyberMonth2023

Cyber Attacks – A Grim Reality

Let’s take a closer look at the harsh reality of cyber attacks. For instance, documents stolen from Pate’s Grammar School (Schools hit by cyber attack and documents leaked – BBC News) were comprehensive, with hackers taking documents using generic search terms. One folder marked “passports” contained passport scans for pupils and parents on school trips going back to 2011, whereas another marked “contract” contained contractual offers made to staff alongside teaching documents on muscle contractions. Yet another folder marked “confidential” contained documents on the headmaster’s pay, and student bursary fund recipients.

Such incidents raise several concerns. For instance, were records appropriately processed? Were retention schedules adhered to? Should all of the data been available for the hackers to access? Was appropriate access control in place for different levels and roles of users? Would multi-factor authentication on user accounts have prevented this attack? Had staff received Cyber Security training to help reduce risk against common threats?

What to Do When Things Go Wrong

Despite best efforts, there are times when things do go wrong, and it is crucial to know how to respond to a cyber attack. In such cases, there are a number of steps you should take including reporting the incident to the relevant authorities:

✅ Incident Identification and Assessment:

  • Prompt identification of the cyber incident, its nature, and the extent of the breach is crucial. Employing intrusion detection systems and monitoring the network for anomalies can expedite this phase. 
  • If they are not already involved at this stage, bring in key support functions such as your IT Support and Data Protection Officer!

✅ Containment and Eradication:

  • Once identified, efforts should be directed towards containing the incident to prevent further damage. This includes isolating affected systems and removing malicious codes.

✅ Notification to Relevant Authorities:

  • Department for Education (DfE):
    Especially if the Management Information System (MIS) is compromised, informing the DfE is a procedural necessity. Their contact for reporting cyber incidents is sector.securityenquiries@education.gov.uk.
 
  • Action Fraud:
    The UK’s national reporting centre for fraud and cyber crime. Reporting can be done by calling 0300 123 2040 (option 9) or at https://actionfraud.police.uk.
 
  • Information Commissioner’s Office (ICO):
    As the national data protection authority, reporting a significant breach to the ICO within 72 hours is a statutory obligation under the GDPR. If the cyber attack involves a personal data breach, it is likely that this will meet the threshold for reporting to the ICO.
 
  • National Cyber Security Centre (NCSC):
    The NCSC has a new Cyber Incident reporting tool that can be accessed here at https://report.ncsc.gov.uk. They also have a Cyber Incident Signposting Service (CISS) which can provide guidance on who else to report to based on the specifics of your particular incident and your location within the UK.
 
  • Cyber Security Insurance Provider:
    Notify your insurance provider to understand the coverage and the support they can provide in managing the incident.
 
  • Local Authority Designated Officer (LADO):
    If the breach involves safeguarding issues, the LADO should be informed.

 Communication with Stakeholders:

  • Clear communication with stakeholders including staff, parents, and the governing body is essential. This should include the nature of the breach, the steps taken to remedy it, and how future incidents will be prevented.

✅ Utilize the NCSC’s Suspicious Email Reporting Service (SERS):

  • Forwarding suspicious emails such as phishing attempts to the NCSC’s SERS can help prevent further phishing attempts and contributes to the national cyber security resilience.

✅ Recovery and Lessons Learned:

  • Restoring and validating system functionality for school operations is critical. Post-incident analysis to understand the root cause and implementing lessons learned to prevent future incidents is a key component of organizational resilience.

✅ Engagement with Cyber Security Professionals:

  • Engaging with cyber security consultants to audit and enhance the school’s cyber security posture is a prudent step towards fortifying the institution against future threats.

Questions from the Information Commissioner's Office (ICO)

In the event of a cybersecurity incident, the ICO will want to know several details. This list is not exhaustive but the details they will request include:
  • how the threat actor gained access to your systems;
  • an itemised list of the affected personal data;
  • the number of data subjects affected by the incident;
  • whether any data has been permanently lost;
  • your assessment of the likely risk to the data subjects;
  • the measures you are taking to prevent a reoccurrence of the incident;
  • information about compromised accounts;
  • your password and account management policies;
  • your incident response plan; and
  • what staff training about phishing attacks and account compromises you have in place.

Prevention: The Best Strategy

Though it’s important to know how to respond to cyber threats, prevention is still the best strategy. Schools and colleges are advised to follow the cyber security standards outlined by the government
 

These include using properly configured boundary or software firewalls, enabling security features on network devices, and implementing multi-factor authentication for accounts with access to personal or sensitive operational data. 

Regular backups of important data, having a business continuity and disaster recovery plan, and conducting a Data Protection Impact Assessment (DPIA) as required by GDPR are also crucial precautions. Lastly, all staff with access to school IT networks should be trained in the basics of cyber security.

More detail on the Cyber Security Standards can be found on GOV.UK and we will be publishing our own guide in the future.

 

How We Can Help

A reminder to you that we offer Cyber Security Training for School Staff which has become an annual training requirement for those schools that are RPA members with Cyber Cover. If you are not an RPA member, it would be worth checking your own cyber cover to see if there are any similar conditions.

We also provide our Cyber Security Standards Audit Tool to help schools audit, monitor and improve their cyber security measures. This is built into our existing data protection portal audit tool.

By understanding the threats and implementing proper security measures, we can significantly reduce the risk of cyber attacks and protect our sensitive data.

If you have any other questions about this or any other data protection topic, please contact us at DPO@schoolpro.uk.

Stay safe and healthy,

The SchoolPro TLC Team

 

SchoolPro TLC Ltd (2023)

SchoolPro TLC guidance does not constitute legal advice.

SchoolPro TLC is not responsible for the content of external websites.