To make sure your school is covered for Cyber Incidents under the RPA, school members need to ensure that four conditions are met:
This article deals with conditions one and four. Oh, and not forgetting a little snippet at the end on how to reduce the energy cost of your wireless network.
9ine’s Cyber Credentials
If you’re familiar with 9ine, you’ll know that our heritage is based in consultancy. This means we work day in, day out, supporting schools with technology, privacy, cyber and safeguarding challenges. In 2017, we launched our cyber practice, and have a dedicated team of professionals identifying, mitigating and managing cyber threats for our schools. This is through our Systems & Security and Cyber Vulnerability services. We regularly support schools in responding to cyber incidents, some serious, some not so - and in doing so, have developed strong processes and procedures to pre-empt cyber incidents, and also recover from them as soon as possible. Our team supports Edtech providers in identifying software vulnerabilities, therefore protecting the Edtech supply chain from cloud and SaaS based attacks.
All that said, since 2020 we have been developing in-house software, which essentially ‘operationalises’ our consultancy expertise into workflow, tools and resources for schools to use. We started with privacy, now we have three more products:
The relationship of regulation and cyber security
The GDPR, in May 2018, was a security regulation as much as it was around ensuring organisations understood and had legal reasons for collecting and using personal data. This messaging, however, was largely diluted by a number of ‘GDPR’ education specialists focusing on ‘fines’ and scare tactics rather than the actual core of what the regulation meant. Articles 25 and 32 place specific requirements on organisations to protect, and also be able to restore data when a security incident, such as a cyber attack occurs. What you are seeing now, not only with the RPA, but also further entrenched within the Academy Trust Handbook and other obligations for schools, is a realisation and manifestation in governance that privacy law is directly correlated to cyber risk. A joining up between the two if you like, when it comes to expectations, in being able to evidence how schools are managing their obligations and ability to respond when a cyber attack occurs.
Template Department for Education Cyber Response Plan
The DfE has created a template Cyber Response Plan, a link to which is at the bottom of this article. The document includes a comprehensive overview of the scope for planning, including useful resources such as an Incident Impact Assessment, Communications Template, Incident Recovery Event Recording Form and Post Incident Evaluation. These are incredibly useful resources which will support any school in preparing for a cyber attack. However, the forms are static, and not really supportive of investigatory analysis, impact assessment / evaluation, incident management, regulatory reporting or risk. The 9ine Cyber, Tech & Privacy Incident Management platform is though. More on that in a bit.
Managing the fallout of a cyber attack
When a cyber attack occurs time is the amplifier of damage. In many of our previous articles and webinars we have highlighted that many cyber attacks happen out of core school term time. We believe this is because it’s easier to remain undetected for longer, and in doing so, create more damage, and therefore more leverage that a school will pay a ransom demand. Through timely identification, assessment and response, a school under attack will be able to limit the damage, restore systems quicker, reduce the potential for exfiltration of sensitive personal data and mitigate costs.
The DfE Cyber Response Plan is designed to support immediate and appropriate action in the event of an IT incident, to enable, prompt reporting and recording of incidents and to have immediate access to all relevant IT system details supporting a response that is consistent and effective As a condition of the RPA, if you’re not able to demonstrate an ability to do those things, it’s possible the insurance cover of the RPA may be at risk. It’s also worth noting that if your cloud IT systems and on premise servers are compromised by the cyber attack, it’s unlikely that you’ll be effective in responding to an attack if all forms of assessment, communications and incident management are based on those school systems. This being one reason why we have built our Cyber, Tech & Privacy Incident Management Platform.
There are various stakeholders involved with responding to a cyber attack. The DfE Cyber Response Plan identifies roles and responsibilities for the Headteacher / Principal, Designated Safeguarding Lead, Site Manager, School Business Manager, Data Protection Officer, Governors, IT Lead and Teaching Staff. Each has an identified responsibility, and each has risks they need to qualify and evaluate. The capture of those disparate individual risks, and associated mitigating actions, form the tasks that need to be undertaken to manage the response to the attack. Yet collating and assessing those in a spreadsheet, or worse, notebook, make successful incident management very difficult. In using 9ine’s Cyber, Tech and Privacy Incident Management platform a single, collaborative record and response to cyber incidents is created. Central triage of the impact on IT systems, identification of safeguarding risks and additionally, evaluation of the impact on privacy in consideration for reporting to the ICO. The collective record provides all the information you need when reporting to the ICO, and responding to any further investigatory questions.
Recovering from a cyber attack
The specific nature of the technology in schools is very different from that in a commercial business context. When recovering from a cyber attack you’ll likely find that the atypical cyber specialist has limited benefit when seeking to restore systems and data in schools. Yes they can cleanse files and data for residual malware, but understanding the interconnectedness of device and user federation through interconnectors such as Wonde, Group Call, and Salamander - from experience, is very unlikely! In restoring data and systems, the data is the easy bit. Having access to the config files which set out how everything is glued together is often more challenging, and if you haven’t considered this detail within your planning, you can significantly extend the rebuild time. Another area that is often overlooked is software, licensing and image deployment. Without having ease of access to the software that needs to be deployed on PCs, and the associated licensing, getting back to business can be a challenge. Whilst PCs and Laptops can be re-imaged relatively quickly, deploying the software and applications needed to work / teach can have a lingering impact.
Lessons learnt
Every IT and privacy related incident will identify lessons to be learnt. A component of privacy related law is having evidence that you have learnt from those lessons, and having evidence of what you have done. This message is reiterated by the DfE. Along with the many benefits of 9ine’s Cyber, Tech & Privacy Incident Management is integrated task, risk and lesson management. Providing an audit trial of all tasks, risks and lessons which have been identified and undertaken. I can almost hear you ask how you get your hands on this amazing piece of technology!
Why our expertise and software is useful to schools - and how to access it
Our pedigree in supporting schools in security hardening, implementing privacy management programmes, independent auditing IT systems, having internal software development capability and an in-house cyber security team gives us knowledge, expertise and credibility to create solutions that work for schools. In this blog I have mainly spoken about incident response, but our newly launched Governance module provides a solution for implementing and auditing Network Security, Business Continuity & Disaster Recovery and Safeguarding Systems Management (Critical for KCSIE 2022).
To learn more about our services or have a demo / trial of our incredibly useful and very timely software solutions, get in touch below.
PS: Link to the DfE Cyber Response Plan
Saving money on your wireless network
Taking an average Aruba access point which is consuming 11W of power an hour, over 24 hours, that is 13.73 pence of electricity based on the October price cap. Multiply that by 50 access points, and your school is spending £6.86 a day on energy for wireless access points, or £2,503.90 over the course of a year. By A) configuring them to go into sleep mode after the school day finishes or B) configuring them to turn them off overnight, you’ll save at least £1,000.00. If you have more than 50 access points, the savings could be an awful lot more. Now with that saving in mind, reinvest it in an affordable Cyber Incident Management Platform or Cyber Vulnerability Assessment from 9ine :)