Cyber-crime can have a devastating impact on schools. In this blog post Louise Green from the Department for Education's Schools Commercial Team, hears from three schools that have suffered cyber incidents and explains the benefits of joining the risk protection arrangement (RPA), the DfE's alternative to commercial insurance.
Cyber crime
Ensuring schools and trusts have robust measures in place to reduce the risk of cyber-crime is paramount.
Hopefully, you will never encounter a problem or have to deal with the aftereffects a cyber incident can have on your school. We live in a time of increased reliance on IT and online systems, and consequently this increases the risk of a cyber-attack.
We acknowledged this increased risk and the concerns raised by schools, when the department took the decision to add cyber to the wide range of cover within of the RPA.
If your school is already an RPA member, here's a quick reminder of the four conditions to ensure you are fully covered, you must:
- have offline backups - this will minimise disruption
- make sure all employees or Governors who have access to the school's information technology system undertake NCSC Cyber Security Training annually - this shouldn't take longer than about 30 minutes
- register with Police CyberAlarm - you don't need to install anything unless you want to
- have a Cyber Response Plan in place - this will help make good decisions under pressure should an incident occur
A cyber incident can be time consuming and expensive to put right and potentially affect your schools' ability to function. It is increasingly important to make sure you have sufficient, reliable cyber cover. Through the RPA cyber cover, help is just a phone call away, 24 hours a day should an incident occur.
Through the RPA's cyber incident cover, experts will be on-hand to guide and support you to rectify the situation as quickly as is possible.
I've spoken to a number of schools who were unfortunately impacted by a cyber incident. Luckily, they were all RPA members who had made sure the four components for cover were completed, so they were able to tap into the support available and avoid what could have been a very costly bill for their schools.
Hayley Kellett from Settle College in Settle, North Yorkshire, told me:
"When a cyber incident occurred in our school, we found the reporting process quick and easy, which is just what was needed when something like this happens. We would recommend if a cyber incident happened to others that use a cashless catering system, that they try and get an alternative in place as soon as possible e.g., bring in the use of a cash register.
You need cyber-attack insurance. Cyberclan was invaluable, leading the whole investigation, guiding our IT staff on the rebuild, advising the ICO officer, holding regular online update meetings and providing a constant point of contact for school queries and support. They have the expertise and tools to manage cyber incidents, but crucially also in customer support.
This is an important learning point, to stop using plug-in memory devices and store documents in the cloud. Initially you just don't know what has caused the problem and so you can't assure people one way or the other and anyone with a connection will block your access to protect themselves."
Settle College are RPA members who had met the required cyber cover conditions, so were able to avoid costs of around £128,000.
Ken Robb, Finance & Resource Director from The Bridge Academy in Hackney, London said:
"It was a Saturday afternoon in September 2022 when our school was subject to a cyber-attack. Within an hour of contacting the RPA helpline we had a call back from Cyber Clan who started their action plan immediately. They led us through the process of securing our systems, monitoring, and stopping the malicious activity and establishing how the attackers had gained access. They worked through the weekend and for some weeks to come to ensure the threat was acted on and to ensure we had improved security put in place. Without the RPA cover and Cyber Clan help we would need to have found a cyber security company, agreed terms, and met the cost from our own resources, all in an emergency situation. It would have undoubtedly been slower, more expensive and led to worse outcomes.
Both for the quality and speed of the service and for the relatively low cost I would definitely recommend the RPA cover. Contacting the RPA is now the first and most important action on our cyber-attack plan."
And lastly, I spoke to Claire Curchin, Business Manager at Bishop Stopford School in Headlands, Kettering, she told me:
"Our school was notified by DfE cyber response team that there was an incident, and our remote credentials were for sale on the dark web. Our schools cyber plan was immediately activated that evening and all remote access was switched off so if someone were to purchase the credentials, they would not have access to the network.
What was a very stressful time - where potentially we could have lost everything, CyberClan kept us grounded and their support helped us to get through it. We felt we were in safe hands and had their full support. The staff and students didn't see any change and other than changing their passwords, they were not impacted. Without CyberClan we would not have known where we were at that point. We have the reassurance of knowing that we have done as much as we possibly could do and the expertise, they brought was invaluable."
As RPA members, Bishop Stopford School avoided a £45,000 bill following a cyber incident at their school.
Find out more
There's more information about RPA cyber cover on our "RPA members - if an incident were to happen, is your school cyber secure and are you covered?" blog.
In addition to cyber cover, joining the RPA offers a wider range of benefits to schools and is a valuable safety net that can help to protect your school's finances, here's a quick summary of some additional benefits:
- simple, standardised membership terms and conditions. This makes it easy to understand what is covered by your membership and how to make a claim.
- dedicated 24/7 helpline
- network of experienced professionals who can provide advice and support
For more information about the RPA, please visit the GOV.UK RPA website or contact schools.commercial@education.gov.uk .
If you've found this article useful and want to learn more about how we're supporting schools, click 'sign up and manage updates' to subscribe to our blog and receive notifications when we next post.