Your school should identify those individuals who will need to be contacted in the event your school is subject to a cyber incident. Your team should include all those who have responsibility for your school's running and safeguarding. Contact details for those identified should be recorded, so that if school email systems are lost, contact details are recorded.

These should include contact details of:

The School headteacher

Members of the SLT

Governors who have been identified as part of your team

Local Authority contacts - Log alert under TopDesk and mark as Priority 1

School business manager

School technician - note a contact phone number for your school Federated Technician/IT Network Manager

Cyber incident response company/Data Protection Officer

Other members whom the school choose to add

A Cyber Incident can gain access to your digital infrastructure through several ways; those which are most common are:

1. Through Email, via Phishing emails, with attachments or with links

2. Malicious Downloads, staff/learners download files which have malware to attack the school's systems

3. Weak or stolen Passwords, staff or learners with simple passwords which can be guessed, allowing access to school systems

4. Unpatched software, not updating software, where security patches have been released, or using outdated software without security updates

5. Ensure Anti-virus software is up to date on devices (your school's Federate Technician can facilitate this)

6. Infected USB drives, staff or learners using personal storage devices on school devices.

7. 3rd-party Apps, where schools use additional applications which have access to core digital applications

8. Denial of Service attacks, when the school's website/network is inundated with access requests

Knowing that these are possible aspects which could be used to access your school's infrastructure, there are steps which can be taken to minimise each of those listed above.

1. Through Email, staff training to understand how the content of an email is used to elicit a response from the receiver and understand that only attachments and links from known senders should be opened, schools working through the Hwb platform have additional security through the filtering provided by the Welsh Government 

2. Malicious Downloads, staff and learners should not be downloading additional software to their school-issued devices

3. Weak or stolen Passwords, ensure strong passwords are used, and Multi-factor Authentication is applied where possible. Schools using Hwb have MFA applied for their staff as a default. 

4. Unpatched software, ensure that the software is regularly updated, and that out-of-date software is removed from school systems

5. Infected USB drives, USB drives should no longer be used by school staff or learners unless necessary. Schools should be making use of online storage to avoid the use of USBs

6. 3rd-party Apps, schools should complete due diligence on the 3rd-party applications used and assess the levels of data collection and access which they require. This can be done by your school's Data Protection Officer (DPO) completing a Data Protection Impact Assessment (DPIA)

7. Denial of Service attacks, schools can ensure their procedures can cope with a failure of their school's website

Your plan should:

1. Have the contact details of your cyber response team printed out and in a secure place

2. Have a list of applications/programs which the school uses as part of its daily processes

3. Identify which of those applications can have MFA activated

4. Identify the data that each of the applications collects when used, e.g. name/email/address/bank details/medical/phone numbers

5. Assess and create a possible 'workaround' for an application that is unavailable due to a cyber incident 

6. Ensure the school has a printed list of all suppliers if the school has no access to digital records or the internet

What your school should do as soon as you suspect there has been a cyber incident:

1. Contact Flintshire Support or Hwb via telephone, depending on the system affected and...

Start to document the incident, times, devices and individuals:

• What has led to the incident? 

• Can it be traced to an individual account or device?

• Make a record of any messages from those responsible.

2. Assess the level of impact on the affected application and the school's processes

NB. It is important that the school has developed a 'No Blame Culture' to avoid any delay in the reporting of any cyber incident.

What your school should do as soon as you confirm there is a cyber incident:

1. DO NOT TURN OFF THE AFFECTED DEVICE, REMOVE WIFI ACCESS AND ISOLATE TO SUPPORT FUTURE INSPECTION

(unplug the desktop network lead/laptop/Chromebook/iPad, disconnect from wifi access)

2. DO NOT LOOK TO REPLICATE THE ISSUE ON ANOTHER DEVICE

3. FOLLOW SUPPORT FROM THE LOCAL AUTHORITY- including when and who to notify at specific stages.

4. Use your Cyber Response Plan to assess the impact of the Cyber Breach

What to do once your issue is resolved:

1. Ensure the affected services are accessible again, and where applicable, patches are applied 

2. Ensure that reassurances have been made that the performance is at the level pre-attack

3. Monitor the performance of the affected applications/tools/programs

What could be done differently to improve procedures?

1. Were all additional precautions identified in Step 3 taken?

2. Was the use of time from the initial breach being identified to the next steps as swift as possible?

3. Based on how the breach occurred, does the school need to reassess the applications/tools which are used to support teaching and learning?