In April 2022 the department included cyber cover as part of its Risk Protection Arrangement (RPA). We are almost a year on and Katy O’Connor, RPA Future Projects Strategy and Delivery Lead thought it was a good time to check in and see if all members are taking full advantage of this vital cover.
Cybercrime has no boundaries; nothing is off limits and that includes all our schools. Cyber security should be high on the agenda for any school with a reliance on IT and online systems.
A cyber security incident can affect your schools ability to function, it can be very costly and time consuming to put right, which is why the cover included as part of the RPA is so important. But what is also important is to make sure that your school has met the required conditions to claim should an incident occur.
Let’s start with a quick reminder about what the conditions of cyber security cover are – there’s only four. To make sure your school is covered, you must:
- have offline backups
- make sure all employees or Governors who have access to the school’s information technology system undertake NCSC Cyber Security Training
- register with Police CyberAlarm
- have a Cyber Response Plan in place
If you don’t meet these conditions and an incident occurs, you will not be covered.
We want to make sure you are taking full advantage of this cover to protect your school, so we’re going to look at each of the conditions little more closely to try and answer any questions and/or concerns you may have.
Let’s get started ...
Condition 1. Must have offline backups
I want you to take a moment to think about how much of your school business is reliant on IT systems and the data stored in there, I would imagine it will be most of it. Now, take a moment to think about how you would continue to function if something were to happen to that data.
The purpose of an ‘offline backup’ is to minimise disruption (or as much as possible) should any incident impact your live environment. Making sure you have and take regular backups of your data is incredibly important so it can be restored as quickly as possible.
Here are a few tips from the NCSC website for you to consider:
- Identify what data you need to back up – what is essential data that your school cannot function without
- Keep your backup separate from your computer – this could be on a USB stick, a separate drive or a separate computer
- Make sure access to data backup is restricted so that they are not accessible by all staff and not permanently connected (either physically or over a local network) to the device holding the original copy
- Consider the cloud – this is a service that means your data is physically separate from your location. Most providers offer a limited amount of storage space for free. If you need any help procuring a service, contact the free DfE Get help buying for school service. The NCSC website also has some useful Cloud Security Guidance
- Protect all devices on every network with a properly configured boundary or software firewall – this will protect your backup from malicious activity on other networks
- Make backing up part of your everyday business – okay, its not the most interesting job, but vital and the majority of network or cloud storage allow you to make backups automatically. But taking this time is so important to make sure you have the latest versions should you need them
- Keep multiple backups and logically separate them - that way if one is compromised, at least another remains. The NCSC suggest following the ‘3-2-1’ rule; at least 3 copies, on 2 devices, and 1 offsite
Your cyber cover as an RPA member includes any actual or suspected unauthorised access to any computer or systems. If you have any concerns, no matter how small contact the 24/7 dedicated helpline 0800 368 6378 or RPAresponse@CyberClan.com. Taking action immediately, could save your school time and money.
Condition 2. All employees or Governors who have access to the Member’s information technology system must undertake NCSC Cyber Security Training
It’s important to ensure all staff members have cyber security awareness as this will help keep them vigilant towards the latest threats. This is why it is a requirement condition for all employees and Governors to undertake the free NCSC Cyber Security training.
The NCSC Cyber Security training material uses real-life case studies to help you understand how cyber incidents can affect a school environment. It comes in two formats, you don’t have to do both, they deliver the same material so you can choose which will work best for your school. Choose from either:
- a scripted presentation pack for group delivery, or
- a self-learning video for staff to complete by themselves.
I know there has been some concern about how long this training will take and difficulties fitting this in an already busy day. Be assured, the training should take no longer than 30 minutes. At the end of the training, it is important to complete the training certificate so you can demonstrate your cyber security awareness training.
All employees or governors who have access to the Member’s information technology system must undertake NCSC training annually.
Condition 3. Must register with Police CyberAlarm
I want to dispel any concerns about this condition and whether you need to install the Police CyberAlarm software tool.
You do not need to install anything unless you want to, the RPA condition of cover is to just to register with Police CyberAlarm. By registering it will connect your school to the local Police Cyber Protect team who will ensure you are notified of any known threats by email. When you register, you will receive email confirmation. This confirmation will also include the option for you to install CyberAlarm Software, you do not have to do this, as long as you have registered, you will be covered as an RPA member.
If you did want to install the CyberAlarm software, it is free and gathers data that can identify any malicious activity or if an attack has taken place. There are of course advantages to installation, for example some schools were identified to have misconfigured firewalls that left virtually all ports open to allowing suspicious traffic through. Because they had installed the software, the Local Force/Regional Protect Teams contacted them to highlight the issue.
Installation was not made a condition of RPA cover because there are a number of technical circumstances where it is not possible.
Condition 4. Must have a Cyber Response Plan in place
Effectively detecting, responding, and resolving cyber incidents can be stressful. Putting a plan in place on how to handle cyber incidents will help you to make good decisions under pressure should a cyber incident occur. It will help to identify if there are any gaps in your incident handling capabilities and is a critical step towards a robust and effective incident management and technical response.
A basic plan should include:
- key contacts – including the 24/7 dedicated helpline 0800 368 6378 or RPAresponse@CyberClan.com
- escalation criteria – making sure people have the knowledge and authority to make critical decisions
- a basic flowchart or process – that guides and informs co-ordinating functions
- at least one conference number
You need to make sure the cyber response plan, in whatever format it takes, works for you and the key members of staff that will be required to act. There is a template available to download from RPA Information & Documents or by emailing RPA.DFE@education.gov.uk.
As an RPA member, your cyber cover includes any actual or suspected unauthorised access to any computer or systems. If you have any concerns, no matter how small contact the 24/7 dedicated helpline 0800 3686378 or RPAresponse@CyberClan.com they are there to help you.
….. and finally
If the worst happens and you need to make a cyber claim, there is a range of support designed to simplify the claims process for you.
You can call the 24-hour 365-day emergency helpline to start the process and you’ll be provided with a named account manager to help you through the claims process, plus access to a dedicated portal for claims handling. Subject to the conditions being met and consequently a valid claim, your RPA cyber cover will provide expert loss adjusters and legal advisers and the incident response service may determine that on-site support is appropriate.
Whilst we have only stipulated four conditions for RPA cover, there are many other measures that you can carry out to improve your cyber security, including registering with the NCSC Early Warning Service.
If you have any questions or would like more information, contact: RPA.DFE@education.gov.uk
Join the RPA today
If you have read this and you are a public sector school that is not currently an RPA member, joining is simple and takes less than 5 minutes.
If you would like to know more or have any questions, you can contact the DfE’s Schools Commercial Team.
The team also run regular webinars providing additional information about the RPA, the benefits of being a member and real-life case studies where membership has saved schools time and money and most importantly reduced the risk of lost school days. If you follow the Buying for schools LinkedIn page, it contains details of all these webinars and much more.
There are no forms and RPA operates on a no material fact disclosure basis, so we don’t need estate, buildings or contents valuations and we don’t review your schools risk rating. There is also no annual renewal process – your membership will just roll over to the next year.
If you've found this article useful and want to learn more about how we're supporting schools, click 'sign up and manage updates' to subscribe to our blog and receive notifications when we next post.