The education sector faces mounting challenges in ensuring the security of its systems and data. According to the UK Department for Science, Innovation and Technology’s Cyber Security Breaches Survey 2023, schools and colleges continue to experience more cyber security breaches than equivalent businesses.
The same survey showed that schools are less aware of the available cyber security guidance than further and higher education colleges. One significant initiative aimed at bolstering cyber resilience within the education sector is the risk protection arrangement (RPA), which provides cover in the event of a cyber attack. Let's examine the cyber security elements of the RPA and its implications for schools.
What is the risk protection arrangement?
The risk protection arrangement is an insurance framework provided by the Department for Education. It safeguards schools in England against various risks, including cyber security threats. It offers financial protection and assistance to schools in managing and mitigating the impact of such incidents. Under the RPA, schools can access the resources and expertise necessary to help deal with a cyber security incident effectively.
To benefit from the cyber cover, schools must comply with four conditions:
- have offline backups
- ensure that staff or governors with access to the school’s information technology system undertake cyber security training
- register with Police CyberAlarm
- have a cyber response plan in place
Backup requirements
Regularly backing up your data is an essential part of any cyber security strategy. The RPA requires schools to meet the Department for Education’s cyber security standard relating to backups. The standard specifies that schools must have at least three backup copies of important data on at least two separate devices, and at least one must be off-site. At least one backup should be held entirely offline and only connected to your systems when absolutely necessary. This ensures that the backed-up data remains unaffected by any incident that impacts your live systems. The National Cyber Security Centre (NCSC) has guidance on how and where to hold your backups, including the 3-2-1 hierarchy.
Although not explicitly mentioned in the RPA, it is good practice to test your backups periodically. Your perfectly structured backup will be essentially useless if you cannot deploy it correctly when required. You should, therefore, test backups from all sources regularly and ensure staff are familiar with their roles in the event of needing to use them.
Crafting a cyber response plan for RPA compliance
The RPA outlines specific requirements for developing and implementing a cyber response plan. The plan should outline the steps to take in the event of a cyber incident, including who to contact and how to communicate with stakeholders.
To help schools ensure that they cover all the relevant areas, the DfE has published the Risk Protection Arrangement Cyber Response Plan Template [PDF]. The template sets out the actions to take in the event of a cyber security incident and covers defensive actions to take. These tactics will make any cyber attack less likely to be successful or less severe if it does breach the school’s defences.
A school's existing IT Security and Data Protection Policy may already include elements that can be included in the response plan. Other aspects of the template, such as communication templates to notify parents and carers of the impact, will be helpful when handling an incident and allow schools to concentrate valuable resources on actions to mitigate its effects.
Five key points to remember about creating your plan
- Ensure it is reviewed and maintained as per the schedule AND when staff members change.
- You may require input on some technical elements from your IT service provider.
- In the 'Critical Activities - Data Assets' section, allocate one of the specific timescales to each one as suggested. Non-specific timings such as "Immediately" or "ASAP" are not suitable or realistic response times.
- Keep an easily accessible copy of the response plan with other critical incident documentation as per school/MAT policy.
- This document is not unlike other documents you already have, such as your "Snow Day" plans. They may well be helpful when completing it.
Time spent creating a plan will help you identify technical or skills gaps in your ability to handle an incident.
Regular cyber security training
Effective cyber security preparedness extends beyond technical measures; it requires a well-informed and vigilant workforce. Whether your school has RPA cover or not, it is worthwhile for all staff to undergo cyber security training that equips them with the knowledge and skills to identify and respond to cyber threats effectively. Specifically, the minimum training requirement is for all employees or governors with access to the school's information technology system to undertake NCSC Cyber Security Training annually.
Police CyberAlarm registration
Participating in Police CyberAlarm is an additional layer of defence against cyber threats for schools. It is a free tool which helps users understand and monitor malicious cyber activity. This service consists of two parts: monitoring and vulnerability scanning.
The monitoring element of the Police CyberAlarm is a virtual server that will securely collect, analyse and feed data back to the Police CyberAlarm server. The data sent only includes metadata (logs) from internet-facing gateways and devices such as external firewalls.
Installing the monitoring tool is not essential. In the same way that a smoke alarm will not extinguish a fire, the monitoring tool itself provides no protection from a cyber attack. It merely monitors activity and sends data to the Police CyberAlarm server to build a picture of what is happening.
In conclusion, the Risk Protection Arrangement presents a vital mechanism for schools in England to mitigate the financial impact of cyber incidents. By adhering to RPA compliance requirements and implementing robust cyber security measures, educational institutions can enhance their resilience against evolving cyber threats.