Having offline backup capability, and using it properly, is a requirement of the cyber threat cover included in the DfE’s risk protection arrangement (RPA). Many schools are asking for guidance to ensure their backup arrangements meet the criteria. This blog sets out what you need to do.
The Risk Protection Arrangement guidance on offline backups asks schools to consider three elements of a backup strategy.
What to back up?
It’s vital that you can access the right data from backup in the event of an incident that makes your usual systems unusable. The Cyber Response Plan template contains a list of what should be included in your critical data. At the very least, you should consider how you would access registers, staff/pupil contact details and current child protection concerns.
Other items on the list include (but are not limited to):
- Main File Server
- School MIS
- Cloud Services
- Third Party Applications / Software
- Email Server
- Curriculum Files
- Teaching Staff Devices
- HR / Personnel Records
Is your backup secure?
Backups should be held entirely offline and not connected to your systems until absolutely necessary. This is to ensure that the backed-up data remains unaffected by any incident that impacts your live systems.
The NCSC has guidance on how and where to hold your backups, including the 3-2-1 hierarchy.
Have you tested your backup?
Your perfectly structured backup will be essentially useless if you cannot deploy it correctly when the time comes. You should therefore test backups from all sources regularly and ensure staff are familiar with their roles in the event of needing to use them.
Wider considerations about backup and how to make your backups effective
- What is a backup for?
Backups are no longer a way of retrieving files that have been accidentally overwritten or deleted. That is much more easily done through shadow copy or versioning.
Backups are now predominantly about the ability to recover from a disaster, such as a fire, flood, hardware failure, or cyber attack.
For the RPA scheme, backups should be the last safe bastion against a cyber attack.
- Don’t forget any assets
It’s easy to overlook data stored in the cloud with a service provider. Consider all your data in its various locations such as Office 365 or Google Workspace, MIS data in the cloud and cloud-based HR or finance systems.
- Understand your relationship with the service and/or the service provider.
For example, Office 365 contains many data storage elements including Teams, SharePoint, OneDrive and email. You can restore some of these through the native retention periods, but this may not protect you against ransomware.
Do the provider’s retention policy and default protection meet your needs, or should you be backing the data up yourself?
- Do you have any responsibilities toward online services that you must meet to be covered by them?
For example, Salesforce, globally the biggest CRM SaaS provider, made it mandatory for users to enable Multi-Factor Authentication.
- Is your backup as secure as it could be?
Backups are not your secret weapon. Today’s cyber criminals expect you to have your data in a backup. Their ransomware will look for it and attack it if possible.
Your backup solutions should minimise this possibility; key attack points are staging servers, localised software and AD login credentials.
- Additional protections available in backups
Most modern backups offer the additional protections of malware and virus detection and remediation, so even if your other protection systems miss something, the backup will catch it.
- Classify your data
The easiest way to do this is to put your data into types, look at owners and then assign it a classification.
For example, OneDrive spaces could be classified as follows:
| Data Type | Owning group | Classification - Reason |
| --- | --- | --- |
| OneDrive | Bursar | Critical – Confidential files |
| OneDrive | Teachers | High – lesson plans in development (finalised versions stored centrally) |
| OneDrive | Year 11 | Critical – Exam work and Exam projects |
| OneDrive | Year 7 | Low – inconvenient if lost but not exam work |
A good starting point would be the Cyber Response template for the 4th requirement for the RPA.
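As an added illustration (not part of the RPA guidance or the original blog), the short Python script below checks a classified asset list against the questions above: is each item classified, is a copy held offline, and has a restore been tested recently enough. The asset records, the owner names for the MIS and email server, and the restore-test age limits are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy values (not from the RPA guidance): the maximum age of the
# last restore test, in days, for each classification level.
MAX_TEST_AGE_DAYS = {"Critical": 90, "High": 180, "Low": 365}

@dataclass
class Asset:
    name: str
    owner: str
    classification: str                 # Critical / High / Low, as in the table
    offline_copy: bool                  # copy held disconnected from live systems?
    last_restore_test: Optional[date]   # None means a restore was never tested

def audit(assets, today):
    """Return {"name / owner": [findings]} for every asset failing a check."""
    findings = {}
    strictest = min(MAX_TEST_AGE_DAYS.values())
    for a in assets:
        issues = []
        if a.classification not in MAX_TEST_AGE_DAYS:
            issues.append("unclassified")
        if not a.offline_copy:
            issues.append("no offline copy")
        if a.last_restore_test is None:
            issues.append("restore never tested")
        else:
            # Unclassified assets are held to the strictest limit.
            limit = MAX_TEST_AGE_DAYS.get(a.classification, strictest)
            age = (today - a.last_restore_test).days
            if age > limit:
                issues.append(f"restore test {age} days old (limit {limit})")
        if issues:
            findings[f"{a.name} / {a.owner}"] = issues
    return findings

# Constructed sample inventory, loosely following the classification table.
SAMPLE = [
    Asset("OneDrive", "Bursar", "Critical", True, date(2024, 1, 10)),
    Asset("OneDrive", "Year 11", "Critical", False, date(2024, 5, 1)),
    Asset("OneDrive", "Year 7", "Low", True, None),
    Asset("School MIS", "Office", "Critical", True, date(2024, 5, 20)),
    Asset("Email Server", "IT", "", True, date(2024, 5, 20)),
]

if __name__ == "__main__":
    for label, issues in audit(SAMPLE, date(2024, 6, 1)).items():
        print(f"{label}: {'; '.join(issues)}")
```

Run on a schedule against your own inventory, the output gives a short list of assets to fix before the next restore test.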
We have published blog pieces on the other elements of the RPA cyber protection. They cover: