Suffolk County Council’s audit team has carried out a cyber security audit in nine LA maintained schools. The audit highlighted that schools’ Business Continuity Plans or Critical Incidents Policies did not always provide a detailed process for loss of IT/data.
Background
For every organisation, the threat of a cyber attack is greater than ever. With our growing dependence on IT, losing data or suffering prolonged or even short-term downtime will at best disrupt business as usual (BAU); at worst, it could significantly compromise the reputation and financial stability of that organisation.
Through robust planning, in the form of listing key threats and mitigations and identifying Recovery Time Objectives (RTO), an organisation can prepare for a loss of IT or a cyber attack.
Global reports of cyber attacks make daily headlines; these include some very high-profile, large companies that have experienced a breach in their cyber security. We must learn from those to ensure our organisation is as protected and prepared as possible.
Actions
- Identify key threats to your organisation. This can be done by including Cyber Security in your Business Continuity Plan and completing a risk assessment for cyber security attacks.
  These can be found here:
  - Business Continuity – Suffolk Learning
  - Cyber security – risk assessment and action plan template
- Decide how long you can afford to be without each of your critical functions (RTO)
- Agree what mitigations need to be applied against each of the threats to minimise the impact on your BAU including alternative supply lines or partners
- Share your plan with colleagues and ensure that everyone is aware of what to do. This will be achieved by testing your plan and making any changes that have been identified through the exercise
- Continue to monitor new guidance and regularly review your IT plan and Cyber Security measures
- Embed the IT / Cyber Security plan into your BCP.
- Ensure that Governors and Senior Leaders regularly review and discuss cyber security and GDPR to ensure the risk is mitigated as much as possible
National guidance is available to support schools with IT security and cyber threats, so you’re not on your own. The UK Government even offer free online training for your staff to raise awareness and understanding.
Take the time to look into the two links below and don’t hesitate to contact me for advice and support in putting your plan together or help in testing your plan.
- Guidance from the National Cyber Security Council (NCSC) can be found here and is considered to be the very latest in good practice. CAF – Principles and guidance – NCSC.GOV.UK
- Guidance from the UK Government on how to improve online security and protect against cyber threats can be found here. Cyber security guidance for business – GOV.UK (www.gov.uk)