In this fifth blog in the series, we look at Incident Management, following the guidance from the UK National Cyber Security Centre (NCSC). We explore how schools with well-structured, clearly written incident plans and procedures can reduce the impact of a cyber attack and get key systems and services back up and running as soon as possible, minimising disruption to users and supporting business continuity. With each blog in this series, we are building upon every stage of the NCSC’s 10 Steps to Cyber Security and, in turn, providing our independent recommendations, examples and guidance.
In our previous blog, “User Awareness - How To Help Your Users Protect Themselves & The School Network!”, we discussed how structured and regular training, alongside clear policies and procedures, can go a long way to stopping some attacks in their tracks before they reach the network. This blog goes hand-in-hand with that one and gives schools a greater understanding of how effective plans and procedures reduce risk and provide a safer working environment.
By following these recommended steps, you will be able to evidence that your school has the appropriate mechanisms in place to reduce the impact of a cyber attack and support business continuity. By providing your end users and IT teams with plans and procedures aligned to your business continuity plans, you will demonstrate that the school is ensuring both the availability of data and resilience through an organisational process.
Before we go any further, do you know the answers to the following questions?
- What is an incident and/or how does your school classify or categorise them?
- Does your school have an incident response policy, plan and procedure?
- Where is your school’s incident plan located and is the documentation up to date?
- If an incident occurs, who should you contact first and what is the escalation path?
- Are there immediate steps you should take before reporting?
- Is there a need to preserve evidence and document the steps taken?
- If an incident occurs, when do you need to report it to any authorities or regulators?
If you are unsure of any of the above, you need to follow the next 5 steps...ASAP!
1. Establish whether you have the existing skills and capacity to adequately respond to a cyber attack (whether those skills are provided through the internal team, a managed service provider, or another third party).
2. Create an incident response policy, plan and process tailored to your school’s current capacity, skills and support provider(s).
3. Identify any shortage of skills through a gap analysis and define a training plan to upskill members of your support teams. As an interim measure, put in place mitigating actions or provide additional outsourced support whilst your teams receive specialist training.
4. Train all users on the school’s incident response policy, plan and process, ensuring they know what to do and who to contact in the event of a cyber attack. Schedule refresher training.
5. Test your new incident response plan by working through a variety of common attack scenarios, such as phishing and malware (focusing on ransomware).
Following the above will ensure that you have the capacity and capability to deal with an incident effectively. Once you have this in place, have tested the plan and are confident that your users understand the process, follow the next set of steps.
Responding to an incident
The steps above cover the reaction to an incident; now let's look at the response. Some incidents will require that data, systems and/or services are restored or repaired, and others will require local authorities or regulators to be informed. You now need to:
6. Ensure that you have a robust method for categorising incidents, and that you understand when an incident needs to be reported and to whom (the data protection regulator, local authorities, etc.).
7. Review business continuity plans and disaster recovery plans to ensure they are aligned. Any areas where your disaster recovery plan does not align with the business continuity plan need to be addressed.
8. Test the disaster recovery plans to ensure that you can restore data and repair systems or services in a timely manner (remembering that loss of availability of personal information is, in some circumstances, a reportable breach). Test that the business continuity plans cover any downtime of services.
9. Put a policy and procedure in place to ensure that all incidents and their responses are reviewed, in order to identify areas of the process that need further review or rectifying. Lessons learned will improve efficiency and ensure that any ambiguity, or areas where users were unsure of what to do, is addressed.
How can 9ine help?
9ine’s Incident Management software empowers you with a dependable, self-governed framework to proactively manage an incident and protect the best interests of your staff, students and reputation. It provides you with a visual representation of risk, making it exponentially quicker for you to understand who is impacted and what's at stake. 9ine’s platform is designed to avoid ambiguity so you can quickly and categorically assess if an incident constitutes a breach, its scale and if it’s reportable. Unlike other platforms that leave you in the deep end, with Incident Management you have the tools to also record and implement a successful recovery plan. Use 9ine’s integrated Incident Management and Task Management tools to confidently manage an incident without having to rely on costly external consultancy. Create and assign tasks, notify internal stakeholders and recover from an incident quicker and more successfully than ever before. Start your free trial today.
ABOUT THE AUTHOR:
Dan Cleworth has worked in education for over 20 years. He is a Senior Technical Consultant and certified GDPR practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.