Cyber Risk Assessment

Schools should prepare in advance what they will do in the event of a cyber attack. Make sure you know who to contact.

Please see our Securing Your Schools Data and Protecting your Digital Technology sections for more information. 


What to do in the event of a cyber attack

If your school experiences a cyber attack and you take our ICT support: 

Immediately call 0300 123 6797 Option 1 and inform our ICT support:

My ICT Incidents

If your school experiences a cyber attack and you do NOT take our ICT support: 

Contact your ICT provider immediately. 


Reporting a school cyber incident

Cyber incidents can be reported to Action Fraud or, if you're in Scotland, to Police Scotland. If the incident involves a data breach, we would advise reporting it to the Information Commissioner’s Office (ICO) under GDPR guidelines.

According to: NCSC - Reporting a school cyber incident.


Report a cyber incident or attack internally 

As soon as IT support and the SLT digital lead have been alerted by a student or member of staff to a potential incident or attack, they will need to: 

  • action their cyber incident response plan. See DfE Standards for guidance: business continuity and disaster recovery plans 
  • contain the risk and make sure systems are safe and secure 
  • notify those in the ‘who needs to be involved’ section of this standard and in line with their business continuity plan 
  • capture information on the risk 
  • investigate the risk and decide on the next course of action 
  • report the potential incident or attack to the governing body or trustees 

According to the DfE: cyber security standards for schools and colleges.

Any incidents, attacks or near misses should be recorded in an internal incident report or system. 


Report a cyber incident or attack to external bodies 

Incidents or attacks where any security breaches may have taken place, or other damage was caused, should be reported to an external body. 

The SLT digital lead will be responsible for assigning someone to report any suspicious cyber incidents or attacks. This person will need to report this to: 

You may also need to report to: 

Police investigations may find out if any compromised data has been published or sold and identify the perpetrator.