The incident
The trusts IT provider noticed unauthorised activity on New Years Eve and on New Years Day. The trust identified that this unauthorised activity would be a problem and submitted a cyber claim through RPA.
Actions taken
Helen contacted RPA and submitted a cyber claim as soon as it was identified as an issue for the trust.
The RPA cyber supplier contacted the trust, and a call was arranged to discuss with the leadership team.
The cyber supplier advised that an external legal and communication team should be used who had experience of dealing with cyber incidents.
Whilst there was an additional cost, they were experts in this type of incident and worked seamlessly with the Helen, the RPA cyber supplier and the Trusts IT Provider.
The support provided was invaluable with calls answered immediately, no matter the day or time. This was a vital service, and all 14 schools were due to be back, and the Trust had to shut down all IT.
How communications were handled
The Trust needed to inform over 20,000 stakeholders of the incident, including staff, parents, and pupils.
The communications were done centrally with the Trust and The RPA cyber supplier working with the communication and legal teams to create responses.
They also developed a set of frequently asked questions to help them to respond effectively and efficiently.
The central team provided all communication and wording with only minor edits from the trust to make sure messages were clear.
Throughout the incident only 20 queries were received from stakeholders because the communications were thorough and clear from the outset.
“Incidents tend to happen over holiday periods, and this can leave you feeling quite isolated. The RPA cyber supplier were was brilliant, knowledgeable, and caring. They kept us calm and were there when we needed them.”
Helen Winn, Chief Executive Officer
The Trust has a PR company that deals with the press, and they collaborated with the RPA cyber supplier, and the communication company when there was interest from the press.
The trusts operational activities
All Headteachers were informed and brought together on a call to provide them with instructions about what they could and could not do. This included accessing files stored on Google and how any device connected had to be given to the IT team.
Within a week the Trust got everyone back on Google, and chrome books issued to staff as they couldn’t use network devices.
The decision was taken to open all schools as planned after the holidays once the trust had established all safeguarding measures had been met. This included making sure they know which children are on site, door entry and signing-in systems that are required under fire regulations.
The Trust prioritised the most important things first which enabled them to organise fixes and get everyone back up and running on google within a week.
The Trust operates a cashless catering system, which also had to be suspended, and parents notified. A paper-based solution was created while tills were out of operation. This meant parents could still put money on the pay system, but the Trust couldn’t charge them as the tills were not working.
Clerical records had to be created to track what was spent. Unfortunately, aspects of this process are still being sorted. Management information systems were also impacted as the IT systems couldn’t synchronise.
Helen’s advice for others
Overall, recovery from the incident has taken six months, with additional ongoing incident forensic work to check if any data has been taken.
The Trust was able to recover around £140,000 from the RPA.
Reflecting on the incident, Helen provides her advice on being prepared:
1. Have a web-based system
"Having a web-based system, Google in this case, did make resolution and recovery quicker."
2. Know how to react
"We followed our crisis management policy, but you need to make sure you know how you would react. For example, if an incident were to occur on Christmas day - what would you do?"
3. Have support in place
"I would recommend the RPA to schools. The support was invaluable on two levels - the knowledge, support and care."