Detection
The detection and reporting phase is the gateway into the formal incident process.
A designated individual or team (usually IT support, the service provider or the SLT digital lead) receives a report or alert.
Detection sources
Standard sources of incident detection include:
- automated alerts (anti-virus, firewall, email filtering systems, SIEM (Security Information and Event Management), endpoint protection)
- manual observation - staff, learners or other users notice suspicious behaviour, devices acting strangely, or fake-looking emails
- user reports - staff, learners or guardians report suspected phishing, device issues, or unexpected data access
- external notification from an IT provider, the police, the NCSC, the DfE, or third-party suppliers
- routine checks and audits that uncover anomalies
Encouraging early detection and reporting
Everyone in a school can help encourage early detection and reporting.
Awareness
Staff and learners should know how to recognise and report a cyber security concern. You can create short guidance for everyone on how to report a cyber incident. Include this in staff and student handbooks or on the intranet.
Clarity
Have clear reporting routes and procedures in place for any actual or possible cyber incident. Nominate a first point of contact, usually the SLT digital lead.
Monitoring
Have appropriate systems in place to detect unusual activity. Record even low-level events, like failed logins and spam emails, for future trend analysis.
Set up a shared incident detection and triage log for the SLT digital lead and cyber recovery team to track suspicious events over time.
Take reports from users or third parties seriously.
Early escalation
Identifying an incident as early as possible allows for an effective response. Encourage staff and learners to report suspicious activity or incidents, even when they are uncertain.
Non-punitive
Make sure everyone can make a report anonymously or discreetly, if necessary. Make sure they are aware there will be no blame or punishment, unless the report is malicious.
Logging
The report is recorded in an incident log with details including date, source, description and initial risk judgement.
Initial assessment
The SLT digital lead (in consultation with IT support or other relevant stakeholders) makes a quick preliminary assessment to decide whether the activity:
- is harmless
- could be a cyber security incident
- needs further evidence or context
If you are uncertain, it’s safer to be cautious and escalate for further assessment in the Triage and analysis stage.
Decision to escalate
Escalate immediately to the full incident response if any of these conditions are met:
- evidence of malware, data breach, or system compromise
- personally identifiable or sensitive data may be at risk
- key systems are disrupted or inaccessible
- external parties such as the NCSC or cyber insurance providers have issued warnings or alerts that apply to your environment
Escalating to the full incident response activates the Triage and analysis stage. Establish your school’s escalation thresholds when you create your response plan. Agree them with your SLT with your school’s risk tolerance in mind. Include escalation of events to senior leadership and/or external bodies as appropriate. For example, if personally identifiable or sensitive information may be at risk, the DPO must be informed so that they can decide whether to notify the ICO.
Notification to SLT digital lead
Once a confirmed or likely incident is identified, inform the SLT digital lead to initiate your incident management processes. This includes convening the relevant internal stakeholders.
Who does what at this stage
SLT digital lead
- sets up clear reporting routes including who to contact, how (email/phone), and when
- logs all reports: even if a report is not deemed an incident, this helps with pattern recognition and review
- activates incident response: if criteria are met, formally log as a cyber security incident
Cyber recovery team and IT support
- actively monitor systems (logins, file access, network traffic, endpoint activity)
- establish thresholds for alerts and define when an alert becomes an incident that needs escalation
- with the SLT digital lead, triage reports quickly, assessing risk, scope and potential impact to determine the response