Cyber security isn’t just a job for IT. It’s everyone’s responsibility to keep your school safe. If everyone follows cyber security best practices, the chance of a cyber incident happening is drastically reduced.
But if an incident does happen, some people and jobs will have specific roles. Understanding roles and responsibilities before an incident happens means you can react faster and communicate better.
Responsibilities in an incident
Every school is different and will have different staff and structures. These roles are examples of people who might be involved in responding to an attack, and what they might do and be responsible for.
Work as a team to identify what roles you have, who is responsible for what, and any gaps. You can use our cyber response plan template to record names and contact details of the people who will be involved.
Some responsibilities align to school roles, like headteacher or governor. Others are roles that people might have in an incident, like SLT digital lead or member of the cyber recovery team.
School roles
The chair of governors will:
- support the headteacher throughout the process and make sure decisions are based on sound judgement and advice
- understand the school may need additional funds and have a process in place to approve this
- ensure all governors are aware of the situation and advise them not to comment to third parties or the media
- review the response after the incident and consider changes to working practices or school policy
The headteacher will:
- make sure they get all the information they need from anyone who reports an incident
- set up and maintain the incident response plan, including logging times, dates and actions
- involve the cyber recovery team, informing them of the incident and enacting the response plan
- liaise with the chair of governors and the school data protection officer
- remind staff to follow the agreed ‘script’ when discussing the incident
- communicate with the school business officer if parents need to be notified
- prepare statements or letters for the media, parents and pupils
The IT lead or IT staff will:
- verify the most recent and successful system backup
- if the school has an RPA arrangement, contact the RPA Incident Response Service to assess whether the backup can be restored or if server(s) are damaged
- restore the backup and advise of the backup date and time to inform stakeholders as to potential data loss
- discuss possible costs of repairing, restoring or buying hardware (if necessary) with the headteacher
- give an estimate of how long systems might be down and advise which systems are affected and unaffected
- arrange access to the off-site backup if necessary
- protect any records which have not been affected, and make sure they can remain accessible
The school business manager will:
- make sure phone lines are working and make mobiles available if needed, communicating to relevant staff
- make sure office staff understand the standard response and know who the school’s media contact is
- contact relevant external agencies, such as RPA Emergency Assistance, IT services and technical support staff
- manage communications, including the website, school emails, and calls or texts to parents
- check if payroll or HR are affected and consider if additional support is needed
The designated safeguarding lead will:
- ask for clarification to find out if there is a safeguarding aspect to the incident
- consider if they need a referral to Cyber Protect Officers, Early Help or social services
School staff will:
- reassure pupils (within an agreed standard response)
- record relevant information pupils may provide
- make sure any temporary procedures for data storage and/or IT access are followed
The data protection officer will:
- liaise with the headteacher and chair of governors to decide if they must report to the ICO
The site manager will:
- make sure external IT staff have site access
- work with the headteacher to limit access to essential personnel
Incident roles
The SLT digital lead is responsible for overseeing the management of cyber security incidents and owning incident management.
Depending on the context in the school, the SLT digital lead may delegate responsibility for cyber security incident management. This role is concerned with leadership and incident management, not necessarily the technical responsibilities. Key responsibilities are to:
- lead and coordinate the cyber response plan, ensuring tasks are delegated and there is appropriate escalation
- act as the single point of contact for incident management decisions (including reporting to senior management)
- liaise with IT support and others to ensure response tasks are initiated and monitored, as directed by the cyber response plan or playbook
- activate and oversee the cyber recovery team as required by the type and severity of the incident
- lead post-incident review activities to make sure any identified issues and lessons learnt are integrated into cyber security policy, plan updates, and other documents (such as cyber risk assessments)
- maintain links between stakeholders such as the cyber recovery team, IT support and designated safeguarding lead
The cyber recovery team is a multi-disciplinary group coordinated by the SLT digital lead. They are responsible for carrying out technical and non-technical response activities. Key roles that should be aware and involved are the:
- SLT digital lead
- incident lead as appropriate for your setting
- technical stakeholders such as your IT team and managed provider stakeholders
- IT team
- ICT managed provider
- data protection officer (DPO)
- designated safeguarding lead
- senior leadership team (SLT)
- communications lead
- legal/governance lead, if applicable
In smaller schools, individuals might carry out multiple roles. The NCSC advises always considering the risk that individuals might be unavailable, and including at least 2 contact methods for 2 or more individuals. Depending on the impact and damages of an incident, you may need to involve parties outside of your school, which may include:
- your IT provider
- your insurance provider
- Information Commissioner’s Office (ICO)
- NCSC
- legal guardians
- local police
Cyber security tasks for staff
Every staff member should understand and follow these important cyber security practices:
- recognise common threats such as phishing emails and ransomware
- create strong, unique passwords
- only use approved software and services
- follow any cyber security policies in place
- promptly raise any concerns
Managing incidents with fully outsourced IT
If your IT services are managed by a third-party provider, they may be responsible for some or all of your cyber response plan actions. However, even if technical control is with an external provider, accountability for governance, compliance, and stakeholder communication remains with the school.
The school will always be responsible for:
- defining strategic direction and oversight through the cyber security incident management policy
- creating and maintaining the school's cyber response plan, with a clear process for handing over incident response tasks between the school and the IT provider
- making sure the provider has an appropriate, tested cyber response plan and demonstrates compliance with the school's statutory duties, such as safeguarding, UK GDPR and the DfE Cyber Security Standards
- the SLT, DPO, and safeguarding leads making decisions on regulatory reporting (such as to the Information Commissioner’s Office), communications and liaison with governors and trustees
- review and assurance, obtaining evidence from the provider of plan testing, incident handling capability and regular updates to contacts and procedures