Although the video is from 2021, the information and lessons learned from it are very pertinent. The CEO of the Harris Federation explains how they were attacked on a Friday evening and how they managed the attack and the subsequent recovery. The DfE Digital Standards for schools and colleges says that anyone that has access to the school network should have cyber security training annually, and this video is great for covering that remit.
He explains that had data retention for the organisation been better, the recovery might have been easier. He talks about all of the systems that were down and relied on the availability of the network, including the electric gates.
There is no doubt, that suffering a cyber attack can be devastating for an organisation however ready you might feel you are and however cyber resilient that you are.
Remember that if you suffer a cyber attack, you must report it to the ICO and there are other requirements depending on whether you are a school or a MAT.
Working your way through our checklists, like the Information/Cyber Security one can start to give you an idea of where your organisation is with cyber resilience. We would also recommend taking a look a the DfE Digital Standard for Cyber Security, which is the largest document in the set of documents. Governors or trustees should also consider assigning a digital link role within the governing body or board of trustees as well as assigning someone in SLT to be the SLT digital lead. Watch our short video about getting started with the DfE Digital Standards:
What to do in the event of a Cyber Attack
Incidents or attacks where any security breaches may have taken place, or other damage was caused, should be reported to an external body.
The SLT digital lead will be responsible for assigning someone to report any suspicious cyber incidents or attacks. This person will need to report this to:
- Action Fraud on 0300 123 2040, or the Action Fraud website
- the DfE sector cyber team at
This email address is being protected from spambots. You need JavaScript enabled to view it.
You may also need to report to:
- the NCSC website if the incident or attack causes long term school closure, the closure of more than one school, or serious financial damage
- the ICO website within 72 hours, where a high risk data breach has or may have occurred
- your cyber insurance provider (if you have one), such as risk protection arrangement (RPA)
- Jisc, if you are a part of a further education institution
You must act in accordance with:
- Action Fraud guidance for reporting fraud and cyber crime
- Academy Trust Handbook Part 6, if you are part of an academy trust
- ICO requirements for reporting personal data breaches
Police investigations may find out if any compromised data has been published or sold and identify the perpetrator.
m. Preserving evidence is as important as recovering from the crime.
Forward suspicious emails to