7 Steps for Effective School Cyber Incident Investigation


These are the dreaded words which no school staff member wants to hear from their IT department. Yet many schools around the world experience these unpleasant and worrying moments every day. K-12 schools are considered among the most lucrative targets for attacks on personal data, often because of ineffective cybersecurity measures and practices. Many schools are clueless and go into panic mode when a cyber security incident occurs.

In this blog, we lay out a seven-step strategic response plan to investigate a cybersecurity breach in your school.


Step 1 - Identification

The first step is to identify that a cyber incident has occurred, and how it was found: for example, a user reporting the issue, or an alert from the monitoring system. Preserve the evidence before changing anything (mail and sign-in logs, the reported email, the affected device). Where it is safe to do so, the incident can be replicated to determine its source, but only in an isolated test account or virtual machine, never by re-opening a live link on a production device. Finally, what are the symptoms of the attack? Has a user clicked on a suspicious link and is now locked out of their account? Has the performance of a system degraded?


Step 2 - Initial Investigation (System and Service Review)

The next step is to conduct an initial investigation into the incident. Administrators should identify all systems and services that have been affected. Once identified, the findings should then be compared to those reported by users.

The scope of the cyber incident should then be defined and initial priorities decided before remediation.


Step 3 - Immediate Actions

Immediate actions should be taken to prevent further cyber incidents arising from the source of the current one. For example, in the case of a phishing incident: trace the email and delete it from all user mailboxes, tell users not to click on links in emails like it, suspend access to the affected file servers to prevent unauthorised access, and enforce a password reset for every affected user. Revoke the affected users' existing sessions and tokens at the same time, because a new password on its own does not end a session the attacker already holds.

All actions should be quickly documented and agreed with the Senior Leadership Team (SLT) before taking place.
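The scoping in Steps 1 to 3 can be done from logs rather than from memory. The following is an added example, not code from 9ine or from this article: it takes the indicator a user reported (the sender address or the link in the phishing email), finds every recipient in a mail-gateway log, flags recipients whose account then signed in successfully from an address that is neither on the school network nor in that user's own history, reconciles that with what users reported, and produces the Step 3 containment actions as data. The key=value log formats, the school's address range (192.0.2.0/24), and every account, address and timestamp are constructed for illustration; a real system would read the same fields from its mail gateway and identity provider.

```python
"""Scope a phishing incident from mail-gateway and sign-in logs (Steps 1-3).

Added example, not 9ine's code. The log formats, the school's address range
and every account, IP address and timestamp below are constructed.
"""
from __future__ import annotations

from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed: the school's on-site egress range. A sign-in from here is expected;
# a sign-in from an address the user has never used before is not.
SCHOOL_NET = ip_network("192.0.2.0/24")

# Constructed mail-gateway log: one delivery per line, key=value fields.
MAIL_LOG = """\
ts=2024-03-04T08:02:11Z msgid=<a1@evil.example> from=payroll@evil.example to=j.smith@school.example url=http://evil.example/login
ts=2024-03-04T08:02:12Z msgid=<a1@evil.example> from=payroll@evil.example to=a.patel@school.example url=http://evil.example/login
ts=2024-03-04T08:02:12Z msgid=<a1@evil.example> from=payroll@evil.example to=r.jones@school.example url=http://evil.example/login
ts=2024-03-04T08:30:00Z msgid=<b7@vendor.example> from=news@vendor.example to=j.smith@school.example url=http://vendor.example/news
"""

# Constructed identity-provider sign-in log (the day before and the day of).
SIGNIN_LOG = """\
ts=2024-03-03T09:00:00Z user=j.smith@school.example ip=192.0.2.15 result=success
ts=2024-03-03T09:05:00Z user=a.patel@school.example ip=192.0.2.16 result=success
ts=2024-03-03T18:40:00Z user=r.jones@school.example ip=198.51.100.9 result=success
ts=2024-03-04T08:20:00Z user=j.smith@school.example ip=203.0.113.7 result=success
ts=2024-03-04T08:25:00Z user=a.patel@school.example ip=192.0.2.16 result=success
ts=2024-03-04T08:41:00Z user=r.jones@school.example ip=198.51.100.9 result=success
ts=2024-03-04T09:10:00Z user=r.jones@school.example ip=203.0.113.7 result=failure
"""


def parse(log: str) -> list[dict]:
    """Turn key=value lines into dicts; 'ts' becomes a timezone-aware datetime."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        row = dict(field.split("=", 1) for field in line.split())
        row["ts"] = datetime.fromisoformat(row["ts"].replace("Z", "+00:00"))
        rows.append(row)
    return rows


def deliveries(mail_log: str, indicator: str) -> dict[str, datetime]:
    """Step 1/2: every recipient of the reported message and when it arrived.

    `indicator` is what the reporting user gave us: the sender address or the
    URL in the email. Returns {recipient: earliest delivery time}.
    """
    hits: dict[str, datetime] = {}
    for row in parse(mail_log):
        if indicator in (row["from"], row["url"]):
            hits[row["to"]] = min(row["ts"], hits.get(row["to"], row["ts"]))
    return hits


def suspect_accounts(signin_log: str, delivered: dict[str, datetime]) -> dict[str, str]:
    """Step 2: recipients with a successful sign-in, after delivery, from an
    address that is neither on the school network nor in that user's history.
    Failed attempts and sign-ins from a previously seen address are ignored.
    Returns {user: suspicious_ip}.
    """
    history: dict[str, set[str]] = {}  # user -> IPs seen before delivery
    suspects: dict[str, str] = {}
    for row in sorted(parse(signin_log), key=lambda r: r["ts"]):
        user, ip = row["user"], row["ip"]
        if user not in delivered:
            continue
        if row["ts"] < delivered[user]:
            history.setdefault(user, set()).add(ip)
            continue
        if row["result"] != "success" or ip_address(ip) in SCHOOL_NET:
            continue
        if ip not in history.get(user, set()) and user not in suspects:
            suspects[user] = ip
    return suspects


def reconcile(found: set[str], reported: set[str]) -> dict[str, set[str]]:
    """Step 2: compare what the logs show with what users reported."""
    return {"unreported": found - reported, "not_in_logs": reported - found}


def containment_plan(mail_log: str, indicator: str, delivered: dict[str, datetime],
                     suspects: dict[str, str], reported: set[str]) -> dict:
    """Step 3: the immediate actions as data an operator can act on.

    Anyone who reported clicking, or whose account shows a suspicious sign-in,
    gets a password reset AND a session revocation: a new password alone does
    not end a session the attacker already holds.
    """
    ids = {r["msgid"] for r in parse(mail_log) if indicator in (r["from"], r["url"])}
    return {
        "purge_message_ids": sorted(ids),
        "warn_recipients": sorted(delivered),
        "reset_password_and_revoke_sessions": sorted(set(suspects) | set(reported)),
        "block_indicator": indicator,
    }


if __name__ == "__main__":
    indicator = "payroll@evil.example"            # what the first reporter gave us
    reported = {"a.patel@school.example"}         # users who said they clicked
    got = deliveries(MAIL_LOG, indicator)
    bad = suspect_accounts(SIGNIN_LOG, got)
    print("recipients:", sorted(got))
    print("suspicious sign-ins:", bad)
    print("reconciliation:", reconcile(set(bad), reported))
    print("plan:", containment_plan(MAIL_LOG, indicator, got, bad, reported))
```

In the constructed data only j.smith is flagged: a.patel signed in from the school network and r.jones from a home address already in their history, while the attacker's later attempt against r.jones failed. a.patel still appears in the reset list because they reported clicking, which is the right bias during containment.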


Step 4 - Initial Reporting

After the immediate actions to prevent further harm, an initial report should be communicated to the Senior Leadership Team (SLT). This report should include everything done up to that point: how the incident was identified, which users have been communicated with and what was discussed, the results of the initial investigation, the possible causes of the incident, and the immediate actions that have been taken.

In all reports, the organisation's Data Protection team should be involved to ensure that any data breaches resulting from the cyber incident are also dealt with.




Step 5 - Remediation Planning

Once the incident has been contained so that it can cause no more harm than it already has, and the plans have been communicated to SLT, a plan needs to be created for remediating the effects the cyber incident has caused.

The documented plan will need to include time estimations for all tasks, the priority for each task, and defined owners for each task.


Step 6 - Remediation

After the plan has been created, it needs to be executed. In line with the documented plan, the actions should be completed in priority order. Once an action has been completed, it should be documented and marked as done.


Step 7 - Reporting

After the remedial actions have taken place and the organisation's network is stable, work should continue on the incident by documenting everything that has occurred since it began.

In the event that personal data has been compromised, the incident should be reported to the applicable third parties such as the country's supervisory authority (for schools subject to the GDPR or UK GDPR, a notifiable breach must be reported within 72 hours of becoming aware of it). Reports should be sent to the SLT and should include all steps taken, an analysis of the event, any remaining actions, and any lessons learned that will help prevent a similar attack in the future.


Final Thoughts

Cybersecurity incidents can happen in any school, however robust its IT systems and cybersecurity practices are. If an incident does occur, having a clear response strategy will help to mitigate the impact. A good response plan should include a list of steps and the responsibilities assigned to school staff, and should detail contingencies and business continuity plans.

As the cyber threat landscape continues to evolve, it is up to schools to reduce the weaknesses in their infrastructure and to keep reviewing their cybersecurity policies and procedures.



Marcus is a Senior Technical Consultant at 9ine, responsible for the on-the-ground management of new build and refurbishment projects. He specialises in the application and configuration of technical systems and services within schools, including mobile device management (MDM) systems. He holds a bachelor's degree in computer network management and design.

