Incident Response for Schools: What to Do in the First 24 Hours of a Cyberattack
When a cyberattack hits a school, the decisions made in the first hours determine whether the incident is contained or escalates into a full system shutdown. Harris Federation's IT team had to respond to ransomware spreading across 50 schools simultaneously in April 2021. Newcastle University's team had to manage the discovery that sensitive data had been published on the dark web. Lincoln College had to navigate recovery while managing the operational and financial consequences of extended system downtime. This guide sets out what schools should do — and who they should call — in the critical first 24 hours.
The first hours of a cyberattack are decisive — schools with a practiced incident response plan contain incidents faster and recover sooner. Most UK schools have no tested plan.
Hour 0-1: Contain and Assess
The moment you suspect a cyberattack — ransomware note appearing, systems behaving unusually, staff reporting inability to access files — your priority is containment:
- Isolate affected devices: disconnect them from the network by unplugging the network cable or disabling WiFi
- Do not turn devices off: forensic evidence is lost when devices are powered down abruptly
- Alert your IT lead or IT provider immediately: this is a P1 incident
- Activate your incident response plan: it should be accessible offline (printed copy) in case systems are unavailable
- Identify the scope: which systems are affected? Is it spreading? What data is at risk?
- Begin documenting: record times, actions, and findings. You will need this for regulatory notifications.
Hour 1-4: Notify and Engage Support
Once immediate containment steps are underway, move to notification and specialist support:
- Call the NCSC Cyber Incident Response service: 0300 020 0973 — free support for UK organisations
- Contact your cyber insurance provider: invoke your policy and ask for incident response support
- Engage a specialist incident response firm directly if you have no cyber insurance or no access to the insurer's preferred firm
- Notify your Data Protection Officer (DPO): they need to assess breach notification obligations immediately
- Inform your headteacher and chair of governors: this is a board-level incident
- Do NOT communicate via school email if it may be compromised: use personal mobile phones
Hour 4-24: Manage, Report, Communicate
Once the immediate response is underway, focus on the parallel workstreams that must progress simultaneously:
- **ICO notification**: If personal data has been or may have been accessed, the 72-hour ICO notification clock has started. Your DPO must assess this and make the notification if required.
- **DfE reporting**: Significant cyberattacks affecting school operations should be reported to the DfE's Cyber Incident Response service.
- **Staff communication**: Staff need to know which systems are unavailable and what alternative arrangements are in place. Avoid a vacuum of communication — staff will speculate.
- **Parent communication**: If pupil data may have been affected, parents will need to be informed. Plan this communication carefully with legal advice.
- **Business continuity**: What paper-based processes can maintain essential operations while systems are unavailable?
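The documentation step in Hour 0-1 and the 72-hour ICO clock above both depend on a record of times, actions and findings that can be shown later to be complete and unaltered. The following is an added example, not code from the original guide or from any school's IT team: a small hash-chained incident timeline where each entry commits to the one before it, so any later edit to an earlier entry is detectable, together with the ICO deadline computed from the moment the school became aware of the breach. The incident, the timestamps, the names and the actions in the sample log are constructed for illustration.

```python
"""Hypothetical first-24-hours incident log for a school cyber incident.

Added illustration (not part of the original guide). Each log entry is
SHA-256 hashed together with the digest of the previous entry, so the
timeline handed to the ICO, DfE or insurer can be verified as unmodified.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The ICO notification window runs from the moment of awareness.
ICO_NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class Entry:
    timestamp: str   # ISO 8601 in UTC, so entries from different devices compare cleanly
    actor: str       # who took the action or made the finding
    action: str      # what was done or observed
    prev_hash: str   # digest of the previous entry (chain link)
    digest: str = ""

    def compute_digest(self) -> str:
        # Canonical JSON so the same fields always hash the same way.
        payload = json.dumps(
            {"timestamp": self.timestamp, "actor": self.actor,
             "action": self.action, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class IncidentLog:
    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, aware_at: datetime) -> None:
        if aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")
        self.aware_at = aware_at.astimezone(timezone.utc)
        self.entries: list[Entry] = []

    def record(self, when: datetime, actor: str, action: str) -> Entry:
        """Append an entry, linking it to the digest of the previous one."""
        prev = self.entries[-1].digest if self.entries else self.GENESIS
        entry = Entry(when.astimezone(timezone.utc).isoformat(), actor, action, prev)
        entry.digest = entry.compute_digest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every digest and chain link; False if anything was altered."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry.prev_hash != prev or entry.compute_digest() != entry.digest:
                return False
            prev = entry.digest
        return True

    def ico_deadline(self) -> datetime:
        return self.aware_at + ICO_NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left on the ICO clock at `now` (negative once it has expired)."""
        return (self.ico_deadline() - now).total_seconds() / 3600


def build_sample_log() -> IncidentLog:
    """Constructed sample timeline (hypothetical school, names and times invented)."""
    aware = datetime(2024, 3, 1, 7, 15, tzinfo=timezone.utc)
    log = IncidentLog(aware_at=aware)
    log.record(aware, "Site manager", "Ransom note seen on reception PC; IT lead called")
    log.record(aware + timedelta(minutes=12), "IT lead",
               "Reception PC and two office PCs unplugged from network, left powered on")
    log.record(aware + timedelta(hours=1, minutes=5), "IT lead",
               "NCSC incident line and insurer contacted; DPO informed")
    log.record(aware + timedelta(hours=3, minutes=40), "DPO",
               "Pupil records share confirmed accessible to attacker; ICO notification required")
    return log


def tamper_demo() -> bool:
    """Return the verify() result after someone quietly edits an earlier entry."""
    log = build_sample_log()
    log.entries[1].action = "Devices powered off"  # rewrites history after the fact
    return log.verify()


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    print("ICO deadline:", sample.ico_deadline().isoformat())
    for e in sample.entries:
        print(e.timestamp, e.actor, "-", e.action)
```

The log itself is not tamper-proof on its own (whoever holds it could rebuild the whole chain), so in practice the latest digest would be copied into an email to the DPO or insurer at each milestone; any later rewrite then fails to match the digest already sent.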
After the Incident: Recovery and Lessons Learned
Recovery from a cyberattack is measured in weeks, not hours. Key post-incident steps include:
- System restoration from clean backup — with verification that backups are clean before restoring.
- Forensic investigation — understand how the attacker got in, what they accessed, and what vulnerabilities they exploited.
- Post-incident review — conduct a structured lessons-learned exercise and update your incident response plan based on findings.
- Regulatory follow-up — respond to any ICO or DfE follow-up inquiries with documented evidence of your response actions.
- Staff debrief — staff who were involved in the incident response may need support, particularly if the incident was prolonged.
Frequently Asked Questions
Should I turn off computers when I discover ransomware?
Do not turn computers off immediately — this destroys forensic evidence that incident responders need to understand the attack. Instead, disconnect devices from the network by unplugging the network cable or disabling WiFi. The exception is if you can see ransomware actively encrypting files in real time — in that case, powering off may limit further encryption. Seek specialist advice quickly, as the right action depends on the specific ransomware and the stage of the attack.
Who pays for incident response at a school?
Cyber insurance covers incident response costs for schools that hold appropriate cover. This is the primary reason schools should have cyber insurance — the cost of specialist incident response firms (typically several thousand pounds per day) is beyond most school budgets without insurance. Schools without cyber insurance must fund response from reserves or seek support from the DfE and NCSC, which provide guidance but not financial support for recovery costs.
How long does a school have to notify the ICO after a data breach?
72 hours from becoming aware that a personal data breach has occurred, where the breach is likely to result in a risk to individuals' rights and freedoms. The clock starts when the school becomes aware — which in a ransomware attack may be immediately, as the attack itself demonstrates that systems (and potentially data) have been compromised. Not all incidents require ICO notification, but when in doubt, notify — the ICO takes a more serious view of late notifications than prompt ones.