What to do in the first hour of a school cyber attack

When a school suspects a cyber attack, the first hour can shape everything that follows.

The priority is not to understand every technical detail immediately. It is to contain the incident, protect pupils and staff, preserve evidence, and bring the right people together quickly. A calm, structured response can reduce disruption and make recovery easier.

The National Cyber Security Centre provides dedicated cyber security guidance for schools, including advice on ransomware, incident response and recovery. Its board-level guidance also makes clear that cyber resilience is not just a technical issue. Leaders have a critical role in making sure risks are understood, plans are tested and responsibilities are clear.

Through Everything ICT, schools and MATs can access trusted cyber security, managed IT, backup, recovery and incident response suppliers through a compliant procurement route, helping them put the right support in place before an incident happens.

1. Treat suspicion seriously

The first step is to recognise that something may be wrong. Warning signs might include unusual login activity, staff being locked out of accounts, suspicious emails sent from internal users, or files and systems behaving unexpectedly.

At this stage, you do not need a full diagnosis. If there is a reasonable suspicion of compromise, treat it as an incident and activate your response procedures. A cautious early response is usually better than waiting for certainty while the issue spreads.

This is especially important with ransomware. The NCSC has previously warned about targeted ransomware attacks affecting UK schools, colleges and universities, and its guidance on malware and ransomware stresses the importance of preparing for incidents as well as preventing them.

Phishing should also be taken seriously. If one account is compromised, attackers may use it to target colleagues, suppliers or parents.

2. Activate your incident response plan

Once an incident is suspected, activate your cyber incident response plan.

The plan should make clear who needs to be involved. For most schools and MATs, this will include senior leaders, IT support, the data protection lead, and the relevant trust, safeguarding, governance and communications contacts.

It should also set out who can make key decisions, such as taking systems offline, contacting insurers, instructing external cyber specialists, notifying regulators or moving to emergency communication channels.

If your response plan is still developing, the priority is to create some immediate structure. Identify who is coordinating the response, keep a clear log of decisions and actions, and bring the right people together using a trusted communication channel. Avoid discussing the incident through any account or platform that may be compromised.

3. Contain the incident and secure access

Containment is one of the most urgent tasks in the first hour. The aim is to stop the incident spreading while avoiding unnecessary disruption or loss of evidence.

Your IT team or provider may need to isolate affected devices, disable compromised accounts, restrict access to affected cloud services, or block suspicious network activity while the incident is investigated.

Do not automatically turn everything off unless there is an immediate need and no technical support is available. In some cases, powering down devices can remove useful evidence from memory or make investigation harder, so this should be guided by your IT team or incident response specialist.

Many school cyber incidents involve identity and access. A compromised account can give attackers a route into email, MIS platforms, cloud storage, finance systems or shared drives. In the first hour, focus on high-risk accounts, including admin, senior leader, finance, HR and safeguarding accounts.

Supplier access also matters. Leaders should know which third parties have access to critical systems, what level of access they have, and how quickly that access can be removed if needed. The NCSC’s supply chain guidance encourages organisations to maintain board-level visibility of supplier cyber risk.

Through Everything ICT, schools can access managed IT, cyber incident response, monitoring and recovery services through a compliant route, helping ensure support arrangements are clear before they are needed.

4. Preserve evidence

When a cyber incident is unfolding, it can be tempting to clean things up quickly by deleting suspicious emails, wiping devices, rebuilding machines or removing unusual files. However, these actions should only be taken with guidance from your IT or cyber response team.

Evidence helps establish what happened, how far the incident spread, whether data may have been accessed, and what reporting duties may apply.

Create an incident log as early as possible. It should capture the timeline, affected systems or accounts, actions taken, people contacted and key decisions made. Screenshots of alerts, suspicious messages, ransom notes or unusual login activity may also be useful.

Through Everything ICT, schools can access specialist suppliers who can support the technical investigation, advise on containment and help plan recovery. This can help schools make informed decisions early and avoid actions that could make the investigation more difficult later.

5. Communicate carefully

In the first hour, communication needs to be controlled. The right people need to know quickly, but messages should be limited to what is known and what action is needed.

Start with the people directly involved in the response, such as senior leaders, IT support, the trust central team, the data protection lead and any external cyber response provider. Governors, insurers or legal advisers may also need to be contacted, depending on the seriousness of the incident and your internal procedures.

Staff may need early guidance, especially if there is a risk of suspicious emails spreading or shared systems being affected. Keep instructions short and practical. If school email may be compromised, use an agreed alternative channel for key updates.

Parents and carers may need to be informed later, particularly if school operations are disrupted or data may be affected. In the first hour, the priority is to understand enough to communicate accurately and avoid creating unnecessary alarm.

6. Keep the school running safely

A cyber incident can quickly become an operational issue. If key systems are unavailable, schools still need to register pupils, manage safeguarding responsibilities, communicate with staff and families, and keep the school day running as smoothly as possible.

Schools and MATs should know how they would operate if they temporarily lost access to core systems, including which paper processes, alternative contact routes or manual procedures would be used.

For trusts, it is also important to understand whether the incident affects one school, several schools or a shared central platform. Where systems are used across multiple settings, containment and recovery decisions may need to be coordinated centrally.

Everything ICT can help schools and MATs access suppliers for business continuity, backup, disaster recovery and infrastructure support, helping them maintain essential operations while recovery work takes place.

7. Prepare for reporting and recovery

You are unlikely to have the full picture within the first hour, but you should start preparing for the next stage of the response.

If personal data may have been accessed, lost, encrypted or disclosed, involve the data protection officer as soon as possible. The ICO requires reportable personal data breaches to be reported within 72 hours of becoming aware of them, where feasible. Schools may also need to follow trust policies, local authority guidance, insurance requirements, or advice from legal and communications specialists.

By the end of the first hour, leaders should know who is coordinating the response, what appears to be affected, what has been contained, who has been informed and which risks still need urgent attention.

Not every answer will be available yet, but there should be clear ownership, better control of immediate risks and a practical route into recovery.
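The incident log described in step 4 and the end-of-first-hour checklist in step 7 can be kept as a small structured record rather than free text, so the coordinator can answer "what is affected, what is contained, who has been told, what is still open" at any point, and the ICO 72-hour clock is tracked from the moment of awareness. The following Python script is an added example, not part of the original article and not an Everything ICT tool; every name, time and asset in it is constructed, and it assumes the 72-hour window runs from the time the school treated the event as an incident.

```python
"""Structured first-hour incident log (added example, not the article's own tool).

Assumptions: timestamps are UTC; the ICO 72-hour reporting window runs from the
moment the school became aware of the incident; every name and asset in the
sample walk-through below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

ICO_WINDOW = timedelta(hours=72)  # UK GDPR reporting window for personal data breaches


@dataclass
class LogEntry:
    when: datetime
    category: str   # detection | containment | evidence | contact | decision
    detail: str
    actor: str      # who took the action or made the decision


@dataclass
class IncidentLog:
    coordinator: str
    aware_at: datetime  # when the school started treating this as an incident
    entries: List[LogEntry] = field(default_factory=list)
    affected: Set[str] = field(default_factory=set)
    contained: Set[str] = field(default_factory=set)
    informed: Set[str] = field(default_factory=set)
    open_risks: List[str] = field(default_factory=list)

    def record(self, when: datetime, category: str, detail: str, actor: str) -> None:
        """Append a timestamped entry and keep the timeline in chronological order."""
        self.entries.append(LogEntry(when, category, detail, actor))
        self.entries.sort(key=lambda e: e.when)

    def mark_affected(self, asset: str, when: datetime, actor: str, detail: str = "") -> None:
        self.affected.add(asset)
        self.record(when, "detection", f"{asset} affected: {detail}", actor)

    def mark_contained(self, asset: str, when: datetime, actor: str, detail: str = "") -> None:
        # Containing something never recorded as affected is a logging gap; refuse it.
        if asset not in self.affected:
            raise ValueError(f"{asset} was never recorded as affected")
        self.contained.add(asset)
        self.record(when, "containment", f"{asset} contained: {detail}", actor)

    def notify(self, who: str, when: datetime, actor: str) -> None:
        self.informed.add(who)
        self.record(when, "contact", f"{who} informed", actor)

    def add_risk(self, risk: str, when: datetime, actor: str) -> None:
        self.open_risks.append(risk)
        self.record(when, "decision", f"open risk noted: {risk}", actor)

    def ico_deadline(self) -> datetime:
        return self.aware_at + ICO_WINDOW

    def ico_hours_remaining(self, now: datetime) -> float:
        return max(0.0, (self.ico_deadline() - now).total_seconds() / 3600)

    def first_hour_summary(self) -> Dict[str, object]:
        """The five things leaders should know by the end of the first hour."""
        return {
            "coordinator": self.coordinator,
            "affected": sorted(self.affected),
            "contained": sorted(self.contained),
            "not_yet_contained": sorted(self.affected - self.contained),
            "informed": sorted(self.informed),
            "open_risks": list(self.open_risks),
            "ico_deadline": self.ico_deadline().isoformat(),
        }

    def timeline(self) -> List[str]:
        return [f"{e.when:%H:%M} [{e.category}] {e.detail} ({e.actor})" for e in self.entries]


def build_sample_log() -> IncidentLog:
    """Constructed walk-through of a phishing-led compromise in a school's first hour."""
    t0 = datetime(2025, 3, 3, 8, 5, tzinfo=timezone.utc)
    log = IncidentLog(coordinator="Deputy Head", aware_at=t0)
    log.mark_affected("finance-officer mailbox", t0, "IT provider", "sending phishing to staff")
    log.notify("Headteacher", t0 + timedelta(minutes=3), "Deputy Head")
    log.notify("Data Protection Officer", t0 + timedelta(minutes=10), "Deputy Head")
    log.mark_affected("staff laptop LT-042", t0 + timedelta(minutes=12), "IT provider",
                      "unusual file encryption activity")
    log.mark_contained("finance-officer mailbox", t0 + timedelta(minutes=18), "IT provider",
                       "password reset, sessions revoked, MFA re-enrolled")
    log.record(t0 + timedelta(minutes=20), "evidence",
               "screenshots of phishing emails saved to offline drive", "Office manager")
    log.add_risk("LT-042 still on network pending isolation advice",
                 t0 + timedelta(minutes=25), "IT provider")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("\n".join(sample.timeline()))
    print(sample.first_hour_summary())
```

The log deliberately refuses to mark an asset as contained unless it was first recorded as affected, which catches the common mistake of noting the fix but not the finding. Keep the record on a device and channel that are not part of the suspected compromise.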

Preparation makes the first hour easier

The best first-hour response starts well before an incident occurs.

Senior leaders, governors and trustees should have a clear view of the school’s cyber risks, who owns them and how they would be managed in a crisis. That means asking practical questions: who has access to critical systems, how quickly that access can be removed, whether backups are tested, and whether staff know what to do if something looks suspicious.

The NCSC and DfE have produced guidance for school governors and trustees to help schools ask the right questions about cyber security in a proportionate way. The NCSC also encourages organisations to test their incident response arrangements through cyber exercising, so plans are understood by the people who may need to use them.

For schools and MATs, preparation should include a written incident response plan, named roles and deputies, offline copies of key contacts, clear supplier escalation routes, tested backups, multi-factor authentication, staff awareness training and business continuity arrangements.

Everything ICT can help schools and MATs put that preparation in place through compliant access to suppliers covering cyber assessments, Cyber Essentials support, penetration testing, managed IT, monitoring, backup and recovery, incident response planning and wider resilience support.

Cyber incidents are difficult, but they are easier to manage when roles, contacts and recovery steps are already agreed. For schools and MATs, the first hour should be about clear leadership, quick containment and informed decisions, supported by the right technical expertise where needed.