The Three Rivers Learning Trust was established in 2011 and consists of eight schools in Morpeth and Rothbury, Northumberland.
At The Three Rivers Learning Trust, our ambition is to support our schools so that the sum of the whole is greater than its constituent parts; each school must be capable of having a greater impact as a result of being a part of the Learning Trust.
Contracting Trust-wide external IT provision is one of the ways in which we can ensure value for money but at the same time receive a high-quality service from industry experts. Whilst we receive a fantastic service from our IT provider, the rise of cyber-attacks on the education sector and the sudden requirement for remote working and learning during the recent COVID-19 pandemic brought forward our plans to address cyber security more rigorously than before. Equally, we recognise that professionals trained in IT network management and support are not cyber security experts. Ultimately, we were seeking independent cyber security specialists whose role is dedicated to protecting school information and networks.
With a robust programme of internal scrutiny already in place at the trust, Secure Schools’ Internal Cyber Security Audit service promised to assess our cyber security risk management and provide the independent assurance required by our Trust’s governance.
The Trust sought to identify areas of strength and weakness including vulnerabilities in its IT networks, policies, procedures, and people. We initially identified key risk areas as:
- Strength and breadth of governance of how the Trust addresses key risk areas in information security such as cyber security related policies and incident management
- External exposure to cyber criminals
- Likelihood and impact of a phishing attack
- Delivery and monitoring of cyber security CPD
Secure Schools Helped Us By:
- Providing an initial self-assessment which was constructed using a language that school and Trust staff could understand and respond to easily – completing this ahead of the audit day enabled us to get the most out of the process
- Undertaking one-to-one conversations with multiple members of staff across the central team and member schools to scrutinise our adherence to policy and pave the way for further development
- Producing an easy-to-understand report and subsequent action plan for aligning with recognised standards and reducing cyber security risk
- Identifying specific areas to develop in our existing formal written cyber security incident management plan to make it more thorough and robust
- Providing us with technical cyber security assessments to measure the real risk level of cyber-attacks and inform risk assessments, with easy-to-understand reports that can be shared with our board
- Providing independent assurance of the security measures implemented by our IT service provider
In just a few short months since the start of our cyber security programme, the Trust has begun the process of embedding cyber security at the board level. This will start with appointing a board member responsible for cyber security and – as we work through Secure Schools’ prioritisation matrix from the audit report – will continue in both policy and process. Also, our risk register is much more detailed and robust as a result of the audit.
As a Trust, we are now much more informed, resilient, and proactive with regard to what good cyber security looks and feels like. The supportive way in which Secure Schools has worked with our Trust has enabled us to understand and own our cyber security risk, as well as continually develop a positive culture amongst all staff and board members.
Finally, the way in which the process has been conducted has enabled us to establish a constructive partnership between the Trust, our IT provider and Secure Schools. Strategic conversations regarding cyber security are positive, and as a Trust, we now feel much more knowledgeable and well-equipped to own our cyber security risk.
With the support of Secure Schools, following the immediate commencement of technical testing as recommended in the audit report, we are continuing to address all areas of the report and to further increase cyber security awareness and resilience across the Trust.
"We’ve found the whole process very reassuring in supporting improvement in an area of weakness for the Trust. Paul and the team are excellent at sharing their knowledge with clear and concise communication with staff of differing levels of technical skills. The focus on improvement rather than inspection really helped make the process impactful.”