• 0800 0862018
  • This email address is being protected from spambots. You need JavaScript enabled to view it.
  • Mon - Fri 8:00 - 17:00

InfoSec / Cyber

computer laptop with the words cyber incident review on the screen.  Data Protection Education logo on the notebook to the right of the laptop. Harry the Hacker cartoon phishing a laptop

Cyber Incident Review: The Benefits

A cyber incident review is a process or analysis undertaken after a cyber security incident or cyber attack has occurred.  It involves analysing the event in detail to understand what happened, why it happened and how it can be prevented in the future.
Key reasons for conducting a cyber incident review:
  1. Understanding the Incident: will allow an organisation to get a better understanding of attack.  Understanding the type of attack and which vulnerabilities were exploited, and the extent of the damage is crucial for improving future cyber resilience.
  2. Identifying Weaknesses: by analysing the incident, an organisation can identify weaknesses in its cyber security defences.  There might be gaps in policies, software that hasn't been updated, or training of staff may be needed.  Once any weaknesses have been identified, they can be addressed to prevent it happening again in the future.
  3. Improving Response Times: when there is a review of a cyber incident it can help an organisation improve response times for the future.  By understanding what went wrong, an organisation can streamline their response procedures and processes, meaning that any future incidents can be dealt with more swiftly and efficiently.
  4. Learning Opportunities: a cyber incident review is an excellent learning opportunity for everyone in an organisation.  It will also help raise awareness and promote a culture of cyber resilience throughout the organisation which in turn will improve cyber resilience.
  5. Compliance with Regulations or Insurance:  there may be regulations or insurance premiums that require this, but should be best practice anyway.  From a data protection point of view it will help meet the technical security measures required to protect personal data.
  6. Building Trust: by conducting a cyber incident review and following any steps recommended to help prevent future incidents, an organisation will build trust with its employees and customers.  In the cases of schools and multi-academy trusts it will build confidence in how they hold employee, parent and student data safely and securely.  It helps with transparency.

What should an incident review consist of?

  1. Understand the attack - understand how the intruder entered your systems and what the casualty was.
  2. Know the impact - what impact did it have on the organisation, can you measure the risk?
  3. Crisis response and recovery - how did your organisation respond when the crisis happened and what was the recovery process.
  4. Technology Infrastructure - understanding how your systems and network are put together will help you realise your weak spots and vulnerable areas. Could your infrastructure aid a criminal's entry into your systems?  Do you have an understanding of whether you are running any unsupported devices or software?  Best practice network design, access control, password hygiene, back up management etc, will ensure better resilience.
  5. Future risk assessment - review which systems were affected and compare to the organisation's risk register.  Could the attack reduce future risks by now forcing the retirement of old systems for example?  Is the organisation at increased risk because an attack has been successful?  Is there a risk of trying to return to' business as usual' too quickly and putting the organisation at increased risk by skipping steps in cyber recovery?
  6. Learning Lessons - document what lessons have been learned and what improvements were made.  What areas were enhanced as a result of the attack?  While looking at the systems is essential, remembering that it also affects staff wellbeing and can be devastating to an organisation, so factor in help and support for staff affected.

British Library Cyber Incident Review

We rarely see cyber incident reviews published, it's usually something held privately within an organisation, if at all.  The British Library recently published an 18 page incident review.  By doing this, they will help so many other organisations understand how they might help prevent an attack, recovery from one or perform a review.  Read the full review: British Library Cyber Incident

We can provide help and guidance when preparing for Cyber Essentials or a cyber response plan with our Information and Cyber Security Checklists.  If you are a school or trust we can provide an online checklist for the DfE Digital Standards for Schools and Colleges.

This is the kind of question we might ask your organisation:

Have staff completed cyber security training?

Invalid Input

Amazing, you have ticked off an important item on the Information and Cyber Security checklist.  Staff should have cyber security training annually if they have access to the network.  This should also include training and awareness about passwords, data breaches and information security.

For further help and guidance and access to the full checklist, please contact This email address is being protected from spambots. You need JavaScript enabled to view it..

As a controller you are responsible for keeping any personal data safe that you collected.  Raising cyber security awareness is part of keeping personal data and systems safe.  The DfE Digital Standards for School and Colleges advises that all staff that have access to the network should have annual training. This should include a designated governor.  The NCSC provides free School Staff Training.  Further free training is highlighted in this article: Free Cyber Training for Staff

Harry the Hacker loves to take data that isn't protected!


Clipart cartoon with headphones on Please contact us for more help and advice about data protection compliance and cyber security standards: This email address is being protected from spambots. You need JavaScript enabled to view it. including the full checklist and best practice. 


Try asking the data protection lead in your organisation, or SLT digital lead or contact your DPO:

We can provide help and guidance with data protection compliance, cyber security standards and records management: This email address is being protected from spambots. You need JavaScript enabled to view it. including the full checklist and best practice.

Article image base generated using Microsoft CoPilot AI and Canva.