ROCU – National Cyber Protect Network

The UK Government recognises the significant threat from cyber crime to UK businesses, charities, individuals and the educational sector. As part of the national strategy to tackle the threat of cyber crime, the national Cyber Protect network has been created.

Led by the City of London Police and that National Police Chief’s Council, the Cyber Protect network exists to help organisations protect themselves from attack as well as offering advice as to how to be prepared to deal with an attack when it does happen.

We know the educational sector is hard hit by cyber crime. Budgets are often tight with restricted funding for both the technological solutions and user awareness training. While ICT support is often outsourced, many educational institutions retain their own staff but cost pressures may limit opportunities for continuing professional development. In the Cyber Protect role we have met a significant number of staff who go above and beyond in supporting their school or college and develop themselves despite these pressures.

The threat from cyber crime is not an ICT function alone. Cyber Security should better be thought of as a whole organisation function which the Senior Leadership Team should own. There should be a designated lead on Information Security, of which Cyber Security is a part. This should not be the same person as the ICT lead. There is often a clear conflict between the two roles. Cyber risks should feature as part of the risk register for the organisation.

We know from our experience that phishing attacks continue to be the origin of the majority of attacks, followed by and often coupled with poor security practices such as weak passwords, password re-use and the lack of 2 Factor or Multi Factor Authentication. The education sector is often a target because the criminals know that their ability to defend themselves and preparedness for attack is typically less than in business. The criminals often loiter in the network to perform reconnaissance and corrupt defences such as system backups, before launching their attack.


Case Study: Further / Higher Education College

A large further education college with several thousand students was subject of a ransomware attack which occurred at the start of half-term. Everything was encrypted – sadly including the backups which were on the network. Understanding of the impact was limited – systems including fire, alarm, CCTV and door entry were all network based and could not be readily isolated. A ransom was demanded of over £200,000. Ofsted gave the college an ultimatum – they had three weeks or they would be closed down. The college had no choice but to pay a sum of between £50,000 and £100,000. It has taken months to recover from the incident, reconsider network design and improve resilience against future attack.


The Cyber Protect network is delivered by Regional Organised Crime Units (ROCUs) and individual Police services across the UK. Cyber Protect Officers are available to support you in improving your protection from and preparedness for cyber attack – for free. We can provide Cyber Security activities such as the Lego based Decisions & Disruptions tabletop exercise for Senior Leadership Teams and Cyber Awareness presentations for staff – for free.

There are lots of free resources from the National Cyber Security Centre (NCSC) – the public face of the Government Communication HeadQuarters (GCHQ) including infographics, board toolkit for Senior Leadership, Small Business Guide (equally applicable to education) and the latest advice on threats, incidents and keeping secure.

NCSC also provide the Cyber Security Information Sharing Partnership (CiSP) where professionals can exchange cyber threat information in real time in a secure environment. Exercise in a Box is a set of free cyber resilience exercises to test how ready you are for a cyber incident – including a threat hunting exercise.

Cyber Essentials is a UK Government scheme to check you are taking cyber security seriously. There is a self-assessment process to ensure a baseline of technical controls. There is an optional accreditation process including a ‘Plus’ certification which includes independent verification by a Certification Body. Your organisation should consider whether those in your supply chain are taking cyber security seriously by looking for Cyber Essentials accreditation.

Finally – and on the back of experience in dealing with victim schools and college – we would encourage you to ensure:

  • RDP is either disabled or made as secure as possible… we see a large number of breaches in education through this route
  • 2FA or MFA is switched on for as many systems as possible – especially Office 365 as more organisations migrate to it. Office 365 phishing is widespread
  • Backups – ensure they are air-gapped and that you test restoration processes
  • Be prepared! Have a cyber incident response plan and test it!

ROCUs: https://www.ncsc.gov.uk/information/regional-organised-crime-units-rocus

NCSC Guidance: https://www.ncsc.gov.uk/

CiSP: https://www.ncsc.gov.uk/section/keep-up-to-date/cisp

Exercise in a Box: https://www.ncsc.gov.uk/information/exercise-in-a-box

Cyber Essentials: https://www.cyberessentials.ncsc.gov.uk/

NCSC Office 365 2FA: https://www.ncsc.gov.uk/blog-post/securing-office-365-with-better-configuration

Andy Rawlinson
Police Cyber Prevent Officer & Cyber Security Advisor