Kansrijk Onderwijs Enschede (KOE) makes crisis management tangible through exercises and clear roles

At Kansrijk Onderwijs Enschede (KOE), digital resilience is no longer an abstract theme. As a foundation with thirty primary schools, one special primary education school, and a language school, KOE operates in a complex environment with large amounts of personal data, many processes, and a wide variety of staff members. In that kind of setting, it is essential not only to have policies on paper, but also to know what to do when things really go wrong. For Katja van Well, Head of Information Management and Privacy Officer at KOE, that was exactly why she wanted to put crisis management more firmly on the agenda.

The challenge

The biggest challenge was not so much a lack of awareness as the absence of a plan that was truly alive within the organisation. As in many educational organisations, privacy, GDPR, and compliance frameworks already received attention, but an incident response plan easily remained something that existed only on paper. For Katja, that did not feel sufficient, especially in a sector where dependence on digital systems is high and incidents can just as easily occur outside school hours.

Objectives

KOE was looking for an approach that would help to:

  • make an incident response plan practical and workable;
  • create clarity around roles, responsibilities, and escalation;
  • respond more quickly and effectively to cyber or privacy incidents;
  • enable leadership, support services, and ICT stakeholders to practise together;
  • structurally increase crisis awareness within a recently merged organisation.

Why CCRC?

The first introduction to CCRC took place during a network event, where Katja attended a session on cyber crises and the importance of practising. What stood out most was that almost no one in the room already had a concrete incident response plan. For Katja, that was sobering, but also motivating. After that session, the conclusion was clear: this should not be postponed, but arranged immediately.

CCRC stood out because of its combination of substantive expertise, practical experience, and ability to make the topic tangible. Not just by explaining what can go wrong, but by guiding teams through the trade-offs, tensions, and grey areas that arise during an incident.

The approach

CCRC facilitated an extensive cyber crisis simulation for KOE, based on a scenario involving a hack of the student information system and the associated parent communication app. During the exercise, the focus was not only on technical questions, but also on the administrative and organisational reality: when does something become an incident? Who should be involved, and when? And how do you prevent escalation from happening too late?

One important insight from the exercise was the role of communication. In the initial version of the existing plan, this had not been sufficiently incorporated, even though communication is crucial during an incident in order to act quickly and carefully.

The result

The collaboration with CCRC helped KOE make crisis management more concrete, realistic, and executable. The incident response plan is no longer just a document, but a practical tool that stakeholders can actually work with.

Roles and responsibilities have also become much clearer. The plan now explicitly sets out who is involved in which type of incident, how escalation takes place, and who takes the lead. In addition, the session increased awareness among the participating school directors, support services, and ICT coordinators. Not only about what to do in the event of an incident, but also about the broader reality: educational institutions are vulnerable too, and human error or social engineering can have major consequences.

Next steps

Over the next twelve months, the focus will be on repetition, broadening, and embedding. This is especially important in an organisation that has recently undergone a merger and where policies and ways of working are not yet equally well known everywhere. KOE intends to review its incident response plan annually and to raise awareness of crisis management more broadly, not only through exercises but also through internal audits. Posters about GDPR legislation in schools and practical guides on the intranet will further strengthen privacy awareness, reporting procedures, and practical awareness at school level.
