Ransomware in schools

4 things you can do now to prevent Ransomware disrupting learning 


Since August last year, the Education sector has sadly become a growing target for cyber criminals, so much so, the NCSC were compelled to alert the sector of the growing threat of ransomware in schools.

Unfortunately, where there’s a will there’s a way and whilst schools are taking every measure to shore up their defences, ransomware and other cyberattacks are an evolving threat which make it just as important to plan how you will manage and recover from an attack.

I don’t really want to mention the ‘C word’ (Covid-19) but it has had a massive impact on learning and working practices, especially where your technology, staff and students are located, it’s also diminished the control you have over your infrastructure. Perhaps this is one of the reasons why hackers see the education sector as an easy target?

So, what is Ransomware?

It’s a type of malware that uses encryption to hold a victim’s information for ransom.  It encrypts a user or organization’s critical data so that they cannot access files, databases, or applications. A ransom is then demanded to provide access.  Ransomware is often designed to spread across a network and target database and file servers, and as such can quickly paralyze an entire organisation.

Think about the responsibilities on IT managers and network technicians, they have snowballed from keeping services running into securing and defending your digital estate from highly skilled and motivated adversaries.

Attacks can be simple or sophisticated – we just need to make it as difficult as possible for hackers to gain access. Losing access to your core systems can result in learning disruption, school closure and even personal information disclosure.

Should we be afraid of Cyberattacks?

No, we shouldn’t! We’re not afraid of safeguarding or data protection, they’re a responsibility pervasive throughout the organisation and we fulfil that obligation with pride. So why should we be afraid of cybersecurity. It’s a key element of school security and one that crucially underpins Safeguarding and Data Protection along with many other responsibilities. Good cyber security will help improve student outcomes, the welfare of both students and staff and make your school a safer place to learn and work. So, no, we shouldn’t be afraid.  Aware and disciplined, yes, but not afraid.

What can we do to prepare for a Ransomware attack?

There are 4 areas schools need to consider when preparing for a Ransomware.

1. Plan

Plan for an attack even if you think it will never happen, consider your plans for:


Appoint an executive in your Trust or school who is responsible for cybersecurity.

Know what systems you have – a typical academy trust can have 30 core systems – identify your critical systems and determine the impact of these if they were affected by Ransomware.

Prioritise the systems you have – if you lost a core system for over an hour, or over a day how would you make do while your IT team are working to restore your systems?  Could you make do?

Backup your data – check with your IT team or provider, make sure they are regularly backing up the right data, that backups are held offline and they have tested that they can restore services and recover data from those backups.

Business Continuity

Does your Business Continuity Plan consider cyberattacks? If not, it really should. Business Continuity is key at the time of an attack, how can you co-ordinate your response and continue to operate as a school if you haven’t planned for it?

Ensure that incident management procedures and supporting resources such as procedures, task lists and contact information are available in the event you do not have access to your computer systems.  This is all the more prevalent now that there are hybrid operations with some staff and students learning and working at home.

Critical Incidents

Know your legal obligations regarding the reporting of incidents to regulators, and understand how to approach this including what steps you need to take and what information needs to be included.

Data Protection

Remember that if a cyberattack results in personal data being inaccessible, lost or stolen this is a data breach. Make sure staff are aware of this and know how to report it.

2. People


Make it easy for any member of staff to report an attack quickly and effectively and ensure they’re aware of the correct procedure when responding to this type of attack.

Response teams

Have you identified who, at executive level, will be responsible for cyber security at your organisation? Do you have an allocated team that will manage your response?

Establish which team members have the right skill sets to respond critical incidents, do enough staff have the skills in the event there are multiple incidents at the same time?

Do your existing plans consider that a significant part of your workforce or leadership team, or even students, may be at home and not onsite? How will you co-ordinate your response?


The ability to communicate during an emergency is critical, put in place alternative communication provisions that maintain data privacy and legal adequacy in the event your usual methods are unavailable.

If you’re unable to access your normal communications tools or your online files, think about how your staff might be able to access procedures and playbooks.  Can you be confident that they have the latest steps and policies to hand, realistically nobody will have read and memorised all of them!


If I could say something to colleague schools/academies, having just been ransomware attacked, I would absolutely suggest you take all this advice and look at the recommendations and particularly Office 365/Teams and ensure back-ups are off-site.

Karen Partridge

Skinners' Kent Academy Trust

Free quick guide to streamline your cyber security response using incident management tools

Ransomware in schools
Leave this field blank

3. Practise

They say practise makes perfect, in this scenario, I’m not sure about perfect but it can go a long way to helping prevent cyberattacks! Technology moves fast but so do hackers, a good plan today isn’t automatically a good plan tomorrow so keep reviewing, refining, and testing your plans.


Tracking your testing is just as important as the testing itself.  Make sure it’s happening, and ensure all testing steps (perform, review, discuss, improve) are followed.  Do this in a managed way so the executive level has visibility of your organisations strengths and weaknesses.

The same applies to your systems, make sure you keep up them up to date, and test for vulnerabilities regularly.


Work with your suppliers to understand how your organisation may be impacted if they were to experience a Ransomware attack, perhaps ask them to run an exercise for just that scenario.


Train staff regularly on identifying, avoiding and escalating cyber incidents, run regular group exercises with all stakeholders to refine your response, the NCSC has some great Exercises in a Box you could use for this.

Remember, your staff are both your strongest and your weakest link.  Don’t just test your plans, test your staff too! It’s not embarrassing to fall for a fake test email, it’s far better than falling for a real one!

4. Public

If you don’t already have one consider creating an internal and external communication strategy, it is vital you can communicate with all key stakeholders quickly and effectively whilst gathering information and intelligence during an incident. Ask yourself if your communication methods rely on systems that may be compromised by a ransomware attack and if so how do you plan to communicate?

It’s important to communicate with external stakeholders too but remember that anything you say externally, even to parents, could be shared with the media. Prepare your messages and press releases now whilst you have time to think about them, rather than rushing to do them when you’re in the middle of a crisis.


4 things you can do now

  1. Make cybersecurity an executive level responsibility
  2. Increase staff awareness and keep training them
  3. Follow the NCSC’s advice on planning for and responding to a ransomware attack
  4. Download our quick guide to streamlining your cyber security response using incident management tools

teamSOS can help


teamSOS is an incident and emergency response app for schools and Trusts. It provides staff with a quick way to report incidents of all types alerting the right response teams to manage the incident and provides in-app task lists, procedures and policies that can be followed precisely to ensure the best outcomes.

  • A simple ‘call for help’ button in the hands of every member of staff
  • Response team ‘hunt groups’ ensure immediate specialist support for each type of incident
  • Editable task lists make sure the correct procedures are followed for every incident
  • Timeline of each incident for later review and import into other systems

Arrange a chat with our team

Leave this field blank