“Ransomware is a type of malware that prevents you from accessing your systems or the data held on them. Typically, the data is encrypted, but it may also be deleted or stolen, or the computer itself may be made inaccessible.” The National Cyber Security Centre (NCSC).

The National Cyber Security Centre (NCSC) – part of GCHQ – has issued three specific alerts solely for the Education Sector in the last 10 months, as it responds to the increase in ransomware attacks on the UK education sector.

Ransomware can destroy school systems and victims often require a significant amount of recovery time to reinstate critical services. Often these events can be high profile in nature causing widespread public and media interest. There has also been a more significant risk since the COVID-19 pandemic as more and more school services and data is now held online.

We have seen the cost of this sort of recovery vary from between £20k to £50k depending on both the size of the establishment and the impact generated by the incident.

Our team at RM have explored the threat of ransomware to schools, and has some great advice to share on how to stop ransomware getting in, spreading and how to recover from an attack.

Stop ransomware getting in

Three of the most common routes in are phishing, web browsing, and services exposed to the internet.


  • Technical controls will vary between email providers, but we urge working with your onsite team to validate configuration options.
  • In Office 365, for example, we encourage the enablement of “Safe Links” controls to protect against bad URLs in emails (license permitting).
  • Beyond technical controls, it is important to also raise awareness of the risks of phishing. This can be done via internal messaging, blogs, or even physical posters.

Web browsing

  • Ensure that all web browsing goes via a proxy service that blocks access to known bad, suspicious, and high-risk sites.
  • Depending on the system in place, some proxy services can also virus scan content before it is downloaded from the web.
  • Finally, anti-virus can also block web access to suspicious and high-risk sites – these features must be enabled.

Services exposed to the internet

  • For any solutions that are internet accessible, e.g. Office 365 or Google Workspaces, multi-factor authentication should be enabled to protect access.
  • This is understandably difficult to enable for all staff and pupils, so we recommend focusing on teaching and administrative staff first.
  • Management access to internal servers and devices should never be exposed directly to the internet (e.g. RDP access to an internal server). Always ensure that access to internal resources is via a VPN (also protected with multi-factor authentication).
  • Finally, ensure that all devices are protected with unique and strong passwords – this will help provide protection whilst the measures above are implemented.

Stop ransomware spreading

Ransomware typically makes use of open networks, malware, and unpatched systems to spread.

Open Networks

  • Take efforts to segment networks with an analogy similar to bulkheads in a ship – the flooding of one compartment doesn’t spread to others and threaten the whole ship.
  • For example, ensure separate networks (wired and wireless) for staff and pupils. If possible, you could split further to a teaching staff and administrative staff network. A teacher will typically have to access more content, and therefore have a higher risk profile, than a member of the finance team.


  • Use the email and web browsing proxy controls mentioned above to limit chances of infection.
  • Ensure that anti-virus is installed and up-to-date on all devices.
  • We always recommend a managed anti-virus solutions where you can see all alerts in a single console and have visibility of your whole environment.


  • To patch effectively you need to know what is in your environment. We recommend building an asset register of systems, models, and their software versions (this can be as simple as a spreadsheet).
  • In terms of how quickly patches should be installed, Cyber Essentials provides a good baseline - ensure critical and high patches are installed within 14 days.
  • For Microsoft systems, patches are released on the second Tuesday of every month so installing those becomes just a simple scheduled task to plan for. For other systems, these should be monitored as and when they are released – having an asset register helps guide what to monitor.

Recovering from ransomware

Fundamentally ransomware is a modern version of extortion that leverages two things:

  1. The threat of service unavailability – pay the ransom to release your systems.
  2. The threat of data exposure – pay the ransom or we’ll leak your data.

Ransoms should never be paid – the nature of extortion is that if you haven’t fixed the root cause they will be back to exploit you again.

  • Prevention is the best cure against the threat of data exposure, but the other control is to encrypt data wherever you can. That is often complicated and more suitable for business, hence it is not prominent in Government advice to the education sector.

Having good, reliable, and accessible backups is key to technically recovering from ransomware if it happens:

  • Ensure backups are in place for all key systems and are taken regularly (daily is recommended).
  • The backup data must be separate from your network - otherwise the ransomware will encrypt both your systems and your means of recovery.
  • The easiest method to achieve this is to have a copy of backup data in cloud storage. Another common method is with tape backups, but this comes with higher management and maintenance cost.
  • It is key to test data restores using your backup system. Also, in the event of ransomware, it is likely your backup server itself will become unavailable so have a process ready for how to get that back up and running from the data in the cloud. Your backup server will be the first system to restore.

Finally, be prepared with internal response plans. We recommend the NCSC’s exercise in a box offering to promote discussion amongst teams:

  • Know how and who will manage the incident.
  • How will you communicate to staff, pupils, and parents?
  • How will you continue to operate whilst also responding?

We are sorry to end the school year on such a sombre note – especially after all that schools have been through in the last 15 months – but we do believe that this is such a serious issue as to be discussed, and where some relatively small actions could help schools avoid something much worse in the future.

If you’re worried about your school’s cyber security or want to chat to one of our experts, contact us.

back to top button
back to top button