padlock on keyboard

Cyber risk for schools

Richard Evans, Partner, Head of Risk and Assurance - Social Purpose and Non Profits
padlock on keyboard

The increased use of the internet, digital applications and innovation present many opportunities for independent schools to enhance the learning offering and engage with students in a digital age. 

Technology can also be used in wider stakeholder engagement, including the efficient and effective management of relationships with parents, funders and alumni – it has never been so easy to be connected and develop relationships. This has never been so critical as during the current period which schools have encountered, both in terms of the provision of remote learning, as well as the hybrid examination approaches being developed. 

In addition, the Russia/ Ukraine conflict has increased the scale of cyber related activity, heightening the need for focus in this area. Within the UK, given the emerging economic challenges (with inflation/ cost of living/ energy) there is also the potential for either staff to lose focus and not implement control measures, as well as a general increase in fraudulent activity in a period of economic uncertainty.

From a risk perspective, schools hold considerable amounts of sensitive personal data of children, parents, staff, donors and alumni – all of which present a security risk which has to be managed.

Back in 2019, the National Cyber Security Centre and the London Grid for Learning completed an audit into cyber security within schools

Key findings from this included:

  • The vast majority of schools had experienced a cyber incident, with 69% of respondents referring to phishing attacks and over a third stating they had lost access to data for a period.
  • Over 90% of schools stated that they wanted more cybersecurity awareness training for non IT staff.
  • 85 percent of schools had a cyber security policy or plan, but only 45 percent included core IT services in their risk register and only 41 percent had a business continuity plan.
  • Less than half felt well equipped to manage a cyber-attack. 

While the report predates the pandemic the issues, in our view, will have been exacerbated. We have seen a huge increase in phishing and ransomware incidents and in particular, schools being subject to ransomware attacks, which we have focussed on below. 

Ransomware is a type of malware that prevents you accessing your computer or the data stored in it. This generally impacts the entire network as once an attacker has accessed the systems, they will identify where key data is stored and encrypt the entire network at the point of attack. Payment (the ransom) is then requested, usually in cryptocurrency, with contact made by an untraceable email address, with threats to release the sensitive data if the ransom isn’t paid. It should be recognised that the data may not be released even if the ransom is paid. 


Key actions to take to address this risk include:

  • How does the school provide access to its systems? There are often a large number of user accounts in place, so there needs to be effective controls in place to authenticate users.
  • In addition, when considering access, is this only granted on a needs basis and how is this controlled?
  • Ensure there are monitoring controls to identify if there is an attacker present on the network.
  • Segregate the network, so that if one computer is compromised this does not allow access to the remainder of the network.

Overall, there is a need for an effective response plan should an incident occur. This should include the key contact points, escalation processes for senior management and the Board, key responsibilities, an available conference number (accessible without the network), how critical functions can be operated and importantly, access to the incident response plan and contact points in an offline form. 

We would also recommend testing this – in our experience, a desktop exercise can be used to raise staff awareness and learn lessons. You should also be aware of your cyber insurance contact points and how you can access them without systems access. 

If you are subject to a ransomware attack you need to consider how you would respond – how to identify the data which has been compromised, engage with stakeholders and in more extreme cases, how to manage a recovery process which takes an extended period. 

These attacks will often target the back ups of the school, so it is critical to understand the key data which is backed up and pertinently, where it is stored. For example, is this offline, in a different location from the network or stored in a cloud service?

There are also challenges where real time replication (which can often be part of a standard Windows setup) is in place – as a result, as soon as the ransomware attack occurs the replicated back up is also subject to the attack.

In conclusion, we recommend that schools both refresh and renew their approach to cybersecurity, considering the full lifecycle of the process and asking a series of key questions.


  • How do you manage access to the network and applications?
  • Do you understand the information security measures in place? 
  • Have you increased the frequency of vulnerability scanning and are remedial actions undertaken?



  • Is there segregation of the network?
  • Does this consider access to users and the difference between the business operations and the administration of systems?
  • Have you reviewed back up processes and are they being undertaken?
  • How do you manage the risk of ransomware if back ups replicate in real time?



  • Is monitoring being completed over the potential threats?
  • How are unauthorised access/ attackers detected?



  • Is there an incident response plan in place?
  • Has this been tested, are people aware and how will this be accessed if systems are unavailable?
  • Do you have cyber insurance and what does this include? Importantly, are there are requirements upon the school to ensure that the insurance is valid?



  • Are staff aware of potential threats and how this has changed? • What lessons have been learnt and communicated?
  • Are you monitoring communications from the National Cyber Security Centre?

If you require any further advice on any of the above, please contact Richard Evans or your usual Crowe contact.

Contact us

Richard Evans
Richard Evans
Partner, Head of Risk and Assurance