The inevitable attack

Published by Matt Setchell on

“It’s a case of if not when” for schools and trusts to be the recipients of a successful cyber attack.

And that is what is keeping a lot of IT folks awake at night. At the very time when use of IT in education is moving past the basics and staff and students are embracing exciting developments with leadership seeing the benefits.

Cyber attacks have, and always been a risk for schools. But schools have for a long time been cautious about moving their data outside of local systems, and even opening up external access to it.

Since the start of the current pandemic, this has rapidly changed – without the time often for the awareness training that is needed for schools to understand the risks, and ensure they have plans and mitigation’s in place to try and delay or minimise the impact of the inevitable attack.

Not only do schools have new systems in place, and a larger attack surface with more access to more data – but we have more devices in edu-IT then ever before, being used by staff and students anywhere anytime.

As with most things IT in Education, the cheapest -or – using the same as everyone else, or the system a mate recommended is the norm. Schools haven’t completed due diligence nor are they actively testing their defences and indeed their users – to understand and plug the gaps in defences.

And whilst prevention is ever so important, the fact that these attacks are inevitable – means that there is a need to be prepared for what to do when they do happen. Having seen major attacks at trusts over the last couple of months, including one at the Harris federation where it took all IT, websites, phones and devices offline for a period of weeks – and following the DFE email to trust leaders yesterday – the importance of having an action plan is clearer then ever

For me, there are 3 key areas to focus on:

Data protection and recovery

If you haven’t already protected access to your data by implementing MFA – you should do so now. And you should include secondary age pupils on that.

You should be testing your backups, not just making sure they happen, you should make sure you know what is being backed up – and most importantly make sure you have an offline backup. You should have multiple backups on multiple platforms and devices. Local and cloud.


Get a plan in place so everyone knows what to do – what can you do if a disaster strikes. Who is responsible. Lines of communications when traditional methods are down. What do you need to prioritise recovery of first?


Users will likely be the cause of any issues. Not on purpose of course, but they are likely to have enabled someone somewhere initial access, so the best way to protect yourself, or even just so you know when something has been breached – is to train your staff. Now.

In my work at Lourdes IT I am faced with schools that it’s my job to implement and schools where it is my job to advise, and as such I delivered a training session to those I advise on cyber security which is available on YouTube for all;

I’m also happy to chat through within anyone who wants advice – @msetchell on Twitter

Categories: Blog