Backup and Disaster Recovery for Schools: Surviving Ransomware Without Paying the Ransom
Clean, tested backups are the most important control for surviving a ransomware attack without paying the ransom. Yet many UK schools discover during a ransomware incident that their backups were not working, were also encrypted by the attacker, or had never been tested and could not be restored. Lincoln College's 2021 ransomware attack — which contributed to its permanent closure in 2022 — illustrated the catastrophic consequences for an institution that cannot recover critical systems from backup. The Harris Federation's recovery took weeks in part because of the scale of systems that needed to be restored.
Lincoln College cited ransomware as a contributing factor to permanent closure in 2022 — system recovery from backup determines whether an institution survives a ransomware attack.
The 3-2-1 Backup Rule for Schools
The 3-2-1 backup rule provides a simple framework for schools to assess their backup posture:
- 3 copies of data: the live data plus two backup copies
- 2 different storage types: e.g. local server backup plus cloud backup
- 1 offsite or offline copy: a backup that is not connected to the school network — so ransomware cannot encrypt it
- The critical addition: test your restores. A backup that cannot be restored is not a backup.
What Data Schools Must Back Up
Schools should identify their critical data and ensure it is backed up appropriately:
- School Management Information System (MIS) database: pupil records, attendance, assessment data
- Financial records: accounts, payroll, ESFA reporting data
- Staff and pupil documents: shared drives, class resources, schemes of work
- Email: critical communications and records
- Configuration data: server configurations, network settings
- Website and public-facing systems
The Cloud Backup Misconception
Many schools believe that storing data in Microsoft 365 (OneDrive, SharePoint) or Google Drive provides adequate backup protection. This is a misconception. Cloud storage synchronises data — but if ransomware encrypts local files, the encrypted versions may sync to the cloud, overwriting the originals. Microsoft 365 and Google Workspace both include version history that can provide some recovery capability, but this is not a substitute for a dedicated backup solution. Dedicated cloud backup services for Microsoft 365 and Google Workspace — such as Veeam, Acronis, or similar — maintain independent copies that are not affected by ransomware-driven synchronisation.
Testing Backups: The Step Most Schools Skip
The most common backup failure mode in schools is the backup that was never tested. IT staff configure a backup solution, see the green status light, and assume all is well — until a ransomware attack reveals that the backup job has been failing silently for months, or that the restore process takes much longer than anticipated and requires specialist knowledge that the school's IT staff do not have. Schools should schedule quarterly backup restore tests — actually restoring a sample of files from backup to verify the process works. Annual full restore exercises — recovering a complete system from backup — should be planned and practised before they are needed in a crisis.
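One way to script the quarterly sample restore test described above, as an added example that is not part of the original article or any vendor's tooling. It assumes a SHA-256 manifest is recorded at backup time; the function names, manifest format and file names are hypothetical, and the sample data is constructed.

```python
import hashlib, random, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()  # fine for sample-sized files

def build_manifest(source_dir):
    """At backup time: relative path -> SHA-256. Store it with the offline copy."""
    root = Path(source_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restore_dir, sample_size, seed=None):
    """Quarterly test: hash a random sample of restored files against the manifest."""
    names = sorted(manifest)
    sample = random.Random(seed).sample(names, min(sample_size, len(names)))
    report = {"checked": len(sample), "missing": [], "mismatch": []}
    for rel in sample:
        restored = Path(restore_dir) / rel
        if not restored.is_file():
            report["missing"].append(rel)        # in the backup set, not restorable
        elif sha256_file(restored) != manifest[rel]:
            report["mismatch"].append(rel)       # restored, but contents differ
    # An empty sample is a failure too: "nothing checked" must never read as green.
    report["ok"] = bool(sample) and not (report["missing"] or report["mismatch"])
    return report

def backup_is_stale(last_success, max_age, now=None):
    """True if the last successful job is older than the acceptable data loss window."""
    now = now or datetime.now(timezone.utc)
    return now - last_success > max_age

def demo():
    """Constructed data: a restore with one file corrupted and one missing."""
    files = {"mis/pupils.csv": b"id,name\n1,A\n",
             "mis/attendance.csv": b"id,present\n1,Y\n",
             "finance/payroll.csv": b"id,net\n1,100\n"}
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for rel, data in files.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_bytes(data)
        manifest = build_manifest(live)
        (restored / "mis").mkdir(parents=True)
        (restored / "mis/pupils.csv").write_bytes(files["mis/pupils.csv"])
        (restored / "mis/attendance.csv").write_bytes(b"\x00" * 16)
        return verify_restore(manifest, restored, sample_size=3, seed=1)

if __name__ == "__main__":
    print(demo())
```

Run the check against files restored to a scratch location, never over live data, and record each report so a run of failed or stale jobs is visible before an incident.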
Frequently Asked Questions
How often should schools back up their data?
Critical systems — MIS, financial systems, email — should be backed up daily at minimum. For schools with active document collaboration, continuous or hourly backup may be appropriate. The backup frequency should match the acceptable data loss window: if losing one day of data would be a serious operational problem, the backup frequency should be shorter than one day.
What is an immutable backup and does my school need one?
An immutable backup cannot be modified or deleted for a defined retention period, even by an administrator with full access. This means ransomware — which typically attempts to delete or encrypt backup files — cannot compromise an immutable backup. For schools, immutable backups in a cloud storage service (such as Azure Blob Storage with immutability policy, or a dedicated backup platform with immutability) provide strong protection against ransomware targeting backup systems. Larger schools and MATs should consider this as part of their backup strategy.
How long does it take to restore a school from backup after a ransomware attack?
This depends entirely on the amount of data, the backup system, network speed, and available IT resources. Based on UK education sector incidents, meaningful restoration of critical systems typically takes one to four weeks. Schools that have tested their restores, have documented recovery procedures, and have engaged an incident response specialist will recover faster than those encountering the restore process for the first time during a crisis.