A ransomware attack hit a Southampton school earlier this year. They were locked out for four days – no lessons, no access to safeguarding records, no way back in. The painful part? They had a backup. But they were unable to restore systems quickly, which resulted in a four-day shutdown and reliance on external experts.
That’s the gap nobody talks about. Not whether you have a backup, but whether it actually works when it matters.
The numbers are stark
According to Secure School’s State of School Cybersecurity, only 25% of schools have backup methods that meet their operational needs. Which means if you’re reading this, there’s a reasonable chance your school is in the 75% – and you might not know it yet.
Ransomware isn’t slowing down either. The 2025 State of Ransomware in Education Report found that lower education providers faced the highest average recovery costs of any sector surveyed. And Ofqual’s data shows that while fewer schools experienced incidents last year, the damage when it did happen nearly doubled.
Paying the ransom, by the way, is strongly discouraged by the DfE and UK Government, and the Cyber Security and Resilience Bill aims to ban public bodies from paying ransom in the future. There’s no guarantee you’ll get your data back – and you’re likely to become a repeat target.
What good actually looks like: the 3-2-1 rule
The 3-2-1 rule is the standard your backup strategy should be measured against:
- 3 copies of your data
- 2 different storage types
- 1 stored offsite
It’s not complicated, but it does require intention. A backup sitting on the same network as your MIS isn’t truly separate – if ransomware hits your network, it hits your backup too.
That’s worth checking with your current provider.
It’s worth mentioning here that offline doesn’t mean a USB drive in a drawer or a physical hard drive in the server room. The NCSC and RPA consider cloud backups “offline” if they’re unreachable from your local network and protected by multi-factor authentication (MFA).
MFA is what creates the separation between your network and your backup. If an attacker compromises your systems, MFA stops them getting to your backup too.
The 10-minute test you can do right now
You don’t need a new procurement process to find out where you stand. Here’s a quick first check:
- Pick a folder or document your school uses regularly
- Ask IT to delete it
- Try to restore it from your backup
- Note how long it takes — and whether the data is intact
That’s it. That’s your baseline. If it works, great — now schedule it termly (which is what the DfE standard expects). If it doesn’t, you’ve just found something important before a crisis did.
The goal is to build up to full-system restores over time. But starting somewhere is infinitely better than assuming it works.
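The 10-minute test above, sketched as an added example (not Wonde's or any backup vendor's code): it fingerprints the chosen folder before deletion, times the restore, and reports which files came back missing or altered. The `delete_and_restore` callable is a hypothetical stand-in for the manual delete and restore steps.

```python
import hashlib
import time
from pathlib import Path


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(folder):
    """Map each file's path (relative to folder) to its SHA-256 digest."""
    root = Path(folder)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(before, after):
    """List files that are missing, altered or unexpected after a restore."""
    return {
        "missing": sorted(set(before) - set(after)),
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
        "extra": sorted(set(after) - set(before)),
    }


def restore_test(folder, delete_and_restore):
    """Run one restore test and return a record for the termly test log.

    delete_and_restore is a hypothetical callable standing in for the manual
    steps: IT deletes the folder, then restores it from the backup.
    """
    before = build_manifest(folder)
    if not before:
        raise ValueError("folder is empty: pick one the school uses regularly")
    started = time.monotonic()
    delete_and_restore(folder)
    elapsed = time.monotonic() - started  # time to restore, excluding hashing
    record = compare_manifests(before, build_manifest(folder))
    record["files_expected"] = len(before)
    record["restore_seconds"] = round(elapsed, 1)
    record["intact"] = not (record["missing"] or record["changed"])
    return record
```

Keep each returned record with the date of the test so the termly results can be compared over time.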
And who actually owns your backup plan? The DfE expects a named owner, not a shared assumption. This is a whole-school responsibility. The SLT digital lead should take ownership: they need not do everything themselves, but they should be accountable for it.
It should also feed into your wider business continuity planning. Your backup strategy isn’t a standalone document — it’s part of how your school keeps running when things go wrong. And it needs to be tested termly and reviewed annually.
What to look for in a backup solution
Whether you’re using your MIS provider or a dedicated tool, here’s what actually matters:
Offsite and immutable – Once your data is written, it can’t be deleted or encrypted by an attacker. If that’s not the case, it’s not a real backup.
Frequency – Standard 24-hour backup cycles mean a 3pm incident costs you an entire day’s attendance records and safeguarding notes. Look for 2–4 hour sync windows.
Tested, not assumed – A backup only exists if it works. Look for proactive monitoring, not just a status light you check when something’s already gone wrong.
A clear recovery process – In a crisis, you need to know exactly who calls who, and how long it takes. Ideally, your data is back within 24 hours with a verified handover to a senior leader.
Reasonable cost – We’ve heard of schools paying up to £800 a year for backup. Wonde’s Data Recovery is from £120+VAT annually – because cost shouldn’t be the reason a school skips this.
A quick note on cloud data
If your school uses cloud tools — and most do — it’s worth knowing that most cloud providers operate a shared responsibility model. They look after the infrastructure; you’re responsible for your data. Retention policies aren’t the same as backups. Your data, your responsibility.
FAQs
Yes. The 3-2-1 rule is about resilience, not any single tool. Your cloud backup can be one part of that strategy — just check whether it genuinely meets the criteria (offsite, immutable, tested), and fill in the gaps where it doesn’t.
Start anywhere. Delete a file, restore it, time it, log it. That’s your baseline. Build from there — termly testing, then full-system restores. The DfE expects termly testing; getting to that point is a process, not a switch.
There’s no single answer — it depends on the data. Your DPO is the right person to advise on retention periods for different types of records. The DfE standard expects retention to be factored into your backup planning.