The school calendar has predictable windows of elevated risk. Ransomware operators are known to time attacks to maximise pressure on schools.
Late August to early September and January (return from Christmas break) are historically the most common periods for ransomware deployment against UK schools.
Here’s what you need to know, and what you can do to protect your school.
September (back to school)
Back to school is historically the most common time for ransomware attacks in English schools.
The new academic year also means new staff accounts, and this creates fresh phishing opportunities.
Actions to take
- review and remove leavers’ accounts – make sure only current staff and students have access
- enforce multi-factor authentication (MFA) on all staff accounts, especially email and remote access
- run phishing awareness training for all staff at the start of term
- check email filtering and anti-phishing protections are up to date
- make sure all devices (staff and pupil) have the latest security patches before they are issued
- check that backup systems are working and test restoration (including critical systems like MIS)
- avoid default broad permissions and apply least-privilege access for new starters
December to January (Christmas break)
The winter break and January return to school is another common time for ransomware attacks. This is because systems may be unmonitored during the holidays, giving attackers time to gain access and move through networks undetected before deploying ransomware when staff return.
Actions to take
- keep monitoring over the holidays and make sure alerts or managed service coverage is in place
- make sure all critical security updates are applied before school closures, especially for servers, firewalls and endpoints
- review remote access systems like VPNs and Remote Desktop Protocol (RDP) and disable any unused access
- make sure you have a recent backup that is offline and immutable, and test restoring before the break
- have clear incident response contacts and escalation routes while the school is closed
- audit admin accounts and remove or disable any that are not required
- enable automatic alerts for suspicious activity, such as logins and privilege changes
May to July (exam season)
Deadlines create leverage for attackers. GCSE and A-level coursework, predicted grades and awarding body credentials are time-sensitive assets. Destroying or encrypting materials close to submission deadlines can have serious consequences for pupils.
Attackers may gain access at an earlier point but wait to deploy an attack during this window. They can then exploit fixed deadlines (exams, results day, term starts) to maximise pressure to pay.
Actions to take
- restrict access to systems, folders, and portals related to exams and awarding bodies
- apply additional monitoring on systems that have coursework, grades, and submissions
- back up assessment data more frequently (daily or more often close to deadlines)
- test rapid restore procedures for critical exam data
- brief staff on targeted phishing risks, for example messages from fake awarding bodies
- ensure strong authentication (MFA) on all exam-related accounts
- lock down file-sharing permissions and disable unnecessary external sharing
July to August (summer holidays)
IT teams and school leaders are often absent or reduced over the holidays. Attackers can map networks and exfiltrate data undetected during periods of decreased monitoring.
Actions to take
- maintain baseline monitoring (logs, alerts) even with reduced staffing and identify who will get any alerts
- use quieter periods to conduct vulnerability scanning and patching
- review and clean up user accounts – remove leavers and audit permissions
- segment networks where possible to limit spread of any intrusion
- check backup integrity and have at least one copy offline or immutable
- review your cyber response plan and update contact lists for the next academic year
- schedule security improvements and projects
Throughout the year
Attacks can happen at any time, but some activities follow predictable patterns that call for extra vigilance. For example, business email compromise (BEC) fraud peaks when schools process supplier payments.
Actions to take
- implement MFA for critical systems: email, admin accounts, remote access
- keep all systems patched regularly and establish a patching schedule
- train staff regularly on phishing, password hygiene, and reporting incidents
- use strong, unique passwords and consider password managers
- secure backups – make sure they are frequent, tested, and protected from deletion and encryption
- apply least-privilege access principles and regularly review permissions
- monitor for suspicious activity (logins, unusual file access, configuration changes)
- have a tested cyber incident response plan and ensure staff know how to report issues
Take extra care at times when:
- IT staffing levels are low (increase monitoring and ensure on-call cover)
- new accounts are created (apply MFA immediately and restrict privileges)
- payments are made (verify supplier details independently; watch for BEC scams)