
The Hidden Risk That Nearly Cost a School £250,000: Why IT Belongs on Your Risk Register

  • Dec 19, 2025
  • 7 min read

SCROLL FOR YOUR FREE RISK REGISTER TEMPLATE



*Names have been changed for obvious reasons.

When Sarah Mitchell became the new business manager at Oakwood Primary School in September 2022, she inherited what looked like a well-organised risk register. It covered everything you'd expect—asbestos management, fire safety, safeguarding procedures, staffing levels, even the ageing boiler that needed replacing.


What it didn't cover was IT security.


Six months later, on a Monday morning in March, staff arrived to find they couldn't access anything. The school's entire network had been encrypted by ransomware. Every pupil record, every lesson plan, every financial document—locked. The attackers demanded £50,000 in Bitcoin.


"It was absolutely terrifying," Sarah recalls. "We had no idea how they got in, whether our data had been stolen, or how long it would take to recover. We couldn't even take the register properly."


Oakwood isn't alone. According to the National Cyber Security Centre, education is one of the most targeted sectors for cyberattacks. Yet when we audit schools and businesses, we consistently find that IT risks are either completely absent from risk registers or given a cursory mention with no real assessment behind them.

This needs to change.


Why IT Risks Get Overlooked

There's a strange disconnect happening in organisations across the UK. Everyone knows technology is important—critical, even. But when it comes to formal risk management, IT often gets treated as "someone else's problem."


Here's what we typically hear:

"Our IT technician handles all that."

"We've got a managed service provider who looks after our systems."

"We haven't had any problems so far."


The issue is that risk registers are supposed to identify potential problems before they happen, not after. And whilst your IT support might be excellent at keeping things running day-to-day, they're not necessarily thinking about risks in the same systematic way that a risk register demands.


There's also a knowledge gap. Many senior leaders and governors who review risk registers regularly don't have a technical background. They can spot issues with building maintenance or financial procedures, but they're less confident assessing whether the organisation's backup strategy is actually fit for purpose, or whether staff are adequately trained to spot phishing emails.


What Should Be on Your IT Risk Register?

A comprehensive IT risk assessment should cover several key areas:

Infrastructure and Systems

Are your servers and network equipment reliable? What happens if they fail? How quickly can you restore services? We often find schools running critical systems on ancient hardware that's long past its support lifecycle, with no budget allocated for replacement.


Data Security and Privacy

You're holding sensitive information about staff, pupils, clients, or customers. How is it protected? Who has access? What would happen if it was stolen or leaked? GDPR fines can be substantial, but the reputational damage is often worse.


Backup and Disaster Recovery

Everyone says they do backups. But when did you last test a restore? Where are the backups stored? If ransomware hits, will your backups be encrypted too? These aren't hypothetical questions—they're the difference between a few hours of disruption and weeks of chaos.
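"When did you last test a restore?" is the question most often answered with "we're sure it works" and never actually checked. As an added example, not code from the original post or from Oakwood's own systems, the POSIX shell script below backs up a constructed sample directory to a tar archive, restores it into a scratch location, and verifies every file against a SHA-256 manifest taken before the backup. It also shows the same test catching a truncated archive, the kind of silently incomplete backup job that only gets noticed on the day you need it. All paths and sample data are constructed for the demo; it assumes GNU `tar` and coreutils `sha256sum` are available.

```shell
#!/bin/sh
# Added example (not from the original post): an automated restore test.
# Backs up a directory, restores the archive into a clean location, and
# checks every restored file against a SHA-256 manifest. Paths and data
# below are constructed for the demo.
set -eu

# Build a small constructed dataset standing in for school records.
make_sample_data() {
    dir="$1"
    mkdir -p "$dir/records" "$dir/plans"
    printf 'pupil,class\nA. Example,3B\n' > "$dir/records/register.csv"
    printf 'Week 1: fractions\n' > "$dir/plans/maths.txt"
}

# Write a manifest of SHA-256 hashes for every file under $1, using paths
# relative to $1 so the manifest can be checked from the restore directory.
write_manifest() {
    src="$1"; out="$2"
    (cd "$src" && find . -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done) > "$out"
}

# Create the backup archive from the live directory.
backup() {
    src="$1"; archive="$2"
    tar -C "$src" -cf "$archive" .
}

# Restore the archive into an empty directory and verify it against the
# manifest. Returns 0 on a clean restore, 1 if the archive is unreadable
# or any file is missing or altered.
test_restore() {
    archive="$1"; manifest="$2"; restore_dir="$3"
    rm -rf "$restore_dir"
    mkdir -p "$restore_dir"
    if ! tar -C "$restore_dir" -xf "$archive" 2>/dev/null; then
        echo "RESTORE FAILED: archive unreadable or incomplete"
        return 1
    fi
    if (cd "$restore_dir" && sha256sum -c --quiet "$manifest"); then
        echo "RESTORE OK: all files verified"
        return 0
    fi
    echo "RESTORE FAILED: restored files do not match manifest"
    return 1
}

# Happy path: returns 0 when a good backup restores and verifies cleanly.
demo_good_backup() {
    work=$(mktemp -d)
    make_sample_data "$work/live"
    write_manifest "$work/live" "$work/manifest.sha256"
    backup "$work/live" "$work/backup.tar"
    if test_restore "$work/backup.tar" "$work/manifest.sha256" "$work/restored"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Failure mode: simulate an interrupted backup job by truncating the archive.
# Returns 0 only if the restore test detects the bad backup.
demo_detects_bad_backup() {
    work=$(mktemp -d)
    make_sample_data "$work/live"
    write_manifest "$work/live" "$work/manifest.sha256"
    backup "$work/live" "$work/backup.tar"
    head -c 600 "$work/backup.tar" > "$work/truncated.tar"
    if test_restore "$work/truncated.tar" "$work/manifest.sha256" "$work/restored"; then
        rc=1   # a truncated archive must not pass
    else
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

demo_good_backup
demo_detects_bad_backup
```

Run on a schedule against a copy of a real backup, with the manifest taken at backup time, and the "RESTORE OK" line becomes the evidence a risk register entry can cite. The script verifies that the backup restores; where the backups live (and whether a ransomware infection on the main network could reach them) is a separate control that still needs its own entry.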


Cybersecurity

Do you have adequate firewalls and antivirus protection? Are systems patched and updated regularly? Is staff training on phishing and social engineering up to scratch? The weakest link in any security system is usually human behaviour.


Third-Party Suppliers

What about your managed service provider, your cloud platforms, your payment processors? If they have a security breach, what's the impact on you? Do you have contracts that actually protect your interests?


Compliance

Depending on your sector, you might have specific regulatory requirements—GDPR, Cyber Essentials, industry-specific standards. Non-compliance isn't just about fines; it can prevent you from winning contracts or accessing certain funding.


The Oakwood Case Study: What Went Wrong

Let's return to Oakwood Primary. What actually happened, and could it have been prevented?


The attack came through a phishing email sent to a teaching assistant. It looked like a legitimate message from the local authority about pension changes, with a link to a document. When she clicked it, malware was silently installed on her computer.


Because the school's network wasn't properly segmented, the malware could spread from her workstation to the servers. The school's antivirus software was outdated—they'd been using the free version because "it had always been fine." There was no email filtering to catch suspicious messages before they reached staff inboxes.


The school did have backups, which was good news. The bad news? They were stored on a server connected to the same network. The ransomware encrypted those too.

Staff hadn't had any cybersecurity training in over three years. Most didn't know what phishing was, let alone how to spot it.


When we conducted an independent audit six months after the incident, we found 23 significant vulnerabilities that should have been on the risk register. None of them were.


The Real Cost

Oakwood didn't pay the ransom. Instead, they:

  • Brought in a specialist cybersecurity firm to clean and rebuild their systems: £18,000

  • Replaced compromised hardware: £12,000

  • Purchased proper backup solutions with offline storage: £4,500

  • Implemented proper email security and endpoint protection: £3,800 annually

  • Conducted mandatory staff training: £2,200

  • Hired a data protection consultant to assess GDPR implications: £6,500

  • Dealt with ICO notification and investigation (no fine, fortunately, but significant time cost)

Total direct costs: Over £47,000.

Then there were the indirect costs. Three weeks of serious disruption to teaching and learning. Hundreds of hours of senior leadership time dealing with the crisis instead of running the school. Parent confidence shaken. Staff morale affected.

Sarah estimates the true cost, including lost time and productivity, was closer to £80,000.


"The worst part," she says, "is that it was entirely preventable. If we'd had IT properly represented on our risk register, if we'd asked the right questions and done an independent audit, we would have spotted these vulnerabilities. We could have spent £5,000 fixing things before the attack instead of £80,000 after it."


The Value of an Independent Perspective

One of Oakwood's mistakes was assuming their IT support provider had everything under control. In fact, their provider was a small local firm doing their best with limited resources. They kept the day-to-day systems running, but they weren't equipped to provide strategic advice on cybersecurity or business continuity.


This is why we always recommend getting an independent IT risk audit, even if you have internal IT staff or a managed service provider. It's not about catching them out or suggesting they're not doing their job. It's about getting a fresh pair of eyes to spot things that might be missed when you're dealing with systems every day.


Think of it like a financial audit. You might have an excellent finance team, but you still get external auditors to verify everything's in order. The same principle applies to IT.

An independent auditor will:

  • Assess your systems objectively, without any vested interest in defending previous decisions

  • Bring experience from working with dozens of other organisations, so they know what good looks like

  • Ask uncomfortable questions that internal teams might avoid

  • Identify risks that have become normalised or invisible to people who work with them daily

  • Provide evidence-based recommendations that you can present to governors or senior leadership


What Happened Next at Oakwood

After the attack, Oakwood completely overhauled their approach to IT risk management.

They created a comprehensive IT section in their risk register, covering all the areas we've discussed. They appointed a tech-savvy governor to provide oversight. They upgraded their systems and implemented proper security measures.

Most importantly, they now get an annual independent IT risk audit. It costs them £750 a year for our Audit + Action Plan package, which Sarah describes as "the best value insurance policy we've ever bought."

"We used to think of IT spending as a necessary evil," she explains. "Now we see it as risk management. That £750 audit gives us confidence that we're not sitting on hidden vulnerabilities. And when we do need to spend money on IT, we can justify it properly to governors because we've got independent evidence of the risk."

Two years on, the school hasn't had another incident. Staff are more security-aware. Systems are more resilient. And Sarah sleeps better at night.


Taking Action

If you're reading this and realising your own risk register might have a glaring IT gap, don't panic. But do take action.

Start by downloading our free IT risk register template. It'll walk you through the key areas you need to consider and help you identify where you might be vulnerable.

Then, have an honest conversation with your IT support—whether that's internal staff or an external provider. Ask them the difficult questions:

  • When did we last test our backup restores?

  • How quickly could we recover if our main systems failed?

  • What would happen if we were hit by ransomware?

  • Are all our systems fully patched and updated?

  • When did staff last have cybersecurity training?

If you're not confident in the answers, or if you'd like an independent perspective, consider getting a professional IT risk audit.

Our Basic Audit (£495) will give you a comprehensive assessment of your current position. The Audit + Action Plan (£750) adds a prioritised roadmap for addressing any issues we find. And if you want us to help implement the fixes, our full package provides hands-on support tailored to your needs.

We're also offering 10% off for organisations that commit to annual audits over three years—because IT risk management isn't a one-off exercise, it's an ongoing process.


The Bottom Line

Technology underpins almost everything modern schools and businesses do. If you wouldn't dream of leaving buildings, finance, or health and safety off your risk register, why would you leave out IT?


The question isn't whether you can afford to do an IT risk assessment. It's whether you can afford not to.


Sarah Mitchell learned that lesson the hard way. You don't have to.

Download our free IT risk register template or get in touch to discuss an independent audit.
