Case Study: When “Having Backups” Wasn’t Enough
In the early hours of the morning, the IT team at a UK education organisation were alerted to system failures across their network. At first, it appeared to be a hardware issue. Systems were ageing, and failures weren’t unheard of.
By mid‑morning, most services were restored. Then everything stopped again.
Further investigation revealed that attackers had already been inside the network. Critical servers had been encrypted, and a ransom note left behind. More worrying still, identity systems were unavailable, and with them, access to primary backups.
The organisation had backups. They simply couldn’t reach them.
Administrative credentials were stored digitally. The password manager was encrypted. Backup servers were protected, but protected by the same systems that had already been compromised.
Only one offline, isolated copy remained accessible. Without it, the organisation would have faced a choice no school wants to make: pay a ransom, or lose access to essential systems.
In the weeks that followed, forensic investigations revealed how quietly the attackers had moved. Standard endpoint protection had not detected the early stages of the attack. Activity below the operating system level went unseen until it was too late.
What changed
Following the incident, the organisation reassessed what cyber resilience really meant. They realised it wasn’t enough to have security in place, have backups configured, or meet minimum requirements.
They needed the ability to detect suspicious behaviour early, contain threats automatically and recover systems quickly, even if identity services were unavailable.
This shift mirrors the direction of the DfE’s Cyber Security Standards today: from ownership of tools to assurance of outcomes.
What Can You Do?
This scenario is exactly why Schools Broadband has introduced Endpoint Detection and Response (EDR). EDR helps schools:
- Detect suspicious behaviour that traditional tools miss
- Automatically contain threats before they escalate
- Recover systems quickly, even when core services are unavailable
Combined with our cloud‑hosted security platform, it supports schools in meeting both the letter and the intent of the DfE standards.

