Cyber mythbusters: Why schools can’t afford to ignore cyber risk

Last month, hackers targeted the Kido nursery chain, stealing names, addresses, photos, and safeguarding notes of around 8,000 children. The criminals even contacted some parents directly as part of their extortion tactics. Experts have called it ‘an absolute new low’ in cyber-crime, proof that no organisation is off-limits, not even those caring for the youngest in society.

Beyond the operational disruption, attacks like this can have a devastating emotional impact on families. Parents are left anxious about their children’s safety, privacy, and wellbeing, while staff face the stress of managing fallout and rebuilding trust. For schools and nurseries, the loss is far more personal than just the financial.

And when organisations lack cyber insurance, or don’t have sufficient cover in place, the burden of recovery falls entirely on them, making an already difficult situation even harder to manage.

Jaguar Land Rover, for example, suffered a major cyber-attack that halted production and caused weeks of disruption. With no cyber insurance in place, the company is facing losses expected to exceed £3.5 billion in revenue and £1.3 billion in gross profits.

The Co-op also faced a damaging attack, leading to empty shelves, payment issues, and leaked customer data. Despite having insurance in place, it wasn’t enough. This has resulted in over £200 million in lost revenue and £120 million in profit damage.

These stories aren’t intended to create fear; they’re reminders that cyber threats are real, and that having the right support in place can make a world of difference. Schools, like most organisations, rely on technology and hold extremely sensitive information. That’s why it’s worth taking a moment to think about your own protection, and what you can do to make sure your school’s community is adequately supported to prevent these incidents from happening, and protected if the worst does happen.

So, what’s stopping schools from putting cyber insurance on the agenda? Let’s look at some of the most common myths, and the facts behind them:

Myth 1: We don’t need cyber insurance. We invest in IT security.
It’s great to have strong IT systems, but even the best defences can be bypassed, often by simple human error. Over 70% of cyber claims are caused by simply clicking on a phishing link or losing a laptop.

Cyber insurance isn’t just a safety net for when things go wrong; it’s also a proactive resource. As part of a broader insurance package, schools gain access to expert guidance and specialist tools designed to help prevent cyber incidents before they happen. This includes deep web monitoring, risk assessments, simulated cyber-attacks to uncover system vulnerabilities, cyber awareness training for staff, and more. These preventive measures not only strengthen a school’s cyber resilience but also reduce the likelihood of needing to rely on the financial support that insurance provides.

Myth 2: We outsource IT or use the cloud, so we’re not at risk.
Outsourcing IT doesn’t remove your responsibility. If your provider is hacked, you’re still the one who has to issue the notifications and manage the consequences. Many IT contracts don’t cover all the costs of a cyber-attack, but cyber insurance can help fill those gaps and provide access to specialist support.

Myth 3: We’re a school, not a business.
Schools may not be businesses, but they hold valuable data and rely on technology every day. Their primary responsibility is to educate, not to manage cybersecurity threats. Yet cyber criminals know how much sensitive information schools hold, and they exploit the fact that many struggle to keep up with the latest security measures. That’s what makes schools a frequent target.

Whilst a school’s primary responsibility is to educate, they are still a business and face the same exposures as any other organisation accessing the internet and operating digitally. In fact, schools have far greater exposures than many organisations due to the sensitive data they hold, the young people within their care, and the wider families they support. 

Myth 4: We’re too small to be targeted.
Most cyber-attacks on smaller organisations don’t make the news, but they happen all the time. In fact, schools and small businesses are often seen as easier targets. If your school uses popular software, you could be at risk if hackers find a weakness.

Myth 5: Cyber insurance is too expensive.
Cyber insurance is more accessible than many people think. For smaller schools, cover can start from as little as £900 – you’d only have to answer a few simple questions, with no need to complete lengthy application forms.

Myth 6: We have cover with the RPA, so we’re fine.
The Risk Protection Arrangement (RPA) offers some cyber cover, but it’s limited. For example, single schools are only covered up to a maximum of £250,000, and where a school is part of a group network with other RPA members, the maximum aggregated liability is £750,000. There’s no cover for extortion costs or cybercrime, and it includes limited business interruption cover. The RPA is a good start, but it may not be enough if your school faces a serious attack.

This was echoed by Rachel Izzard, the Co-op’s CEO, after their own cyber incident. She told Reuters that the full-year impact would reach £120 million “inclusive of any (insurance) recovery.” She acknowledged the group’s cover was limited:

“We had the front-end elements of cyber insurance in place in terms of the immediate response capabilities in the technology space for third parties, but we don’t believe we will be claiming on insurance for back-end losses.”

In other words, even with some insurance in place, the Co-op found that their policy didn’t cover the full scale of the disruption and financial loss. For schools, this is a reminder to check what your cover includes, and whether it’s enough for the risks your establishment could be exposed to.

Final thought: If even the biggest organisations can be caught out, it’s worth taking a moment to review your cybersecurity strategy. Cyber insurance isn’t just for large businesses; it’s for any organisation that uses computers, stores data, or connects to the internet. And without it, or without sufficient cover, you could be left to manage the consequences alone.
