When we started collecting data for The State of School Cybersecurity report which is published today, one thing became clear: too many schools still don’t have the basics in place to protect themselves.
The results are sobering. Only half of schools stated having a password policy, fewer than one in six stated having a designated cybersecurity lead, and less than 40 per cent have a cyber incident response plan.
While multi-factor authentication (MFA) is one of the simplest protections against account compromise, fewer than one-quarter of schools enable it on all supported cloud services.
As a parent and someone who works with schools daily, this alarms me. Behind every statistic is a classroom, and children whose learning and digital safety could be disrupted if systems are breached.
And as the Intradev breach reported in these pages this week demonstrates, it’s not just pupils who can be adversely affected but staff too, and schools themselves.
A breach can cancel lessons, leak sensitive safeguarding data, and cost schools millions in recovery. We’ve seen ransomware lock staff out of files mid-GCSE season, and countless schools forced to close due to severe IT outages.
Yet many leaders still see cybersecurity as an ‘IT issue’. It isn’t. It’s a leadership issue. The Department for Education expects academy trusts to assign a senior leader responsible for cybersecurity and advises all schools to do the same.
It’s not hard to see why. Only leaders have the authority to make it a whole-school priority, properly resource it, shape culture to support it, and ensure governors ask the right questions.
The good news is you don’t need to fix everything at once. Cyber resilience builds step by step. Here are three high-impact actions every school can take:
Prepare and test your cyber ‘fire drill’
A cyber incident response plan is only worth the paper it’s written on if you practise it. Imagine the network goes down on Monday morning, who do you call? How do you communicate? What gets prioritised?
With only 38 per cent stating they have a dedicated response plan, most schools don’t have these answers.
Run a tabletop exercise to build confidence with your leadership team. Find the gaps before attackers do.
Patch and scan your systems regularly
Leaving software unpatched is like leaving a broken lock on your front door. Critical updates should be installed within 14 days, and vulnerability scans should be conducted termly.
You don’t need to be perfect, just proactive enough that an attacker will move on to an easier target.
Put cyber on the agenda
If safeguarding is a standing item at governors’ meetings, why not cybersecurity?
Only 15 per cent of schools state having a designated cybersecurity lead, and just 10 per cent say senior leadership and governors regularly discuss it.
Appoint a named senior lead, train them, and make cybersecurity part of your governance cycle. When leadership shows it matters, staff follow suit.
I don’t share these findings to spread alarm; quite the opposite. Our message is that every improvement matters. Each new policy, update or staff conversation builds another layer of defence.
Think of it like classroom behaviour: consistency matters. If staff know the rules and leadership reinforces them, the culture shifts. Cybersecurity works the same way.
The threats are real, but so is the progress schools can make. Half of schools suspend accounts promptly when staff leave; that’s simple but powerful. Many are running regular scans. The building blocks are there.
Now, the challenge is to move from piecemeal action to whole-school resilience. That takes leadership.
Cybersecurity isn’t someone else’s job. It’s everyone’s. Leaders, governors and staff alike. Because what’s really at stake isn’t data or devices. It’s learning. It’s children.
If schools can take one lesson from this year’s report, it’s that resilience is built decision by decision. Start today. Make MFA the norm. Test your plan. Put cyber on the agenda.
The attackers aren’t waiting, and neither should we.
Read The State of School Cybersecurity report in full here
Your thoughts