the educator mag Jan 26 - Flipbook - Page 42
Cybercriminals
aren’t waiting,
and neither
should we
Paul Alberry, CEO Secure Schools
When we started collecting data for
The State of School Cybersecurity
report, one thing became clear: too
many schools still don’t have the
basics in place to protect themselves.
The results are sobering. Only half of
schools stated having a password policy,
fewer than one in six stated having a
designated cybersecurity lead, and less
than 40 per cent have a cyber incident
response plan.
While multi-factor authentication (MFA) is
one of the simplest protections against
account compromise, fewer than onequarter of schools enable it on all
supported cloud services.
As a parent and someone who works
with schools daily, this alarms me.
Behind every statistic is a classroom, and
children whose learning and digital safety
could be disrupted if systems are breached.
It’s not just an abstract risk, it’s the threat of
cancelled lessons, inaccessible homework
portals, and lost trust from families who
expect their children’s data to be
safeguarded.
A breach can cancel lessons, leak sensitive
safeguarding data, and cost schools millions
in recovery. We’ve seen ransomware lock
staff out of files mid-GCSE season, and
countless schools forced to close due to
severe IT outages. The emotional toll
on staff who feel responsible, and the
disruption to pupils preparing for exams,
is immense.
Yet many leaders still see cybersecurity as
an ‘IT issue’. It isn’t. It’s a leadership issue.
The Department for Education expects
academy trusts to assign a senior leader
responsible for cybersecurity and advises all
schools to do the same. It’s not hard to see
why. Only leaders have the authority
to make it a whole-school priority, properly
resource it, shape culture to support it,
and ensure governors ask the right
questions. Leadership sets the tone —
when headteachers talk about cyber
resilience alongside attendance and
safeguarding, the message lands across
the organisation.
The good news is you don’t need to fix
everything at once. Cyber resilience builds
step by step. Here are three high-impact
actions every school can take:
Be ready for real threats before
they happen
A cyber incident response plan is only
worth the paper it’s written on if you
practise it. Imagine the network goes down
on Monday morning, who do you call?
How do you communicate? What gets
prioritised?
With only 38 per cent stating they have
a dedicated response plan, most schools
don’t have these answers.
Taking simple steps, like running a tabletop
exercise to build confidence with your
leadership team. Find the gaps before
attackers do.
Patch and scan your systems
regularly
Leaving software unpatched is like leaving
a broken lock on your front door. Critical
updates should be installed within 14 days,
and vulnerability scans should be
conducted termly.
You don’t need to be perfect, just proactive
enough that an attacker will move on to an
easier target.
Put cyber on the agenda
If safeguarding is a standing item at
governors’ meetings, why not
cybersecurity?
Only 15 per cent of schools state having a
designated cybersecurity lead, and just 10
per cent say senior leadership and
governors regularly discuss it.
Appoint a named senior lead, train them,
and make cybersecurity part of your
governance cycle. When leadership shows it
matters, staff follow suit.
I don’t share these findings to spread alarm;
quite the opposite. Our message is that
every improvement matters. Each new
policy, update or staff conversation builds
another layer of defence.
Think of it like classroom behaviour:
consistency matters. If staff know the rules
and leadership reinforces them, the culture
shifts. Cybersecurity works the same way.
The threats are real, but so is the progress
schools can make. Half of schools suspend
accounts promptly when staff leave. Many
are running regular scans. The building
blocks are there.
Now, the challenge is to move from
piecemeal action to whole-school
resilience. That takes leadership.
Cybersecurity isn’t someone else’s job. It’s
everyone’s. Leaders, governors and staff
alike. Because what’s really at stake isn’t
data or devices. It’s learning. It’s children.
If schools can take one lesson from this
year’s report, it’s that resilience is built
decision by decision. Start today. Make MFA
the norm. Test your plan. Put cyber on the
agenda.
The attackers aren’t waiting, and neither
should we.
