The Educator Magazine U.K. May-August 2026 issue. - Magazine - Page 68
Cybercriminals
aren’t waiting,
and neither
should we
Paul Alberry, CEO Secure Schools
When we started collecting data for
The State of School Cybersecurity report,
one thing became clear: too many
schools still don’t have the basics in
place to protect themselves.
The results are sobering. Only half of
schools stated having a password policy,
fewer than one in six stated having a
designated cybersecurity lead, and less
than 40 per cent have a cyber incident
response plan.
While multi-factor authentication
(MFA) is one of the simplest protections
against account compromise, fewer than
one-quarter of schools enable it on all
supported cloud services.
As a parent and someone who works
with schools daily, this alarms me. Behind
every statistic is a classroom, and children
whose learning and digital safety could
be disrupted if systems are breached. It’s
not just an abstract risk, it’s the threat of
cancelled lessons, inaccessible homework portals, and lost trust from families
who expect their children’s data to be
safeguarded.
A breach can cancel lessons, leak sensitive
safeguarding data, and cost schools
millions in recovery. We’ve seen
ransomware lock staff out of files
mid-GCSE season, and countless schools
forced to close due to severe IT outages. The emotional toll on staff who feel
responsible, and the disruption to pupils
preparing for exams, is immense.
Yet many leaders still see cybersecurity
as an ‘IT issue’. It isn’t. It’s a leadership
issue. The Department for Education
expects academy trusts to assign a senior
leader responsible for cybersecurity and
advises all schools to do the same. It’s not
hard to see why. Only leaders have the
authority to make it a whole-school
priority, properly resource it, shape
culture to
support it, and ensure governors ask the
right questions. Leadership sets the tone
— when headteachers talk about cyber
resilience alongside attendance and
safeguarding, the message lands across
the organisation.
The good news is you don’t need to
fix everything at once. Cyber resilience
builds step by step. Here are three
high-impact actions every school can
take:
Be ready for real threats before they
happen
A cyber incident response plan is only
worth the paper it’s written on if you
practise it. Imagine the network goes
down on Monday morning, who do you
call? How do you communicate? What
gets prioritised?
With only 38 per cent stating they have
a dedicated response plan, most schools
don’t have these answers.
Taking simple steps, like running a
tabletop exercise to build confidence
with your leadership team. Find the gaps
before attackers do.
Patch and scan your systems regularly
Leaving software unpatched is like
leaving a broken lock on your front door.
Critical updates should be installed within
14 days, and vulnerability scans should be
conducted termly.
You don’t need to be perfect, just
proactive enough that an attacker will
move on to an easier target.
Put cyber on the agenda
If safeguarding is a standing item at
governors’ meetings, why not
cybersecurity?
Only 15 per cent of schools state having
a designated cybersecurity lead, and just
10 per cent say senior leadership and
governors regularly discuss it.
Appoint a named senior lead, train them,
and make cybersecurity part of your
governance cycle. When leadership
shows it matters, staff follow suit.
I don’t share these findings to spread
alarm; quite the opposite. Our message
is that every improvement matters.
Each new policy, update or staff
conversation builds another layer of
defence.
Think of it like classroom behaviour:
consistency matters. If staff know the
rules and leadership reinforces them, the
culture shifts. Cybersecurity works the
same way.
The threats are real, but so is the
progress schools can make. Half of
schools suspend accounts promptly
when staff leave. Many are running
regular scans. The building blocks are
there.
Now, the challenge is to move from
piecemeal action to whole-school
resilience. That takes leadership.
Cybersecurity isn’t someone else’s job. It’s
everyone’s. Leaders, governors and staff
alike. Because what’s really at stake isn’t
data or devices. It’s learning. It’s children.
If schools can take one lesson from this
year’s report, it’s that resilience is built
decision by decision. Start today.
Make MFA the norm. Test your plan.
Put cyber on the agenda.
The attackers aren’t waiting, and neither
should we.
