By Catherine Loake, Director of Business Services
Cyber security is a growing concern for all sectors, but schools and colleges are now among the most vulnerable. According to the GOV.UK report “Cyber Security Breaches Survey 2025”, schools – particularly secondary schools – are more likely than businesses overall to experience cyber breaches. In the schools participating in the survey, 60% of secondary schools and 44% of primary schools experienced a cyber-attack last year, compared with 43% of businesses overall. This is despite schools reporting a higher level of engagement in cyber security amongst leaders (98% in primary schools and 95% in secondary schools) than businesses overall (63% in medium-sized businesses).
While cyber security is increasingly on the leadership agenda, vulnerabilities remain in schools. The fact is that schools hold highly sensitive information, and their IT systems tend to be older, while few schools have cyber expertise in-house. Moreover, schools are a critical service, meaning there is a real urgency around getting the technology systems, on which we are now so reliant, up and running again. The external threats schools face from both domestic and overseas criminal gangs operating like franchises, targeting schools through remote learning platforms and supply-chain vulnerabilities, are well publicised. However, there is a significant internal threat too. Since 2022 the ICO has investigated 215 cyber-attack-related breaches in education settings. 57% of these attacks involved students accessing staff systems by guessing or stealing passwords.
While cyber security is a growing priority for schools, it is evident that many simply don’t have the money to invest in state-of-the-art, brand-new equipment and networks. However, there is plenty that can be done to improve cyber security in schools, starting with building a cyber-security culture.
School leaders can do this through:
Auditing where you are – using the DfE Cyber Security Standards as a framework for action
Putting an action plan in place – and reviewing progress against it as a standing agenda item in governor meetings
Ensuring clear policies – on account access, password management and privilege control
Implementing strong security practices – like multifactor authentication
Investing in staff training – to raise awareness and build confidence
Conducting regular risk assessments – and penetration testing
Engaging with trusted IT partners – to review and strengthen defences
Schools are increasingly sharing their concerns with us about cyber security. We have therefore developed a menu of cyber-security options to provide a range of support and assurance to schools, settings and trusts to ensure that they are meeting the DfE Cyber Security Standards, together with hosted services to ensure active management of cyber security.
If you’d like to discuss your requirements and find out more, email support@hfleducation.org