
3 ways we’re boosting our schools’ cybersecurity

If big firms are falling foul of hackers, it’s clear trusts and schools need to think carefully about the risk they face too, says this IT director
19th September 2025, 6:00am


When Jaguar Land Rover and Marks & Spencer made headlines for cyberattacks, it raised an uncomfortable question: if global companies with dedicated IT departments can be paralysed, what chance do schools have?

Our pupils may not hold trade secrets, but we carry sensitive safeguarding data and personal details, and we rely on IT systems for the smooth running of the school. A serious breach would disrupt education in a way no leader wants to imagine.

Recent research in The State of School Cybersecurity confirms that this isn’t just theory. Fewer than half of schools have a cyber incident response plan, and only a small minority have a designated cyber lead. In short, the risks are real, and the sector is underprepared.

Over the past year, we’ve taken deliberate steps to strengthen our defences as a trust. Here are three things that have made the most significant difference.

1. Knowing what we’ve actually got

You can’t protect what you don’t know about. After an internal audit, we discovered that schools in the trust were using a patchwork of devices, cloud tools and third-party apps, many of which hadn’t been logged centrally.

We now ask technical teams to review the inventory at least once a year and have implemented a standard naming convention for all devices across the trust.

This enables us to identify devices by school and device type, and to check that they have the correct applications installed. We are building out a software inventory so that we can confirm applications are still within support and have had data protection impact assessments (DPIAs).

That sounds dull, but it means we can keep track of updates, spot unsupported systems and hold suppliers to account. It also helps leaders see the scale of what we’re protecting.

When ransomware gangs hit big organisations, it’s often because an old, forgotten system provided the entry point. We don’t want to be caught out the same way.

2. Training everyone, not just IT

A single well-placed phishing email can undo the best technical defences. That’s why we decided staff training had to go beyond an annual tick-box exercise.

We are currently reviewing phishing simulation products to enable us to support staff in identifying suspicious emails and responding to them. The use of AI by malicious actors means that staff need to be ever more vigilant and active in spotting fake emails and not clicking on links.

The tone is practical, not scary, and aims to build habits. Just as safeguarding is everybody’s responsibility, cybersecurity works best when everyone knows their part.

3. Planning for ‘when’, not ‘if’

Finally, we’ve accepted that no system is bulletproof. The question isn’t if something will go wrong, but when.

With that in mind, we are investing time in creating school and trust-wide incident plans that not only deal with phishing attacks but also consider events such as the impact of a supply chain attack.

The next step will be doing desktop exercises to role-play how IT staff and senior leaders would respond in the event of an attack. We expect to discover problems we had not envisaged, and know we must refine these plans once tested.

The result will not be a perfect plan, but a living one. Staff will know their roles, governors and trustees will understand the risks, and we will be more confident that we can keep education running even in the worst case.

None of this makes us invincible - but we are no longer blind to the risks, and we are and will be far better prepared than we were a year ago.

Cybersecurity in schools doesn’t need to be about fear or jargon. It’s about ensuring that learning can continue. By knowing our systems, training our people and planning for disruption, we’ve given ourselves the best chance of keeping pupils’ education safe, whatever the headlines throw at us next.

James Garnett is interim director of IT at Astrea Academy Trust
