Budget pressures are "likely" to have left schools more vulnerable to a major cyber-attack, according to a senior figure representing school business managers.
The warning from Stephen Morales, chief executive officer of the National Association of School Business Management, follows this week's global cyber-attack, which brought chaos to parts of the NHS but left schools unscathed.
He said: "Across the country some schools are ready to defend themselves from future attacks, but it is a mixed picture. Local authority maintained schools should be supported through LEA contracts, but many will have chosen to go their own way and the quality and robustness of IT support will vary enormously. Academies will bear full responsibility, and again some will be better prepared than others.
“School business professionals need to be prepared for cyber-attacks and to have clear checks and reviews, as well as processes in place if an attack happens. However, the pressure on school budgets means that it is likely there will be less, rather than more, capacity to ensure schools are prepared and protected from attack.”
Meanwhile, an IT expert has warned that schools have escaped the recent cyber-attack through pure "luck" and must ensure their software is up to date and that staff are sufficiently trained.
Toks Oladuti, who works in an independent girls’ schools trust in London, stressed the importance of schools taking precautions.
Mr Oladuti consulted and managed IT in the corporate world before going into education, and said it was “luck” that schools up and down the country had not been targeted this time round.
The director of information systems said: “There is no reason why in the future there wouldn’t be a targeted attack on a large number of schools. And the likelihood is that some will click on a [risky] link.”
In his schools, he said, there is up-to-date patching, anti-malware software and robust backups – but the latest scam only requires an end user to click on a link in a malicious email to fall victim.
Mr Oladuti said: “Good systems and staff training are both as important as each other. You can have all the systems in place but the gatekeeper is the end user.
“If people are busy then they have a tendency to click on something without thinking. I mitigate this as much as possible through regular training and reminders.”
According to Mr Oladuti, schools need to employ someone who can ensure the infrastructure is up to date, and must have a plan – and appropriately skilled staff – in case an attack occurs.
Mr Oladuti added: “You are never ever going to be protected 100 per cent – it’s about minimising the risk.”
Risk of cyberattack
The Department for Education is not aware of any schools in the UK affected by the WannaCry ransomware attack, which hit one in five NHS Trusts on Friday, but some schools in China were hit.
A DfE spokesperson told Tes that it is up to schools to manage their own IT security.
Earlier this year, Action Fraud – the UK’s national reporting centre for fraud and cybercrime – warned that fraudsters were posing as the "Department for Education" to trick schools into installing ransomware that encrypted files on victims’ computers.
David Evans, director of community and policy at the BCS, the chartered institute for IT, said: "Sadly, ransomware attacks are not new, but the attack last Friday was unusual in forcing public sector organisations to close services.
"This kind of attack can certainly affect schools, and the indiscriminate nature of these attacks puts everyone at risk. Across the education sector, there will be organisations on top of good practice, and there will be ones that struggle.
"Our aim is to ensure that every organisation has access to the right skills and a cadre of professionals they can rely upon to know they are safe. We have a long way to go."
He added: "The threats, and consequent good practice in cybersecurity, are evolving rapidly, and people need to know they are dealing with someone who is responsible enough to stay on top of good practice."