
24 November 2025 | Digital, innovation and technology

Cybersecurity is a Governance issue

Paul Alberry, CEO Secure Schools

When we began analysing data for The State of School Cybersecurity 2025 report, one finding stood out: despite growing awareness, too many schools still lack the foundational governance and policy structures to manage cyber risk effectively.

The figures speak for themselves. Only half of schools reported having a password policy. Fewer than one in six have a designated cybersecurity lead, less than 40 per cent hold a cyber incident response plan, and only a quarter enable multi-factor authentication (MFA) across all their supported cloud services.

Each represents a real risk to learners, teachers, and communities. A single breach can disrupt teaching, expose sensitive safeguarding data, and cost millions in recovery. We’ve seen ransomware attacks lock staff out of vital systems during GCSE season and schools forced to close their doors due to IT outages. The disruption to learning and the loss of trust are immense.

Making cybersecurity a ‘whole school’ responsibility

Cybersecurity is too often viewed as an “IT problem.” It is not. It is a matter of governance, leadership, and accountability. The Department for Education now expects academy trusts to appoint a senior leader responsible for cybersecurity, and advises all schools to do the same.

This reflects a wider truth in schools, that only leaders have the authority to make cybersecurity a whole-school priority, allocate appropriate resources, and embed it into the school’s culture and governance cycle.

When headteachers and governors discuss cyber resilience in the same breath as attendance, finance, and safeguarding, it sends a powerful message that protecting learning and data is part of the school’s core duty of care.

Embedding Cyber Resilience Through Policy

Cybersecurity policies are instruments of governance. They define accountability, shape culture, and provide a framework for consistent practice.
Yet too few schools have policies that address the cyber risks they face daily. Our research found that less than 30% of schools reported having policies that cover cybersecurity fundamentals.

Three Actions for School Leaders and Governors

Progress doesn’t require perfection; it just requires leadership. Here are three high-impact governance actions every school can take today:

1. Be ready before a breach occurs

A cyber incident response plan is only useful if it’s practised.

With fewer than 40 per cent of schools holding one, this remains a major gap. Leaders should allow for plans to be rehearsed through tabletop exercises so that roles, communication channels, and decision-making processes are clear long before an incident occurs.

2. Regularly review risk and resilience

Cybersecurity should form part of your regular governance cycle. Governors should expect updates on vulnerabilities, patch management, and training. As with safeguarding, the key is oversight, asking the right questions and monitoring progress over time.

3. Appoint and empower a cybersecurity lead

Only 15 per cent of schools have a designated cybersecurity lead. Assigning a senior leader or governor to this role signals commitment and ensures accountability. Back this up with training and clear reporting mechanisms to ensure issues are escalated and addressed.

Building a Culture of Resilience

Like behaviour management or safeguarding, cybersecurity is built through consistency. When staff understand the expectations and leaders reinforce them, the culture shifts. Each small improvement, a new policy, a tested plan, an informed conversation, adds another layer of defence.

Schools are already making progress. Half now suspend accounts promptly when staff leave, and many are conducting regular vulnerability scans. The building blocks are there. The next step is joining them into a coherent, whole-school strategy, one led from the top.

The Leadership Imperative

Cybersecurity is not the responsibility of a single IT technician or external provider. It is a shared responsibility, embedded through governance, policy, and culture. The stakes are not just data or devices; they are the continuity of learning and the wellbeing of children.

As this year’s State of School Cybersecurity report makes clear, resilience is built decision by decision. Make MFA the norm. Test your plan. Put cyber on the agenda.

Read The State of School Cybersecurity report in full here

Explore the Secure Schools Policy Builder to strengthen your school’s governance and resilience framework
