Cybersecurity awareness for governors

Why cybersecurity matters to school boards

Lead Socio-Technical Auditor and School Governor Paul Armstrong outlines the role of school governors in the cybersecurity of their schools. The Secure Schools School Board Awareness Training expands on this blog, explaining the threats schools face and practical steps to improve resilience. 

 

Paul led an event outlining the elements discussed here; a recording is available at the end of the blog.

 

An ongoing threat

Schools remain prime targets for malicious activity in an era of increasingly sophisticated cyber threats. School boards are uniquely positioned to influence the cybersecurity posture of their institutions. While IT teams and administrators handle day-to-day operations, the responsibility for governance, strategy, and resource allocation lies with the board.

 

Cybercriminals target schools because they hold vast amounts of sensitive information, including staff, children, and families' personal data, financial records, and safeguarding details. In addition, schools are perceived as vulnerable due to limited budgets, varying levels of digital expertise and well-meaning staff.

 

Government expectations

The Department for Education's cyber security standards outline the minimum expectation of all schools in England. Recently updated, they provide advice and guidance to schools and colleges and support school boards to understand school cybersecurity and the questions to ask the senior and IT teams.

 

Read the standards here

 

Impacts of a cyber-attack

A successful attack can be devastating for a school and take months to recover from fully. 

  • Financial losses
    Recovery costs from cyber-attacks are substantial and rising annually. Costs to schools aren't documented, but in 2024 the average cost to a medium-sized business was over £10,000, and schools are much more complicated organisations that use many more devices and systems.

  • Operational disruption
    Cyber-attacks can impact whole school operations, block access to digital systems and their critical data, lead to school closures, and jeopardise student safety.

  • Reputational damage
    A cyber-attack can significantly diminish parents' and the community's confidence in a school's ability to protect its students.

What responsibilities does the school board have?

School boards aren’t expected to be cybersecurity experts but must hold school leadership accountable. This is done by understanding the cybersecurity expectations placed on schools and the key questions to ask.

 

  1. Understand the threats
    Recognise why schools are targeted and the potential consequences of cyber incidents.

  2. Identify vulnerabilities
    Understand the common weaknesses cybercriminals exploit in schools.

  3. Oversee risk assessments
    Gain the skills to assess and review cyber risks, ensuring they are adequately managed and recorded.

  4. Implement best practices
    Develop and formalise robust cybersecurity policies and foster a culture of vigilance among staff and students.

  5. Prepare for incidents
    Understand how best to prepare for and recover from a cyber incident, as well as the reporting requirements and legislation.

Key questions to ask

As school board members, it is essential to be actively involved in cybersecurity oversight, ensuring adequate resources are allocated and policies are implemented effectively. Asking the right questions is key.

 

Here is a selection of questions from our school board training, developed from the DfE cyber security standards.

 

1. Understanding your school or trust

This is essential for making informed decisions, planning for the future, and ensuring that the IT infrastructure effectively supports the school.

 

Questions you could ask

  • What are the most significant cybersecurity risks facing our school or group, and how are they being assessed and managed?
  • Has an independent cybersecurity risk assessment been carried out?
  • Does the school maintain a record of the various organisations that supply its IT services?

2. Awareness

Fostering a culture of cybersecurity awareness and understanding is crucial for creating a resilient defence against evolving cyber threats. It requires ongoing education and training to ensure that everyone is equipped to play their part in safeguarding the school's digital environment.

 

Questions you could ask

  • How is cybersecurity awareness being promoted among staff and students?
  • What training is provided to staff and students on common cybersecurity threats?

3. Preparedness

Being ready for the potential impact of a cybersecurity incident is essential in helping schools minimise disruption if one occurs, and is an expectation of the cyber security standards.

 

Questions you could ask

  • What is our incident response plan in the event of a cybersecurity breach?
  • How often do we conduct drills to ensure everyone knows their role in an incident?

A new standard for cybersecurity governance


We’re calling on school boards to take the lead in safeguarding their schools and creating an environment where students, staff, and parents can thrive.

 

Let’s secure our schools and the future together.

 


 

🎬 Secure Schools Cybersecurity event

 

Paul Armstrong delivered this webinar on our free cybersecurity community.

 

Watch the recording to learn:

➡️ The cybersecurity responsibilities placed on governing bodies
➡️ The cybersecurity requirements placed on schools
➡️ The questions to ask school and group leaders
➡️ The questions to ask IT support teams
➡️ The need for a strong cybersecurity culture

 

Click the image to watch the recording and access the presentation slides.

 


 

 

About the Secure Schools Cybersecurity Community

 

At Secure Schools, we aim to make cybersecurity accessible to as many schools as possible. One way we are doing this is through our cybersecurity community.

 

Join to:

 

📅 Sign up for free webinars and events

 

💬 Ask questions of our cybersecurity experts

 

💕 Share experiences with other community members

 

🆓 Download free resources to help your cyber resilience

 

🆕 Hear about our latest product and service releases

 

Click the image to join

 


 

 


 

About the Secure Schools School Board Awareness Training

Our School Board Awareness Training ensures school governors are knowledgeable, compliant, and ready to implement the latest DfE standards in less than 20 minutes.

 

Find out more about the training