How to build a strong cybersecurity culture in your school

in
Phishing email

This is the second blog in our cybersecurity series from Lloyd Passingham, Arbor’s Senior DevSecOps Engineer. Before joining Arbor, Lloyd served in the military, bringing a unique perspective to his work in security. Passionate about safeguarding information and empowering others, Lloyd is dedicated to protecting Arbor’s data and fostering a strong culture of security both within the organisation and beyond.

Cybersecurity is no longer just an IT issue; it’s essential for safeguarding students and keeping schools running smoothly. In fact, the 2024 Government Cyber Survey revealed that 71% of secondary schools and 52% of primary schools identified a breach or attack within the last year, considerably higher than the average UK business (50%) or charity (32%). With threats like ransomware, extortion, and insider breaches on the rise, schools must take a proactive approach to security.

In this document

Why is cybersecurity so critical for schools right now?

Our reliance on digital learning tools and the vast amounts of sensitive data schools hold make them increasingly attractive targets for cybercriminals. The potential disruption to learning, exposure of student and staff information, and significant financial and legal repercussions underscore the urgent need for robust cybersecurity measures.
The impact isn’t just financial; it disrupts education and raises serious safeguarding concerns.

In this post, I’d like to share my experience of how I strengthened the security culture at Arbor and offer some ideas you can implement within your school to help protect students.

Cybersecurity, child safeguarding, and the growing threat landscape

Over the years, I’ve seen first hand how schools are increasingly targeted by cybercriminals. Educational institutions store vast amounts of sensitive data – student records, financial information, and staff details – yet often have limited cybersecurity resources, making them attractive targets.  When an attack hits, it disrupts learning, exposes sensitive data, and can have serious legal and financial repercussions.  Here are some of the key threats schools face today (scroll through by dragging with your mouse):

Ransomware

Attackers use malicious software to encrypt school systems and demand a ransom for their release. These attacks can cripple administrative operations, delay teaching, and force schools into costly recoveries whether they pay the ransom or not. ( Watch GovernorHub’s interview with The Harris Foundation Trust’s CEO Sir Dan Moynihan. “The whole thing cost us three quarters of a million pounds.”) Some more recent examples show the devastating impact: Blacon High School in Chester faced temporary closure in January 2025, Charles Darwin School in London sent 1,300 students home in September 2024, and the Fylde Coast Academy Trust saw all ten of its schools affected, leading to ransom demands.

Extortion

Cybercriminals don’t always just lock data; sometimes, they threaten to leak sensitive student or staff information unless their demands are met. The exposure of sensitive data can have lasting consequences for individuals and severely damage a school’s reputation.

Fraud

Attackers impersonate trusted figures such as school leaders, governors, Ofsted inspectors, or suppliers to trick schools into transferring money or sharing login credentials. Phishing emails – the most common attack vector reported by 92% of primary and 89% of secondary schools – can lead to unauthorised access, payroll fraud, or even fake invoice payments. Wembley Multi-Academy Trust tragically lost almost £400,000 through such a scam targeting a supplier’s email.

Denial of Service (Dos) Attacks

By overwhelming a school’s network with traffic, attackers can knock key systems offline for hours or days. These attacks disrupt both day-to-day operations and long-term planning. Arbor MIS monitors and mitigates against denial of service attacks and has seen a growing trend in the frequency and severity of denial of service attacks targeting individual schools.

Insider threats

Not all threats come from outside. A well-meaning staff member clicking on a malicious link, leaving a computer unlocked or keeping passwords on a sticky note can open the door to attackers. Meanwhile, disgruntled employees or students with access to internal systems may misuse their privileges, either for financial gain or out of frustration.

Cybersecurity attacks schools

What measures should you put in place?

By putting robust cybersecurity measures in place and building a strong culture of cyber security safety, we can protect critical assets like student data and essential systems. Here’s what I recommend:

  • Adopt a secure, cloud-based MIS

A modern, cloud-based Management Information System offers significant security advantages beyond just off-site storage. Solutions like Arbor are designed with security in mind, benefiting from:

  • Automatic security updates
  • End-to-End encryption
  • Built-in compliance and access control features
  • Disaster Recovery
  • Regular security training

Make sure both staff and students know how to spot potential threats and how to respond. Training should be ongoing and cover identifying phishing emails, strong password practices, multi-factor authentication, malware risks, social engineering, and secure data handling. Make it engaging and relevant to your context; examples from your school go a long way to making it ‘real’. Consider running simulated phishing exercises – research shows repeated simulations can decrease susceptibility and positive reporting indicates increased awareness.

  • Implement strict access controls

Limit who can access sensitive information using Arbor’s role-based access permissions and implement strong network security like firewalls. Follow the principle of least privilege, granting users only the minimum level of access required to perform their job duties.

  • Keep software up to date

Software updates are essential for system security as they often patch vulnerabilities. Software vendors like Arbor can handle much of this for you but it’s important to consider the software and devices that you have running in your school like desktop PCs and smart classroom tech.

Building a security culture at your school

In my experience, a strong security culture isn’t built on policies or technology alone – it’s about people. A truly secure school starts with an open, whole-school approach, where cybersecurity isn’t just the IT team’s responsibility. Leadership buy-in is fundamental; when MAT leaders, governors and headteachers champion security, it sets the tone. Staff, students, and even guardians all play a role.

The key to making this work is an open and inclusive culture. When people feel comfortable talking about cybersecurity, reporting concerns, and asking questions, security stops being a hidden problem and becomes part of the school’s everyday thinking. Fear of blame often discourages reporting, but silence makes things worse. A security issue ignored today can turn into a crisis tomorrow.

That’s why at Arbor I focus on empowering people, not just enforcing rules. Recognising and celebrating good security behaviour makes a difference; every small act of vigilance counts. We introduced a phishing report leaderboard, turning cybersecurity awareness into something positive and visible for the whole company. Instead of making security feel like an obligation, it becomes something people engage with.

But awareness alone isn’t enough. Security needs to be practical and relatable. Regular training helps, but it can feel disconnected from reality. 

We have found it demonstrably more effective making security personal. When starting discussions of threats, I ask people to think like an attacker:

“If you wanted to break into your school, how would you do it?” 

This shift in perspective makes security real. It encourages people to recognise risks in their own environment rather than treating cybersecurity as an abstract concept.

Security threats don’t go home when the bell rings. Poor personal security habits, such as password reuse or neglecting multi-factor authentication, can inadvertently introduce risks. You can reframe security guidance as not merely a technical defense, but a tangible resource that empowers staff to understand and implement security measures that keep them safe.I like to think of security awareness as an employee benefit. By following best practices, staff can protect their personal assets like banking and email security, too.

Continuous improvement

The final piece I want to talk about is continuous improvement. Security isn’t a box to check once a year to pass an audit but an ongoing, whole-team commitment.

Cyber threats evolve, so must we. Strong feedback loops allow us to monitor how quickly we can detect and respond to incidents, reflect on what’s working (or what isn’t), and adapt accordingly. 

“The price of freedom is eternal vigilance.” – Thomas Jefferson

Activity recommendations for students, staff and parents

I’ve collected a handful of resources you might find useful for running lessons, workshops or engagement sessions at various levels in your school to get your people thinking about security and their role within your security culture:

KS1

Smartie the Penguin – an engaging storytelling collection of six stories exploring life online for 3-7 year olds. Teaching children the foundations of security culture behaviour, notably speaking up if something doesn’t seem right and seeking help from a trusted adult; you might incorporate these stories as a whole class exercise during circle time. The song can be a real earworm!

KS2

NCSC CyberSprinters – Award-winning gamified online security resources for 7-11 year olds. These resources include a game that can be played on mobile, tablet or desktop. Mini-games focus on essential topics such as identifying phishing emails, creating strong and memorable passwords, and understanding the importance of regularly updating their devices. Personally I am a fan of the practitioner-led exercises – in particular lesson 2 “Protecting your devices”. The security mapping exercise has 105 combinations allowing plenty of room for novel and open discussions as well as opportunities to correct misconceptions.

KS3

Another excellent resource from the NCSC is their CyberFirst Navigators series. Highlighting to students common cyber scams and malicious activity that they might come across online. Many students this age may have their own personal mobile devices and begin exploring the internet on their own. Communicating with friends and others online presents new risks where protections like strong passwords, multi-factor authentication and general Cyber Hygiene are vital to staying safe. You might look to incorporate authentication lessons such as choosing a strong password during new year intakes where students are first set up on your school’s IT systems.

Parents & Guardians

Providing parents and guardians with a clear and easy way to report security concerns or suggestions is essential; this could be a dedicated email inbox or submission form. Additionally, internetmatters.org Parental Controls Guides give guardians quick access to simple guides on how to implement parental controls on a huge number of different platforms. From Roblox and Fortnite to WiFi routers and mobile devices.

Staff

Organise a staff workshop where you collaborate and “think like an attacker” to identify security vulnerabilities. Divide staff into small teams and assign each team a specific area of focus, such as email, MIS, or IT networks. Have each team mind map potential threats or ways to exploit vulnerabilities within their assigned area. For example, a team focusing on email might consider a phishing attack scenario, while a team focusing on MIS might consider unauthorised student access. After identifying potential threats, have each group discuss and develop preventative measures, and then share their ideas with the group. Identify 2-3 actionable steps that can be taken in the short term to address some of the vulnerabilities and give updates on the progress to address them, ensuring continuous improvement.

Leaders

Put your security culture to the test and run a tabletop exercise from NCSC’s Exercise in-a-box. These are valuable and immersive ways to find out how well protected (or not) your organisation is and identify opportunities to improve your response to disasters before it becomes a reality. There’s plenty of choices and they range from micro-exercises that take a few minutes to an afternoon’s investment to see how you would handle a ransomware attack. These exercises provide practical scenarios for leadership teams to evaluate and refine their security strategies.

Tracking success of your school’s cybersecurity measures

A good cybersecurity culture is measurable and the results of measuring the attitudes and behaviours of the people in your culture will enable you to make informed decisions and take the right actions to improve your security posture. If you are concerned that your security culture isn’t good right now – don’t be. By measuring the current state you can establish your baseline to measure improvement and then report it back to staff (which in-turn motivates them to do better).
Some easy metrics you can start gathering:

  • Number of phishing emails reported
  • Number of security incidents reported
  • Patch management compliance %
  • Security training completion rates

Notice how I have focused on metrics that demonstrate positive behaviour – if you are seen to value the absence of problems then staff are encouraged to keep quiet to keep the metrics looking good. Consider how you can formulate your security metrics in terms of success.

Key takeaways

  • Cybersecurity is critical for safeguarding students and school operations, with UK schools being prime targets
  • Understanding specific threats (ransomware, phishing, fraud) is crucial
  • Building a strong, open cybersecurity culture involving everyone – led from the top – is essential
  • Proactive measures like regular, engaging training (for staff and students) and investing in secure systems (like cloud-based MIS) are vital
  • Cybersecurity is a shared, ongoing responsibility requiring continuous improvement and measurement

If you’re looking to boost your school’s cyber resilience, I’d urge you to check out the latest guidance for schools from the National Cyber Security Centre (NCSC). They offer a wealth of tailored resources, including specific advice for governors and trustees, staff training packages, technical guidance for IT teams, and even resources for engaging students.

Final ask

Don’t wait for a cyber incident to happen to your school. Take the first step today by having an open conversation with your team about your current security posture and how you can collectively strengthen your school’s defenses.

Also, turn on multi-factor authentication!

Keep up with the rest of our cybersecurity series here

How Arbor keeps your data backed up

Read more

How to spot a phishing attack at your school

Read more

How Arbor keeps your data safe

Read more

What to do if your school gets a ransomware attack

Read more

You might also like:

Discover more from Arbor

Subscribe now to keep reading and get access to the full archive.

Continue reading

Privacy Overview
Arbor

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Essential Cookies

Essential Cookies should be enabled at all times so that we can save your preferences for cookie settings.

If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.

Non-Essential Cookies

This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.

Keeping this cookie enabled helps us to improve our website.

Powered by  GDPR Cookie Compliance