If you’re new here, The Data Drop is our regular blog series where we share insights from our data warehouse, which holds data from over 9,000 schools.

And it won’t come as a shock that the DfE has confirmed that the phonics threshold for 2025 is 32.

–

Overall phonics average

The 2024/25 phonics results show that 81% of students met the expected standard, representing a slight increase from 80.9% in 2023/24. This continues the upward trend we’ve observed since 2021/22, when 76.2% of students achieved the expected standard.

These results are based on data from 180,182 Year 1 students across 4,938 primary schools in the Arbor community, representing a substantial sample of the national picture.

–

Phonics results: Boys vs Girls

The gender gap in phonics performance remains significant in 2024/25. Girls continue to outperform boys, with 84.7% of girls meeting the expected standard compared to 77.5% of boys. This represents a gap of 7.2 percentage points.

Whilst both groups have shown improvement over the four-year period, the gap has remained relatively consistent. In 2021/22, girls achieved 79.2% compared to boys at 73.2% (a 6.0 percentage point gap).

–

Phonics results: Disadvantaged vs not disadvantaged

The attainment gap between disadvantaged and non-disadvantaged pupils remains substantial. In 2024/25, 68.1% of disadvantaged pupils met the expected standard, whilst 85.1% of non-disadvantaged pupils achieved this level.

Notably, the results for disadvantaged pupils showed a slight decrease from 68.7% in 2023/24, whilst non-disadvantaged pupils maintained their upward trajectory from 84.8% to 85.1%.

Phonics results: SEN students

Students with Special Educational Needs (SEN) continue to face significant challenges in phonics achievement. In 2024/25, 47.7% of SEN students met the expected standard, compared to 88.8% of students without SEN.

This represents a gap of 41.1 percentage points. SEN students showed minimal improvement from 47.6% in 2023/24, whilst non-SEN students continued their upward trend from 88.1% to 88.8%.

–

Phonics results: Ethnicity breakdown

The 2024/25 results reveal significant variation in phonics achievement across different ethnic groups:

Top 5  performing groups:

• Asian – Chinese: 90.6%
• Mixed – White and Asian: 86.6%
• Asian – Indian: 85.7%
• White – Any other White background: 83.3%
• Mixed – Any other Mixed background: 83.3%

Below national average:

• White – Irish: 79.7%
• Mixed – White and Black Caribbean: 78.0%
• Any other ethnic group: 77.6%
• Black – Black African: 78.6%
• Black – Any other Black background: 76.2%
• Black – Black Caribbean: 75.2%

Significantly below average:

• White – Gypsy/Roma: 45.6%
• White – Traveller of Irish heritage: 27.3%

The results highlight persistent achievement gaps, with students from Gypsy/Roma and Traveller backgrounds facing particular challenges in phonics attainment.

–

Methodology

We take our insights from Arbor’s Data Warehouse, powered by Snowflake, which contains the anonymised data of schools in the Arbor community. As of today there are 9,355 English schools using Arbor, supporting over 3.3 million students. This data set represents 38.4% of the 24,453 schools in England. Arbor national averages track closely to DfE national averages.

This results analysis was correct as of 24th June 2025 at 2 pm.

The post The Data Drop: National phonics results 2025  appeared first on Arbor.

The Arbor School Management suite brings together best-in-class, specialist tools to support operations across your whole school or trust, and streamline the most time-consuming tasks and processes your staff face today. 

–

What’s new in School  MIS

Report Library

We’ve created a brand new home for all your Arbor reports – the Report Library. Now you can find any type of report from just one place, and search for your reports by type, date, and more. Plus, build new reports quickly and easily with the Template Library. Learn more.

Auto Absence

Auto Absence saves you at least one hour every morning by giving you a ready-made list of everyone who’s not in school and why. Every voicemail is written up into Arbor for you – all you need to do is review and approve. Learn more.

Communications inbox and outbox

To make it easier to keep on top of and manage your communications, you now have a separate inbox and outbox. See which messages have been read, and filter your comms by date range, message type, or sender to find exactly what you’re looking for. Learn more.

Staff Allowances in the Custom Report Writer

We’ve added a new Staff Allowances report to help school leaders report on employment costs more holistically. This more detailed view of staff allowance payments helps to inform more strategic financial planning. Learn more.

New BI Connector data sets:

• Physical Interventions – now you can build out a full behaviour reporting suite in your BI tool.
• Behaviour Incident Actions – allows you to link the Incident to a follow-up action and get an accurate view of what happens after an Incident is reported
• Suspension Benchmarks – we’ve added three new benchmarks on numbers of students with multiple suspensions to identify students who would most benefit from interventions
• Suspensions Across Group – Same data as we released recently in MAT MIS, this will be great for tracking students who move around schools a lot for behaviour management
• Suspensions Summary – Neat set of statistics covering some key metrics summarised by school
• 31 Attainment Benchmarks for primary schools, including EYFS Benchmarks, KS1 Above and At Expected standard for Maths, Reading and Writing Combined, and KS2 Proportion achieving expected standard in each topic

–

What’s new in MAT MIS

Updates to the Ofsted Inspections table

Following your feedback that some Ofsted reports were linked to a school’s previous URN (for example, before it was academised), we’ve added two new columns to the Ofsted Inspections table in MAT MIS – URN at Last Inspection and Inspection URN Match. The new fields make it clearer whether an inspection relates to the current or previous URN, so you can interpret Ofsted data with the right context. Learn more.

–

What’s live in Arbor Labs

Arbor Labs is the home for beta releases in Arbor. Test and influence our latest innovative features before anyone else. 

Current live Arbor Labs include:

Suggest Text

Ask Arbor 

Ask Arbor – Student App

Suggest Cover

Create Custom Report

Create intervention

Suggest formula

Student Dashboard

Venn Diagram Analysis

BI Viewer

Make sure to visit the Arbor Labs page in Arbor Labs to join a beta today. Learn more here.

To keep up-to-date with all our latest releases visit our Change Log or to see what we are working on next visit our Product Roadmap.

The post What’s new in May appeared first on Arbor.

Couldn’t make the event and want to know what ArborFest is all about? We’ve put together a small roundup of the day, stage by stage below. If you were able to join us, remember to keep sharing your insights and photos from the event using #ArborFest.

The Main Stage

James and Sonia opened the day on The Main Stage, which was followed by an inspiring talk on leadership and collaboration by Diana Osagie, a showcase of our 2025 Product Vision, and a panel of Arbor users and Alex Jones (Ofsted) sharing how schools can get Ofsted-ready with Arbor.

The final talk of the day was from our keynote speaker, Baroness Mary Bousted, Chair of the Teaching Commission. Mary shared exclusive insights into the work of the Commission and highlighted its strongest recommendations to transform teachers’ working lives, in the context of the recruitment and retention crisis.

We finished up the day with our hotly contested Customer Awards, celebrating the customers who collaborate with us and challenge us to make Arbor even better.

The Innovation Stage

Over on The Innovation Stage, Arbor customers shared their insights and top tips on how school and trust leaders can both get started and make a measurable impact with AI. This was followed by a panel of data leaders (including Andrew Proctor, AWS) discussing which questions organisations should be asking of their data.

We finished the day on the Innovation Stage with ‘A data geek’s guide to improving attendance’, in which three Arbor schools and trusts shared their data analysis insights which have surfaced the hidden reasons for absenteeism.

–

The MAT Stage

Our MAT Stage was back by popular demand, opening with a panel on how exactly trusts can operationalise a merger.

Our second panel of the day featured three MAT leaders and Arbor users asking the question: what should a MAT of the future look like, which led to discussion around belonging, inclusivity and flexible working.

We closed the day with members of both the Arbor and SAMpeople community sharing how, why and when to join up your MIS and HR at trust-level, and how the joining up of systems has supported in the delivery of their overall trust strategy.

The Show and Tell Stage

Introducing, The Show and Tell Stage!

We designed this stage to bring to life on-the-ground insights from school leaders, and to open discussion around how to get the best out of the Arbor Suite.

It was standing room only for the first talk of the day, where school and trust leaders shared the ‘wow’ moments and advice which had made an immediate impact in their first 12 months of using Arbor.

Next up, the SAMpeople Team gave a show and tell demo of SAMpeople, for trust leaders and schools who are thinking about investing in HRIS.

And to finish off the day, we had an exciting hands-on session, led by Bex Campbell, in which ArborFest attendees got together in groups to pitch and vote for the next feature to be built in Arbor! The feature in the winning pitch has been added to our roadmap.

Roundtables, Arbor Labs Live and more!

The best bit about ArborFest is getting hundreds of school and MAT leaders together in one place, in-person. We had sessions running throughout the day to bring together these leaders to share best practice, see new features and collaborate with the Arbor Team! This year, as well as our Roundtables, we introduced Arbor Labs Live!

If you can’t tell, we’re already very excited for next year. Click here to see even more photos.

The post What you missed at ArborFest 2025 appeared first on Arbor.

Copy Custom Report Card Setup

Instead of setting up Custom Report Cards from scratch each time, you can now copy an existing Custom Report Card setup in just a few clicks, including its formatting and the linked Custom Report (if one is attached) with the new Copy Report Card button.

New BI Connector Datasets:

• We’ve added 3 new fields to Suspensions to support the distinction between school defined sessions/days lost or calculated sessions lost. 
• The new Hydrated Exam Results view contains exam results plus discount codes, points values and rankings for EBacc calculations for better exam data analysis
• New Companies and URN datasets 

–

What’s new in MAT MIS

Suspension Statistics Tables in MAT MIS

We’ve added a brand new set of tables to help you monitor and track suspensions across your schools, directly from your MAT MIS. Head to Analytics > Behaviour to see the headline suspension stats at-a-glance for each school and student, plus week by week trends and student suspensions across groups. Learn more.

–

What’s live in Arbor Labs

Arbor Labs is the home for beta releases in Arbor. Test and influence our latest innovative features before anyone else. 

Current live Arbor Labs include:

Report Library – NEW

Suggest Text

Ask Arbor 

Ask Arbor – Student App

Suggest Cover

Create Custom Report

Auto Absence

Create intervention

Suggest formula

Student Dashboard

Venn Diagram Analysis

BI Viewer

Make sure to visit the Arbor Labs page in Arbor Labs to join a beta today. Learn more here.

To keep up-to-date with all our latest releases visit our Change Log or to see what we are working on next visit our Product Roadmap.

The post What’s new in April? appeared first on Arbor.

If you haven’t had time to dig into the details, here’s what we understand is happening:

• You can complete Census on SIMS7 until Spring 2026 — but not after
• SIMS Next Gen is a brand new MIS – with new workflows and a new interface to learn
• Next Gen is not yet complete — many features won’t be built until 2026

So for the first time, there’s no question that schools on SIMS will need to start using a new MIS. And at Arbor, we believe this is a really exciting opportunity to make that change count.

More than half of English schools have made the switch to an alternative MIS – with more choosing Arbor than all other systems combined. With Arbor, on average schools save: 

• Up to 2 hours every week for busy office teams, as Arbor is so easy and intuitive to use
• Over an hour and a half for Headteachers, as Arbor brings together the data you need, and the tools to act on it in real-time
• £5,000 per year on average by replacing separate systems for things like comms, payments, and parent portal/app

And for four years in a row, Arbor’s MIS has been voted the most-loved by schools.

This Summer, we’re running dedicated demo sessions to help demystify the changes for schools on SIMS and show you what life looks like with Arbor MIS – with some of our customers there to answer your questions. Sign up below to see Arbor in action, or reach out if you’d prefer a one-to-one conversation.

• Register for a Life with Arbor demo
• Book a call with us

Thanks for taking the time to read this – I hope it helps in your decision-making, and I look forward to speaking with many of you soon!

James

James Weatherill, CEO at Arbor

The post The end of SIMS7 Census: What you need to know appeared first on Arbor.

Today’s blog is from Mark Wilson, CEO and Accounting Officer at Wellspring Academy Trust, which is made up of 29 academies.

Mark shares the ten things he would do as Education Secretary.

1. Abolish Ofsted

Ofsted drives perverse negative outputs at all levels throughout education and acts as a brake on innovation everywhere. That we’ve still got failing schools thirty-three years after it was formed proves precisely what an expensive, reactive and downstream institution it is. Get rid of it. That won’t happen, of course, because middle class parents want the reassurance that their children go to ‘nice’ schools. Abolition would come with a price that no politician is willing to pay.  

A number of the other things that I would change were I Education Secretary would come as a consequence of dismantling Ofsted. So, what would those other policies be?

–

2. If I couldn’t abolish Ofsted, I would move its focus upstream and away from the schools. 

Every school belongs to a strategic authority – Trust or Local Authority.  They’re the places we should be looking if we were serious about school effectiveness.  

• Does that authority have the capacity to support its schools?  
• Does it have a plan?  
• Is it doing its duty with regard to maintaining vital public infrastructure via investment in buildings and facilities?

Shifting the focus away from schools and placing it instead on those responsible for them would place accountability where it actually belongs and would give schools themselves the room to breathe.

–

3. I would streamline inspection down to ten-person teams per government region (saving around £130m per year)

These teams would be tasked with working alongside the regional intelligence networks to identify those schools most in trouble to quickly intervene, rather than relying on an antiquated system in which we might be waiting five years or more to find out, and thus failing an entire generation of children and young people.

–

4. Fix the £11.6bn gap between funding and the infrastructure needs of our schools

Over 1 million students in England are today learning in buildings that are neither weather-proof nor safe. We hear time and again that government should provide more money when we know that central government has no money. This is not an intractable problem. Schools have focused all of their resource on the front-line because that’s where they have felt the measure of accountability. As Education Secretary, I would redraw that line.

I would make schools (and their strategic authorities) partners with government, partners with the national mission. I would be clear that the quantum of resource they received was inclusive of their responsibility to national infrastructure – that means the maintenance and good management of their buildings and estates. That includes their contributions to the generation of clean energy, that includes their own investment in carbon reduction, effective water management and waste reduction. That includes improving their environmental credentials and use of their estates to support biodiversity and greening.

–

5. Require all strategic authorities to publish a 10 year plan that made explicit their commitments, intentions, intentional planning and resourcing.

This would ensure an adequate and ongoing employee pipeline, continuous workforce development programmes, school improvement strategies, leadership training programmes and environmental enhancement commitments. Where these plans were insubstantial, ineffective or not delivered on, I would use my intervention powers to transfer schools in question into other strategic authorities who were able to demonstrate a track record of turning plans into solid actions.

–

6. Intervene with those bad actors in the system who cynically game it

Those who operate selective schools via the back door, those schools who wash their hands of students because they do not bend to an every-narrowed interpretation of conformity, those schools who routinely signpost students towards Elective Home Education or who take less than their equal share of students with additional needs or who manipulate their cohorts in myriad other ways in order to score well in League Tables or whatever version of such is in place at the time. 2010-2024 were the halcyon days of cynical manipulation of a system by a minority of bad actors to the detriment of all bar them. The sooner we look upon that era as a period of shame for our nation, the better.

–

7. Reinstate the National College for School Leadership and make graduation from it a mandatory requirement for Headteachers

The programme would focus explicitly and very heavily on the upstream components of leadership that are fundamental to downstream outcomes.  They are: workforce pipeline, workforce development, the overall workforce proposition, infrastructure building, maintenance and management, sound financial planning, long-term thinking, planning and strategising.  

This is how we improve the lot of our schools everywhere and at once, in all places and serving all demographics: by understanding that there are holistic and structural interventions that we can make that will make things better.  Everywhere.

–

8. Offer the freedom to innovate

Not the kind of innovation which creates so many stable doors that the horses are even more constrained than they would be in standard stables. I mean freedom to innovate such as radical transformation of the notion of the school year in Special and Alternative schools. Why not 52 week per year schools that allow families to take their holidays when they choose, that allow school staff to take holidays when they choose or have enhanced freedom and flexibility to further their training and qualifications? Freedom to innovate with the curriculum to free our schools from only the narrow and restrictive diet of courses and qualifications that score well as far as Ofsted is concerned. Freedom to innovate in a way that allows schools to incline closer towards the wants and needs of the communities and areas in which they serve rather than a once-size-fits-nobody narrowed school pathway that offers the binary prospect of university or fail?

–

9. Require the authorities responsible for schools to publish their plans for increasing the bandwidth in their mainstream.

That means maintaining more children/ young people comfortably within mainstream settings and communities. That may mean enhanced training, focused resourcing, revised systems and policies, re-visioned facilities, environments and access. I understand that that means a move away from measuring schools JUST by the bluntest of instrument outcomes measure. I am certain that a far more nuanced series of measures to understand effectiveness offers much better prospects and value-for-money to the tax payer, to parents in general, to children and young people, to the workforce in schools and to the country at large.

–

10. Make clear that our schools are the vanguard of the nation’s renaissance

I would issue the rallying call to arms and be clear that our mission is to be the best in the world in terms of children’s and young people’s experience in school and their preparedness for taking their place in our society as responsible, capable, resourceful and discerning adults.  I would be clear that experiencing play, the outdoors, learning the importance of co-operation, collaboration and partnership, understanding with deep insight the dilemmas that they are faced with in their daily lives through emerging technologies, technological change, social medias and other are necessary, legitimate and crucial components of any curriculum alongside the basics of English and Maths. I would be explicit that our problem solvers, innovators, negotiators and fixers of the future require rich and ongoing opportunities to experiment, fail and try again, to explore, be creative, flex their imagination muscles and to become comfortable in environments that are beyond their current comfort zone. 

As Education Secretary, I would be clear that the entire world is our resource, that it offers us a wealth of learning opportunities about what is best in class, what is impacting and making the transformational difference elsewhere, what is delivering enhanced life chances and a citizenry more prepared for the future than are our young people right now. I would be encouraging us to go out into the world and to confidently explore those rich questions.

–

11. Then, I would do the next ten things. 

Alas, they may be for another day….

The post Ten things I would do if I were Education Secretary appeared first on Arbor.

And we are proud to be the UK’s most-loved MIS for the third year running

Showing our 100% commitment to transforming the way schools work for the better

See the survey results of over 1,000 UK schools on what they think about their MIS

More of a words person? You can read what our customers have to say about us here. 

Follow us on X/Twitter and LinkedIn for more insights and weekly customer testimonials. 

–

Sources include: NPS survey, MIS survey carried out and published by The Key and Finnemore Consulting

The post Arbor by numbers appeared first on Arbor.

This is the third blog in our cybersecurity series from Lloyd Passingham, Arbor’s Senior DevSecOps Engineer. Before joining Arbor, Lloyd served in the military, bringing a unique perspective to his work in security. Passionate about safeguarding information and empowering others, Lloyd is dedicated to protecting Arbor’s data and fostering a strong culture of security both within the organisation and beyond.

Running a school throws enough curveballs; worrying about whether your MIS data is safely backed up shouldn’t be one of them. Your MIS holds the vital information at the operational core of your school. Let me lift the bonnet and show you how Arbor ensures your school’s information is safe, secure, and ready to be recovered if needed.

–

Encrypted: In-transit and at-rest

Just like we use modern TLS 1.3 encryption to secure your data in-transit to Arbor, we also protect it when it’s stored. All your school’s information rests securely within our virtual private cloud, encrypted using industry standard AES-256 encryption. Our comprehensive approach to data security and backups is independently audited to meet the ISO 27001:2022 standard.

–

Multiple layers of protection

We believe in a “belt and braces” approach. Relying on a single backup method isn’t enough, so we employ multiple, overlapping strategies to ensure your data is protected from different angles as well as aligning with the DfE and NCSC recommended 3-2-1 backup approach:

• Daily Snapshots: Imagine taking a photograph of your database every 24 hours. That’s essentially what our daily snapshots do. They provide a complete picture, allowing for a quick rollback to a recent state. While effective, the worst-case scenario could mean losing up to 24 hours of work – if we only relied on this method – which is why, unlike other MIS providers, we don’t stop here!
  
• Continuous Point-in-Time Recovery (PITR): This is where things get really clever. Alongside snapshots, we continuously stream backups, logging changes as they happen. This powerful system allows us to restore your Arbor MIS not just to a specific day, but to any specific second within the last 30 days. Accidentally overwritten the year’s timetable five minutes ago? With PITR, it’s highly likely we can wind the clock back and retrieve it precisely.
  
• File Versioning: What about all those important documents, reports, and policies you upload? We’ve got that covered too. Arbor automatically keeps previous versions of your uploaded files. If a file gets accidentally overwritten or deleted, you can breathe easy knowing we can restore an earlier version.
  
• Comprehensive Audit Logs: While not strictly a backup it’s worth talking about our database audit logs. Turning back time to revert a change, even just a few hours, could still be disruptive if you have to re-do your work. Have a chat with our support team who may be able to surgically undo some changes without needing to rollback your whole MIS.

–

Location, location, location

Having backups is great, but what if something happens to the place they’re stored? We’ve planned for that. All your backups are securely copied to three separate, geographically isolated data centres across the UK. This means they are physically distant from each other, safeguarding them against localised issues like fires, floods, or major power outages. Even if a significant incident impacts one location (which is extremely unlikely), your data remains secure and accessible from the other two.

–

Built to last

Once backups are created we’ve layered protections to make sure they stay safe and secure. Backups are stored using a tamper-proof Write-Once-Read-Many (WORM) format. This clever technology means that once a backup is written, it cannot be altered or deleted (until its planned expiry) protecting against accidental changes and malicious tampering.

Backups are stored in an environment that is logically separate from the live Arbor service. This is a vital defence against threats like ransomware, ensuring that even if the live system were compromised, the backups remain unaffected and available for recovery.

–

Tried and tested

A backup plan is only useful if you know it works. That’s why regularly testing our restore procedures is a standard part of our operations. We don’t just hope it works; we actively practice recovering data to ensure that if the worst happens, we can restore your service quickly, efficiently, and correctly.

–

Always on

You have a school to run; you shouldn’t need to worry about triggering backups. Our entire backup process is fully automated. Furthermore, we have sophisticated monitoring tools constantly watching over these systems. If any issue arises – whether it’s a hiccup in creating a backup or a problem during a test restore – our dedicated engineers are alerted immediately, ready to investigate and resolve it.

Behind the scenes, our DevOps team refines and tests our backup and recovery strategies. They ensure our approach not only meets today’s best practices but is also ready for tomorrow’s challenges. This all adds up to a robust system designed to give you confidence that your school’s data is safe, secure, and recoverable, letting you focus on your school.

The post How Arbor keeps your data backed up appeared first on Arbor.

This is the second blog in our cybersecurity series from Lloyd Passingham, Arbor’s Senior DevSecOps Engineer. Before joining Arbor, Lloyd served in the military, bringing a unique perspective to his work in security. Passionate about safeguarding information and empowering others, Lloyd is dedicated to protecting Arbor’s data and fostering a strong culture of security both within the organisation and beyond.

Cybersecurity is no longer just an IT issue; it’s essential for safeguarding students and keeping schools running smoothly. In fact, the 2024 Government Cyber Survey revealed that 71% of secondary schools and 52% of primary schools identified a breach or attack within the last year, considerably higher than the average UK business (50%) or charity (32%). With threats like ransomware, extortion, and insider breaches on the rise, schools must take a proactive approach to security.

In this document

Why is cybersecurity so critical for schools right now?

Our reliance on digital learning tools and the vast amounts of sensitive data schools hold make them increasingly attractive targets for cybercriminals. The potential disruption to learning, exposure of student and staff information, and significant financial and legal repercussions underscore the urgent need for robust cybersecurity measures.
The impact isn’t just financial; it disrupts education and raises serious safeguarding concerns.

In this post, I’d like to share my experience of how I strengthened the security culture at Arbor and offer some ideas you can implement within your school to help protect students.

Cybersecurity, child safeguarding, and the growing threat landscape

Over the years, I’ve seen first hand how schools are increasingly targeted by cybercriminals. Educational institutions store vast amounts of sensitive data – student records, financial information, and staff details – yet often have limited cybersecurity resources, making them attractive targets.  When an attack hits, it disrupts learning, exposes sensitive data, and can have serious legal and financial repercussions.  Here are some of the key threats schools face today (scroll through by dragging with your mouse):

Ransomware

Attackers use malicious software to encrypt school systems and demand a ransom for their release. These attacks can cripple administrative operations, delay teaching, and force schools into costly recoveries whether they pay the ransom or not. ( Watch GovernorHub’s interview with The Harris Foundation Trust’s CEO Sir Dan Moynihan. “The whole thing cost us three quarters of a million pounds.”) Some more recent examples show the devastating impact: Blacon High School in Chester faced temporary closure in January 2025, Charles Darwin School in London sent 1,300 students home in September 2024, and the Fylde Coast Academy Trust saw all ten of its schools affected, leading to ransom demands.

Extortion

Cybercriminals don’t always just lock data; sometimes, they threaten to leak sensitive student or staff information unless their demands are met. The exposure of sensitive data can have lasting consequences for individuals and severely damage a school’s reputation.

Fraud

Attackers impersonate trusted figures such as school leaders, governors, Ofsted inspectors, or suppliers to trick schools into transferring money or sharing login credentials. Phishing emails – the most common attack vector reported by 92% of primary and 89% of secondary schools – can lead to unauthorised access, payroll fraud, or even fake invoice payments. Wembley Multi-Academy Trust tragically lost almost £400,000 through such a scam targeting a supplier’s email.

Denial of Service (Dos) Attacks

By overwhelming a school’s network with traffic, attackers can knock key systems offline for hours or days. These attacks disrupt both day-to-day operations and long-term planning. Arbor MIS monitors and mitigates against denial of service attacks and has seen a growing trend in the frequency and severity of denial of service attacks targeting individual schools.

Insider threats

Not all threats come from outside. A well-meaning staff member clicking on a malicious link, leaving a computer unlocked or keeping passwords on a sticky note can open the door to attackers. Meanwhile, disgruntled employees or students with access to internal systems may misuse their privileges, either for financial gain or out of frustration.

What measures should you put in place?

By putting robust cybersecurity measures in place and building a strong culture of cyber security safety, we can protect critical assets like student data and essential systems. Here’s what I recommend:

• Adopt a secure, cloud-based MIS

A modern, cloud-based Management Information System offers significant security advantages beyond just off-site storage. Solutions like Arbor are designed with security in mind, benefiting from:

• Automatic security updates
• End-to-End encryption
• Built-in compliance and access control features
• Disaster Recovery

• Regular security training

Make sure both staff and students know how to spot potential threats and how to respond. Training should be ongoing and cover identifying phishing emails, strong password practices, multi-factor authentication, malware risks, social engineering, and secure data handling. Make it engaging and relevant to your context; examples from your school go a long way to making it ‘real’. Consider running simulated phishing exercises – research shows repeated simulations can decrease susceptibility and positive reporting indicates increased awareness.

• Implement strict access controls

Limit who can access sensitive information using Arbor’s role-based access permissions and implement strong network security like firewalls. Follow the principle of least privilege, granting users only the minimum level of access required to perform their job duties.

• Keep software up to date

Software updates are essential for system security as they often patch vulnerabilities. Software vendors like Arbor can handle much of this for you but it’s important to consider the software and devices that you have running in your school like desktop PCs and smart classroom tech.

Building a security culture at your school

In my experience, a strong security culture isn’t built on policies or technology alone – it’s about people. A truly secure school starts with an open, whole-school approach, where cybersecurity isn’t just the IT team’s responsibility. Leadership buy-in is fundamental; when MAT leaders, governors and headteachers champion security, it sets the tone. Staff, students, and even guardians all play a role.

The key to making this work is an open and inclusive culture. When people feel comfortable talking about cybersecurity, reporting concerns, and asking questions, security stops being a hidden problem and becomes part of the school’s everyday thinking. Fear of blame often discourages reporting, but silence makes things worse. A security issue ignored today can turn into a crisis tomorrow.

That’s why at Arbor I focus on empowering people, not just enforcing rules. Recognising and celebrating good security behaviour makes a difference; every small act of vigilance counts. We introduced a phishing report leaderboard, turning cybersecurity awareness into something positive and visible for the whole company. Instead of making security feel like an obligation, it becomes something people engage with.

But awareness alone isn’t enough. Security needs to be practical and relatable. Regular training helps, but it can feel disconnected from reality. 

We have found it demonstrably more effective making security personal. When starting discussions of threats, I ask people to think like an attacker:

“If you wanted to break into your school, how would you do it?” 

This shift in perspective makes security real. It encourages people to recognise risks in their own environment rather than treating cybersecurity as an abstract concept.

Security threats don’t go home when the bell rings. Poor personal security habits, such as password reuse or neglecting multi-factor authentication, can inadvertently introduce risks. You can reframe security guidance as not merely a technical defense, but a tangible resource that empowers staff to understand and implement security measures that keep them safe.I like to think of security awareness as an employee benefit. By following best practices, staff can protect their personal assets like banking and email security, too.

Continuous improvement

The final piece I want to talk about is continuous improvement. Security isn’t a box to check once a year to pass an audit but an ongoing, whole-team commitment.

Cyber threats evolve, so must we. Strong feedback loops allow us to monitor how quickly we can detect and respond to incidents, reflect on what’s working (or what isn’t), and adapt accordingly. 

“The price of freedom is eternal vigilance.” – Thomas Jefferson

Activity recommendations for students, staff and parents

I’ve collected a handful of resources you might find useful for running lessons, workshops or engagement sessions at various levels in your school to get your people thinking about security and their role within your security culture:

KS1

Smartie the Penguin – an engaging storytelling collection of six stories exploring life online for 3-7 year olds. Teaching children the foundations of security culture behaviour, notably speaking up if something doesn’t seem right and seeking help from a trusted adult; you might incorporate these stories as a whole class exercise during circle time. The song can be a real earworm!

KS2

NCSC CyberSprinters – Award-winning gamified online security resources for 7-11 year olds. These resources include a game that can be played on mobile, tablet or desktop. Mini-games focus on essential topics such as identifying phishing emails, creating strong and memorable passwords, and understanding the importance of regularly updating their devices. Personally I am a fan of the practitioner-led exercises – in particular lesson 2 “Protecting your devices”. The security mapping exercise has 105 combinations allowing plenty of room for novel and open discussions as well as opportunities to correct misconceptions.

KS3

Another excellent resource from the NCSC is their CyberFirst Navigators series. Highlighting to students common cyber scams and malicious activity that they might come across online. Many students this age may have their own personal mobile devices and begin exploring the internet on their own. Communicating with friends and others online presents new risks where protections like strong passwords, multi-factor authentication and general Cyber Hygiene are vital to staying safe. You might look to incorporate authentication lessons such as choosing a strong password during new year intakes where students are first set up on your school’s IT systems.

Parents & Guardians

Providing parents and guardians with a clear and easy way to report security concerns or suggestions is essential; this could be a dedicated email inbox or submission form. Additionally, internetmatters.org Parental Controls Guides give guardians quick access to simple guides on how to implement parental controls on a huge number of different platforms. From Roblox and Fortnite to WiFi routers and mobile devices.

Staff

Organise a staff workshop where you collaborate and “think like an attacker” to identify security vulnerabilities. Divide staff into small teams and assign each team a specific area of focus, such as email, MIS, or IT networks. Have each team mind map potential threats or ways to exploit vulnerabilities within their assigned area. For example, a team focusing on email might consider a phishing attack scenario, while a team focusing on MIS might consider unauthorised student access. After identifying potential threats, have each group discuss and develop preventative measures, and then share their ideas with the group. Identify 2-3 actionable steps that can be taken in the short term to address some of the vulnerabilities and give updates on the progress to address them, ensuring continuous improvement.

Leaders

Put your security culture to the test and run a tabletop exercise from NCSC’s Exercise in-a-box. These are valuable and immersive ways to find out how well protected (or not) your organisation is and identify opportunities to improve your response to disasters before it becomes a reality. There’s plenty of choices and they range from micro-exercises that take a few minutes to an afternoon’s investment to see how you would handle a ransomware attack. These exercises provide practical scenarios for leadership teams to evaluate and refine their security strategies.

Tracking success of your school’s cybersecurity measures

A good cybersecurity culture is measurable and the results of measuring the attitudes and behaviours of the people in your culture will enable you to make informed decisions and take the right actions to improve your security posture. If you are concerned that your security culture isn’t good right now – don’t be. By measuring the current state you can establish your baseline to measure improvement and then report it back to staff (which in-turn motivates them to do better).
Some easy metrics you can start gathering:

• Number of phishing emails reported
• Number of security incidents reported
• Patch management compliance %
• Security training completion rates
  

Notice how I have focused on metrics that demonstrate positive behaviour – if you are seen to value the absence of problems then staff are encouraged to keep quiet to keep the metrics looking good. Consider how you can formulate your security metrics in terms of success.

Key takeaways

• Cybersecurity is critical for safeguarding students and school operations, with UK schools being prime targets
• Understanding specific threats (ransomware, phishing, fraud) is crucial
• Building a strong, open cybersecurity culture involving everyone – led from the top – is essential
• Proactive measures like regular, engaging training (for staff and students) and investing in secure systems (like cloud-based MIS) are vital
• Cybersecurity is a shared, ongoing responsibility requiring continuous improvement and measurement

If you’re looking to boost your school’s cyber resilience, I’d urge you to check out the latest guidance for schools from the National Cyber Security Centre (NCSC). They offer a wealth of tailored resources, including specific advice for governors and trustees, staff training packages, technical guidance for IT teams, and even resources for engaging students.

Final ask

Don’t wait for a cyber incident to happen to your school. Take the first step today by having an open conversation with your team about your current security posture and how you can collectively strengthen your school’s defenses.

Also, turn on multi-factor authentication!

–

The post How to build a strong cybersecurity culture in your school appeared first on Arbor.

–

–

Schools & Academies Show

When: 15 May 2025

Where: Excel, London

Meet us at the Schools & Academies Show, Stand I23 and see a demo of the UK’s most popular cloud MIS in action.

–

–

ArborFest

When: 21 May 2025

Where: The Repetory Theatre, Birmingham

If you’re already a member of the Arbor community, don’t miss out on our biggest annual conference to date! Get your tickets here for a day filled with thought leadership talks, workshops, and the chance to chat with our Product and Support Teams.

–

–

MATPN Midlands

When: 24 & 25 June 2025

Where: EMCC, Nottingham

MATPN brings together over 300 leaders from across the country to look at innovative technologies and drive change in the sector. If you’re thinking about switching MIS, have got questions about procurement or simply what to find out a bit more about Arbor, we’d love to see you there. Find out more here.

–

–

Confederation of School Trusts Conferences

CST Data and Insights Conference

When: 19 June 2025

Where: Birmingham Conference and Events Centre

–

CST CEO Leadership Summit

When: 7 & 8 July 2025

Where: Park Regis Hotel, Birmingham

We are proud to be Confederation of School Trusts’ Platinum Partners, and would love to see you at these conferences to chat about Arbor will transform the way your trust works.

–

–

TransforMATive AI Conference

When: 23 June 2025

Where: EMCC, Nottingham

Details to come – we’re excited to see you there!

–

The Arbor Roadshow

When: May, June and July 2025

Where: All over the UK

We’re excited to announce that the Arbor Roadshow is back for Summer Term!

See the UK’s most popular MIS in action and hear from local schools who’ve already made the move.

Find out where we’re headed first and register your interest here.

–

–

Our webinar series!

When and where: Live or on-demand – whatever suits you

If you can’t make it to any of these in-person events, don’t worry! See Arbor in action and ask any questions you might have in our free webinar series. And if those times don’t suit you, you can always watch our webinars on demand too. 

Find all of our webinars here. 

–

And for MAT leaders, join our MAT Strategy Series. This is a free programme of events and webinars exclusively for MAT leaders and medium-sized trusts exploring sustainable growth. From assessing your operating model and exploring the routes to growth, to managing change and deciding what your central team should look like, this series will give you the chance to hear from your peers, share ideas and leave with practical tips to take back to your trust. Book onto the next webinar in the series here. 

The post How to meet us in Summer Term! appeared first on Arbor.