Cyber security is no longer just an IT issue for schools. It now sits firmly alongside safeguarding, operational resilience, and financial planning as one of the key risks schools need to manage.
In our recent ICT-focused webinar, Peter Passam and Rob Wright, Principal IT Engineers at SBS, explored the common gaps schools are facing, the misconceptions that still exist around cyber security, and the practical steps schools can take to strengthen both security and infrastructure planning.
If you missed our Cyber Security & ICT Strategy for Schools Webinar, you can now view the recording below.
Cyber Security in Schools: Are You as Protected as You Think?
Schools are expected to follow the Department for Education’s cyber security standards, covering areas such as passwords, backups, filtering, and access controls. However, many schools may not realise there are gaps in their current provision.
As Peter explained during the webinar:
“On the surface schools often believe they are compliant; it is only when you really look closely that schools find out they are not as compliant as they think… Not many schools have an IT expert working for them or someone who has time within their role to look at every small detail to make sure they are compliant.”
The discussion recognised that schools are often working without dedicated in-house expertise, relying on external advice while balancing already stretched operational responsibilities.
Most Cyber-attacks Are Opportunistic
The webinar also challenged the misconception that schools are unlikely targets for cyber-attacks because of their size.
“Most attacks are opportunistic. If a school has weak security, like no MFA or poor email protection, they’re easier targets.”
Multi-factor authentication (MFA) was highlighted as one of the simplest but most effective protections schools can implement to strengthen account security. The discussion also addressed practical concerns schools often raise around mobile phone restrictions for staff and how conditional access policies can help balance usability with security.
Another key issue raised was the continued presence of old or unused accounts with elevated permissions. These accounts can create significant risk if left unchecked, particularly where administrator privileges remain active long after they are needed.
Email security was another major focus. Many schools still lack protections such as SPF, DKIM, and DMARC, which are technical controls designed to prevent attackers from impersonating school email accounts. While often overlooked, these settings are relatively straightforward to implement and can significantly reduce phishing risks.
Backups: Are Schools Covering Everything?
One of the key parts of the webinar focused on backups, particularly the misconception that cloud platforms automatically protect school data.
While many schools back up on-site servers, cloud platforms such as Microsoft 365 and Google Workspace are frequently left unprotected.
The webinar explored the importance of the DfE’s recommended 3-2-1 backup rule, ensuring schools maintain multiple copies of data across separate locations, including offsite storage.
Rob highlighted that responsibility for backing up cloud data still sits with the organisation itself and stressed that backups alone are not enough if they are not actively monitored and tested:
“It is good to have a backup solution but if it is not monitored and checked to make sure all is successful it is not there.”
The discussion highlighted the importance of regular restore testing to ensure schools can recover quickly if systems fail or data is lost.
Everyday Habits Still Create Risk
Not all cyber risks are complex technical issues. In many cases, everyday habits continue to expose schools unnecessarily.
Shared passwords, unlocked screens, and unencrypted USB devices remain common concerns. With cloud-based systems now widely available across schools, the webinar questioned whether removable USB storage is still necessary at all.
The wider message shared by our experts was that good cyber security is often about consistency and awareness as much as technology.
Infrastructure and Long-Term Planning
The session also explored how ageing infrastructure can quietly increase both security and financial risks.
Older servers and hardware may continue functioning perfectly well day-to-day, but once systems reach end-of-life they stop receiving critical security updates, leaving schools exposed and potentially non-compliant with DfE guidance.
Microsoft Server 2016 was highlighted as a particular concern, with support ending in January 2027. Schools still operating these systems will need to begin planning upgrades sooner rather than later.
Download our free guide to Windows Server 16 end of life support here.
The conversation naturally moved into ICT budgeting and long-term planning, an area where many schools still find themselves operating reactively.
As Peter explained:
“Schools often see the ‘if it isn’t broken, don’t fix it’ approach.”
However, waiting until systems fail can create far greater disruption and financial pressure later down the line.
Developing a clear 3-5 year infrastructure plan allows schools to spread costs, prioritise risk, and avoid emergency replacement decisions under pressure.
Understanding Your Current Position
A recurring piece of advice throughout the webinar was that schools cannot effectively plan improvements without first understanding where they currently stand.
This is where cyber security and infrastructure audits can play a valuable role.
SBS’s cyber security audits are designed to review a school’s current position against DfE guidance, helping identify both strengths and overlooked gaps. Infrastructure audits provide schools with a clearer picture of hardware lifecycle, future upgrade requirements, and areas of operational risk.
The experts stressed that these reviews are designed to work alongside a school’s existing ICT support arrangements, not against them.
As Peter reflected during the session:
“No one is perfect after all, most schools are around where they should be, with just a few areas to improve on.”
For schools looking to improve cyber resilience, strengthen infrastructure planning, or simply gain a clearer understanding of their current position, starting with an audit can often provide the clarity needed to make informed decisions.
Click here for more information on our ICT services, or get in touch for more information on what our Cybersecurity Audits entail, and how we can work alongside you to protect your school or trust data from cyberattacks.