This post includes examples from Insight, our own pupil tracking platform.
October is Cyber Security Awareness Month, and the latest UK data highlights why schools need to stay alert.
According to a Home Office report, between August and December 2024, 44% of UK primary schools experienced a breach or attack, with phishing the most common route in. Meanwhile, the ICO has warned that insider risks are rising, with over half of insider attacks being caused by students, including one case involving a seven-year-old child.
Phishing is when cyber criminals send emails or messages that look like they come from a trusted source – such as your headteacher, the local authority, or a cloud service like Microsoft 365 – to trick staff into clicking a link or sharing login details. In a school, this could mean attackers gaining access to pupil records, staff payroll information, or safeguarding notes.
The recent ransomware attack on the Kido nursery chain underlines how even early-years settings are now being targeted by cyber criminals. With schools' increasing reliance on cloud-based software, it is more important than ever to put robust safeguards in place to protect the personal data of those least able to protect themselves.
By embedding a few simple practices, schools can significantly reduce their exposure.
Improve Access Controls
The ICO report highlights that almost a third of insider attack incidents were caused by students simply guessing weak passwords or finding them written down on bits of paper.
According to NCSC guidance you should:
- Use a password manager to create and store strong passwords.
- Create unique passwords for all your important online accounts.
- Enable 2-step verification (or 2-factor authentication) to protect your accounts.
Many cloud-based providers, including Insight, offer the option to enforce 2FA at the account level. This simple change will greatly enhance your security posture, because even if a password is compromised, the account cannot be accessed without the user's device.
Regularly Review Accounts
In UK schools, weak account governance is a real risk. The ICO’s analysis of 215 insider incidents found 17% were caused by incorrect access rights (for example, staff or students having permissions they shouldn’t).
Schools can mitigate this risk by:
- Regularly reviewing and disabling unused or outdated accounts.
- Applying least privilege principles – users should only have the access they need.
Insight offers Admin users a quick view of any potential issues with user accounts. If a user hasn’t logged in for a while, you should consider removing their access.
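The two checks above, dormant accounts and least privilege, can be run over a user export so that nothing is missed between manual reviews. This is an added example, not Insight's own code: it assumes an administrator can export users as CSV with hypothetical columns username, role, last_login and status, and the sample rows are constructed for illustration. It flags active accounts idle for more than 90 days as candidates to disable, and applies a tighter 30-day window to admin accounts as candidates to downgrade.

```python
"""Dormant-account and excess-privilege review over a constructed user export.

Added example, not Insight's code. The CSV layout (username, role, last_login,
status) is a hypothetical export format; a blank last_login means never logged in.
"""
import csv
import io
from datetime import date

# Constructed sample export: hypothetical accounts, not real data.
SAMPLE_EXPORT = """username,role,last_login,status
head.teacher,admin,2025-09-28,active
j.smith,teacher,2025-06-02,active
supply.cover,teacher,,active
old.ta,admin,2024-11-15,active
former.staff,teacher,2024-03-01,disabled
office.admin,admin,2025-09-30,active
"""

# Date the review is run against (fixed so the output is reproducible).
REVIEW_DATE = date(2025, 10, 1)

# Roles that should be held only by a small number of named staff.
PRIVILEGED_ROLES = {"admin"}


def parse_export(text):
    """Parse the CSV export, converting last_login to a date (None if never used)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        row["last_login"] = date.fromisoformat(last) if last else None
        rows.append(row)
    return rows


def idle_days(row, today):
    """Days since the last login, or None when the account has never been used."""
    return None if row["last_login"] is None else (today - row["last_login"]).days


def dormant_accounts(rows, today, max_idle_days=90):
    """Active accounts with no login within max_idle_days (or ever): disable candidates."""
    found = []
    for row in rows:
        if row["status"] != "active":
            continue  # already disabled accounts need no action
        idle = idle_days(row, today)
        if idle is None or idle > max_idle_days:
            found.append(row["username"])
    return sorted(found)


def stale_privileged(rows, today, max_idle_days=30):
    """Active privileged accounts idle beyond a tighter window: downgrade candidates."""
    found = []
    for row in rows:
        if row["status"] != "active" or row["role"] not in PRIVILEGED_ROLES:
            continue
        idle = idle_days(row, today)
        if idle is None or idle > max_idle_days:
            found.append(row["username"])
    return sorted(found)


def review(text, today):
    """Produce a review report: accounts to disable, admins to downgrade, current admins."""
    rows = parse_export(text)
    admins = sorted(
        r["username"] for r in rows
        if r["status"] == "active" and r["role"] in PRIVILEGED_ROLES
    )
    return {
        "disable": dormant_accounts(rows, today),
        "downgrade": stale_privileged(rows, today),
        "active_admins": admins,
    }


if __name__ == "__main__":
    report = review(SAMPLE_EXPORT, REVIEW_DATE)
    for action, users in report.items():
        print(f"{action}: {', '.join(users) or '-'}")
```

The list of current admins is printed alongside the flagged accounts because the least-privilege question is not only whether an admin is idle but whether each person on that list still needs admin rights at all; that judgement stays with the school's leadership, and the script only makes the list visible.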

Assess Providers with DPIAs
Schools rely on a growing number of third-party software providers. While these services bring clear benefits, they also introduce risk if personal data is not handled securely.
Under UK GDPR, schools must carry out a Data Protection Impact Assessment (DPIA) before introducing any system that processes personal data. A DPIA helps leaders ask the right questions about a provider’s security, data handling and compliance.
For customers who are assessing Insight, we have put together a Data Protection & Security Help Guide which contains the information needed to complete a DPIA.
Share Data Securely
Schools have a responsibility under GDPR to protect personal data. A key component of this is using secure channels when sharing data with third parties.
In practice, this means avoiding email for attachments containing personal data. Email is not a secure channel: it is difficult to track, often excluded from retention policies, and remains a frequent source of breaches in education.
To share data securely, consider:
- Using secure file upload areas built into third party software, or document sharing platforms (such as Microsoft 365).
- Encrypting files before transmission if external sharing is unavoidable (and share passwords via a separate channel).
- Training staff on the risks of sending email attachments, explaining how they can be intercepted or sent to the wrong recipients.
Build a Culture of Awareness
Technology is only as secure as the people who use it.
Schools can foster safer practices by:
- Running regular cyber awareness training for staff.
- Sharing examples of real incidents and threats.
- Reinforcing to new starters the importance of core data protection principles.
Resources
The National Cyber Security Centre (NCSC) provides a list of practical resources for schools.
The government-approved Cyber Essentials scheme can help schools implement technical controls that protect against the most common cyber threats.