Cybersecurity for school leaders; 10 top priorities

Cyberattacks on schools are becoming increasingly frequent and we’ve seen how challenging it can be to stay ahead of the ever-evolving cyber threat.

Read time: 5 mins  Added: 17/04/26

Image of cybersecurity reaching around the globe.

Staying ahead

Schools often don't have the same cybersecurity resources as large corporates, but the risk they face is just as real - if not more so. Schools are increasingly digitally connected, so a cyberattack can take down systems controlling everything from door entry systems to CCTV, telephones, fire alarms and even catering. And the impact of a successful cyberattack isn’t just financial; the disruption and stress it can place on staff and students are hard to put a price on.

Drawing on real-world experience, Phil Herriott, Director of Education, and Giles Taylor, Head of Resilience and Security, outline 10 essential steps to protect your school or trust, and recover if the worst happens.

Ongoing best practice

Everyone must be aware of the day-to-day checks and measures in place to prevent a cyberattack and this messaging must be regularly revisited. This should include procedures for verifying any requests to change payment details, which must include follow ups to confirm their authenticity, for example with a face-to-face video call.

To further protect data, default settings on hardware and software must be configured to reduce any vulnerabilities, including tightening device access controls and multi factor authentication. Systems should only be accessible from company devices or personal devices that have been registered within a Trust building or by the Trust IT team.

And public Wi-Fi networks are a particular danger; one recent school cyberattack we are aware of was traced to an employee who inadvertently connected a personal device to a fake network. A hacker was then able to gain unauthorised entry to their work email account.

An up-to-date action plan

 

A cybersecurity action plan is at the cornerstone of every organisations’ ability to react and recover from a cyberattack. This should be informed by a comprehensive cyber audit, which may involve bringing in external expertise. Crucially, the plan must be stored somewhere it can be easily accessed if systems are compromised, which may be in the cloud or as paper copies.

It may be worth ‘war gaming’ different scenarios to inform your plan, which should be revisited on a regular basis to ensure it is still fit for purpose.

A cybersecurity action plan is at the cornerstone of every organisations’ ability to react and recover from a cyberattack. This should be informed by a comprehensive cyber audit, which may involve bringing in external expertise. Crucially, the plan must be stored somewhere it can be easily accessed if systems are compromised, which may be in the cloud or as paper copies.

It may be worth ‘war gaming’ different scenarios to inform your plan, which should be revisited on a regular basis to ensure it is still fit for purpose.

Considering the cloud

Storing vital information in the cloud can help protect it from hackers and enable it to be retrieved during or after an attack. Again, don't just accept the default security settings that managed cloud services offer; it’s important that IT teams understand the right risk managed configuration for you and your colleagues.

This will entail necessary trade-offs with usability and practicality, but applying additional lockdown steps such as multi factor authentication is crucial for securing sensitive data.

Make sure you’re insured

 

Insurance, either through a commercial insurer or the government’s Risk Protection Arrangement, will be fundamental to any cyberattack response. Indeed, one of the first steps in your cyber action plan will be to contact your insurer. They should be able to connect you with cyber incident response teams who will be able to help you contain any damage, preserve any evidence and support your recovery, rebuild and ongoing resilience.

So, it’s worth interrogating your policy to ensure it includes comprehensive cybersecurity cover. And it's not just about the financial cover the policy provides; the response and recovery services can be where the real value lies. But it’s worth noting that insurance will only restore your systems to where they were before the attack. You may need to make additional investments to enhance security going forward.

Insurance, either through a commercial insurer or the government’s Risk Protection Arrangement, will be fundamental to any cyberattack response. Indeed, one of the first steps in your cyber action plan will be to contact your insurer. They should be able to connect you with cyber incident response teams who will be able to help you contain any damage, preserve any evidence and support your recovery, rebuild and ongoing resilience.

So, it’s worth interrogating your policy to ensure it includes comprehensive cybersecurity cover. And it's not just about the financial cover the policy provides; the response and recovery services can be where the real value lies. But it’s worth noting that insurance will only restore your systems to where they were before the attack. You may need to make additional investments to enhance security going forward.

Supporting your people

 

One of the impacts you might not be aware of is the stress a cyberattack places on staff. They might be thinking: “Could it have been me who triggered this attack? Was it my fault?”

So, it’s important to provide reassurance as quickly as possible. Of course, the ultimate objective of any school or Trust is to provide the best possible outcomes for students. If a school has to temporarily close its doors, or even if services like catering, or breakfast and after school clubs, are disrupted, schools can work with local authorities to identify the most vulnerable pupils and put coordinated safety plans in place.

One of the impacts you might not be aware of is the stress a cyberattack places on staff. They might be thinking: “Could it have been me who triggered this attack? Was it my fault?”

So, it’s important to provide reassurance as quickly as possible. Of course, the ultimate objective of any school or Trust is to provide the best possible outcomes for students. If a school has to temporarily close its doors, or even if services like catering, or breakfast and after school clubs, are disrupted, schools can work with local authorities to identify the most vulnerable pupils and put coordinated safety plans in place.

Consistent comms

It’s vital to keep the school community informed, but when normal communication systems like phone and email are down, sharing information will be much harder. Contact information for pupils and their guardians must be securely stored, and you should have recourse to a separate communications network that can be enabled while you are responding to and recovering from any attack.

Communication may be more infrequent than you might like, so any messaging must be clear and consistent to provide certainty and reassurance to parents and pupils.

Learning continuity

Teachers are unlikely to be able to access digital resources for lessons. One school we spoke to shared a work around, which was for teachers to download their resources either onto a personal laptop, which wasn't compromised, or a mobile phone, which can then be connected to interactive whiteboards until the network is secured. Give consideration to the problem of centralised printing as well; staff may want to print out handouts and worksheets, which will mean having to reprogram networked printers to enable local printing.

Rebuilding systems

 

The time to restore and rebuild systems should not be underestimated; it will likely take several weeks and even months. Even when you get back online, time pressures will mean the usual implementation and optimisation processes may not be possible, causing inefficiencies that can mean further disruption.

So, consider the additional IT support time and staff overtime that will be needed - these indirect costs are quite hard to quantify. Also, in terms of a school or Trust’s ongoing IT strategy, a cyberattack can cause longer term delays because everyone is distracted and diverted onto the crisis.

The time to restore and rebuild systems should not be underestimated; it will likely take several weeks and even months. Even when you get back online, time pressures will mean the usual implementation and optimisation processes may not be possible, causing inefficiencies that can mean further disruption.

So, consider the additional IT support time and staff overtime that will be needed - these indirect costs are quite hard to quantify. Also, in terms of a school or Trust’s ongoing IT strategy, a cyberattack can cause longer term delays because everyone is distracted and diverted onto the crisis.

Data fallout

If hackers carry out their threats and publish data that they have stolen from a school or Trust on the dark web, you may need a separate project team to deal with that. There will be important legal considerations regarding personal data and the Information Commissioner's Office will need to be notified, as well as everyone whose data has been compromised.

While experience tells us that most people are generally understanding, schools have been sued by people whose data has been made public. So, be sure that you are not storing sensitive information that you do not need to, such as details for former members of staff.  Regular clean outs to erase any data that could be an unnecessary liability in the event of a cyberattack are recommended.

Banking and business recovery

 

A good banking partner is vital to your cyber resilience and recovery. If accounts systems are encrypted and you're not able to pay your staff after an attack, for example, that can be highly disruptive and stressful for colleagues.

Be aware that your bank can help you by providing information like previous payroll runs, which can help ensure payments to staff and vital regular suppliers are not interrupted.

To request a free cyber defence check from Gallagher Insurance, please do reach out to your Relationship Manager.

A good banking partner is vital to your cyber resilience and recovery. If accounts systems are encrypted and you're not able to pay your staff after an attack, for example, that can be highly disruptive and stressful for colleagues.

Be aware that your bank can help you by providing information like previous payroll runs, which can help ensure payments to staff and vital regular suppliers are not interrupted.

To request a free cyber defence check from Gallagher Insurance, please do reach out to your Relationship Manager.

You may also be interested in

Cyber Insurance

Cyber Insurance can protect your business by providing cover for threats such as malicious cyberattacks and data breaches. Find out how you can get cover.

Learn more

Education sector hub

For more tailored guidance for the Education sector visit our specialised support hub.

Visit the Education hub

Lloyds Bank Business Insurance services are arranged and administered by Arthur J. Gallagher Insurance Brokers Limited. When getting a quote online, you will be taken to Gallagher’s online site with a new privacy and cookie policy.