Are We Missing a Trick with Young Hackers? A GRC Perspective

News and information from the Advent IM team.

The Information Commissioner’s Office (ICO) recently highlighted a worrying rise in cyber incidents across UK schools and colleges. In many cases, the perpetrators aren’t organised criminals or external threat actors, but students themselves. The BBC reports that since 2022, the ICO has investigated over 215 incidents, with 57% involving children. Some of these “attacks” were the work of seven-year-olds experimenting with access; others involved older teenagers accessing or altering thousands of records. 

For the young people involved, the motivation is often described as “fun”, a dare, or simple curiosity. But from a Governance, Risk and Compliance (GRC) perspective, the implications are serious. 

Governance and the Insider Threat 

Insider threats are not new, but in education they are often underestimated. Schools tend to view risks in terms of safeguarding and physical security, yet the governance of digital assets and systems is just as critical. When students access teacher accounts or manipulate records, it undermines the integrity of institutional governance. 

The challenge here is not just technical. Institutions need policies, controls, and oversight mechanisms that recognise insiders can be pupils as well as staff, and governance frameworks must reflect this reality.

Risk: From “Fun” to Future Threat 

The escalation pathway is clear. What begins as curiosity—downloading a free hacking tool, experimenting with a guessed password—can grow into deliberate exploitation. Without early intervention, behaviours that may start as trivial rule-breaking risk maturing into serious criminality. 

The ICO has warned of the danger that these activities could scale into attacks on businesses, local authorities, or even critical national infrastructure (CNI). That is not alarmist—it is a reminder that today’s curious teenager could become tomorrow’s insider or external attacker if left unchecked. 

Compliance and Awareness Gaps 

Another striking issue is the lack of awareness among young people of the legal and compliance frameworks that govern information use. Under UK GDPR and the Computer Misuse Act, unauthorised access is unlawful—no matter the intent. Yet many students appear unaware of this, and some institutions may not be equipping them with the understanding they need. 

This gap is as much educational as it is legal. Schools have a role in embedding digital ethics and responsibility alongside coding and digital skills. Without this, governance and compliance risk being applied only after the damage is done. 

Opportunity as Well as Threat 

Here lies a paradox: the very skills that make these students a risk could also make them invaluable defenders. Technical curiosity, persistence, and lateral thinking are core attributes of cyber security professionals. 

There are established examples elsewhere. The US and parts of Europe have invested in “cyber cadet” and ethical hacking programmes that channel young talent into legitimate, well-structured paths. In the UK, initiatives such as CyberFirst (led by the National Cyber Security Centre) already provide this kind of guidance—but they are not yet embedded across the education system. 

A GRC Call to Action 

From a GRC perspective, several steps stand out: 

  • Governance: Institutions should adopt governance frameworks that treat insider threats holistically—including the reality of pupil access. 
  • Risk: Early-stage behaviour should be flagged as a risk signal, not just a disciplinary problem. Intervention at this point can prevent escalation. 
  • Compliance: Digital ethics, legal boundaries, and responsible behaviour should be part of the curriculum, not optional extras. 
  • Opportunity: Pathways must be available for students with technical curiosity to develop those skills positively, through mentoring, competitions, and industry partnerships. 

The Big Question 

Are we missing a trick? Instead of treating every young hacker as a problem to be punished, could we also see them as potential allies? With the right frameworks, many of these children could be guided away from the “dark side” and towards careers that protect rather than harm. 

In the long run, the organisations that understand this duality—risk and opportunity—may find themselves better placed not just to prevent breaches, but to cultivate the next generation of defenders. 

Case Study: CyberFirst – Nurturing Young Talent in the UK 

Run by the National Cyber Security Centre (NCSC), CyberFirst offers courses, bursaries and competitions for students aged 11–17. It’s designed to channel technical curiosity into ethical and professional cyber pathways. 

Students get hands-on training in ethical hacking, coding, and digital forensics. 

Ellie Hurst, Commercial Director 
