Schools Are Engaged – But Not Fully Prepared

• by Anthony Orjally
• Advent IM Blog

Cybersecurity is now on the agenda for almost every UK school, with 95-98% of schools that took part in the ‘Cyber security breaches survey 2025: education institutions findings’ understand that cybersecurity is discussed at board or governor level. However, in this same report, there’s suggestions that awareness and preparedness don’t always keep up with the enthusiasm. Schools are engaged, but not fully prepared!

Even though cybersecurity is a topic discussed in nearly every school, less than 50% are aware of free resources and frameworks designed to help them, such as the National Cyber Security Centre (NCSC) resources and the government’s Cyber Essentials scheme. This means that many schools believe they’re following best practices when it comes to data protection, however that isn’t necessarily the case – with over half not knowing they have access to the best guidance to keep their school protected. This is like buying a new desk from Ikea but attempting to build it without the instructions.

Having an incident response plan is a very strong start, with nearly 75% of schools (71% primary, 74% secondary) having a formal incident response in place. On the contrary, the report suggests that some of the deeper readiness plans, such as using approved incident response, are less widespread. Effective penetration testing/red teaming services help with this, as it gives peace of mind that the incident response plan for a school is either effective or needs working on (with a detailed list of improvements).

But before you can put plans into action, it’s important to understand how to make them work. This is why the Government guidance is essential to helping the education sector stay secure. Positively, further education colleges (88%) and higher education institutions (87%) had heard of Cyber Essentials – in contrast, just 43% of secondary schools and only 20% of primary schools were aware of the scheme. Awareness can be achieved through various methods, such as including cybersecurity in OFSTED checklists and creating training sessions that don’t need to be overly technical.

Schools care deeply about cybersecurity, but the level of awareness and preparedness can still improve. In the Cyber security breaches survey 2025: education institutions findings it’s mentioned that nearly 100% of educational institutions report a higher level of board engagement with cybersecurity, showing the excellent intent and initiative. Turning intent into practical action, however, remains a challenge for many schools – therefore, effective solutions need to be in place, such as testing current security measures and having a delegated cybersecurity lead. With the right guidance and collaboration, schools can improve their security posture and remain prepared.