Teachers in schools in England are not receiving sufficient cybersecurity training, a new poll has revealed. A third of teachers haven’t completed any in the last academic year, while only 66% of those who did found it useful.
These results come from a Teacher Tapp survey of teachers across England from the Office of Qualifications and Examinations Regulation, or Ofqual. It also revealed the prevalence of cyber attacks within the education sector in the U.K.
Over a third (34%) of schools and colleges experienced a cyber incident during the last academic year, and the north-west was most targeted with 40% of institutions hit.
Recovering from such attacks was not always trivial, with a fifth of respondents saying they could not recover immediately. Four percent of teachers said it took them longer than half a term — about six weeks — and 9% of headteachers described their attack as “critically damaging.” The most common type of cyber attack experienced by schools was a phishing attack, cited by 23% of respondents.
SEE: 87% of UK Businesses Are Unprepared for Cyberattacks
The exam watchdog asked some of the teachers how these attacks have impacted their workplace.
One teacher said: “[It happened] last summer before results days. From then on, all teaching staff were unable to access anything, so could not prepare for the year.
“When back in school, we could not use the desktops and there were not enough laptops. This went on for weeks and was utter chaos.”
Another said: “[It] caused a dip in belief about the security of our systems and led to difficult conversations with parents.”
Ofqual’s Executive Director of General Qualifications, Amanda Swann, said: “Losing coursework that is the result of many hours of hard work is every student’s nightmare. Even more distressing is losing a whole class or year group’s coursework because of weak cyber security on a school or college IT system.
“Many schools and colleges take cyber security seriously, but this poll highlights that there is more to be done. I would encourage schools and colleges to visit the National Cyber Security Centre’s school resource guide to learn how to defend against cyber attacks.”
Schools are popular targets for cyber criminals, with education being the fourth most targeted sector for ransomware, according to cybersecurity firm Jumpsec.
According to this year’s Cyber Security Breaches Survey, 71% of secondary schools and 52% of primary schools identified breaches or attacks in 2023. In comparison, the proportion of U.K. businesses as a whole that experienced cyber incidents was 50%.
In 2024 alone, there have been reports of major incidents in secondary schools in London, Kent, Essex, Lancaster, Buckinghamshire, and at an Essex primary school. Trusts in Cambridgeshire and Lancashire, which manage multiple schools and academies, have also been targeted for maximum impact.
A significant portion of the reported attacks occur in September, at the start of the U.K. academic year. This is a particularly busy period for staff, especially in administrative departments, as payments for annual bills, including new contracts, software licence renewals, and other operational expenses, are being made.
SEE: Global Cyber Attacks to Double from 2020 to 2024, Report Finds
Cyber criminals aim to intercept payments or demand ransoms during a time when financial systems are especially active and personnel are overwhelmed.
School networks are also often accessible to a large number of people and devices, including children. This openness makes them more difficult to protect, leading to a higher number of attacks.
They also tend to harbour a lot of sensitive data about staff and students, which can be valuable to attackers, while schools have a limited budget for preventative cyber security measures.
“It was clear during the interviews with education institutions that funding and restricted budgets were a big issue, making it difficult for them to increase their investment in cyber security,” the researchers behind the Cyber Security Breaches Survey wrote.
In the U.K., teachers are under pressure due to staff shortages, funding issues, pupil hardship, and worsening behaviour, meaning that investing in cyber security measures and staff training are often not a top priority. Tight budgets also mean schools often still run legacy software and cannot employ security experts to train staff or protect their systems.
Hackers often target public services and critical infrastructure, such as utilities, transport, telecommunications, healthcare, and education, because it leads to the largest amount of disruption. The more essential uptime is, the more likely a ransom will be paid, and the greater publicity the criminal gang will get.
SEE: 80% of Critical National Infrastructure Companies Experienced an Email Security Breach in Last Year
Suzan Sakarya, senior manager of EMEIA Security Strategy at device management company Jamf, told TechRepublic in an email: “Poor cyber hygiene found in schools by Ofqual is no shock at all. On account of continually squeezed budgets, schools lack the means to upgrade devices or systems that contain unpatched vulnerabilities, let alone purchase the latest technology.
“The education sector is increasingly susceptible to attacks as more devices enter schools, more services move to the cloud, and more time is spent online. There is a dire need for security awareness education and support for both staff and students.
She warned: “Schools need to immediately assess their risks — only by understanding what types of threats affect the items in their networks can they properly address the problem. Schools should then build an internet safety framework, which includes content filtering to automatically restrict inappropriate content and threat prevention software to mitigate and prevent cyber threats.”