
Cyber Security for Schools UK 2026: DfE Standards & Academy Trust Guide

Quick Answer: UK schools and academies must meet the Department for Education’s digital and technology standards, including the “cyber security standards for schools and colleges” published in 2022 and updated in 2024. Cyber Essentials is now expected as a minimum, and many schools must hold Cyber Essentials Plus to meet ESFA / DfE grant conditions and CCS framework procurement rules. A typical 800-pupil secondary school should budget £15,000–£30,000/year on cyber across MIS protection, MFA, MDR, and DfE-aligned governance.

UK schools have been a top-ten cyber-attack sector every year since 2020, with academy trusts and large secondary schools particularly exposed. The 2022 Vice Society ransomware attacks against multiple UK schools, the 2023 attacks on a number of multi-academy trusts, and the steady stream of phishing-led incidents in 2024–25 have made cyber security a board-level concern for trustees and governors. The DfE’s response has been increasingly prescriptive: a published set of cyber security standards, mandatory adherence to digital and technology standards for grant funding, and explicit expectations around Cyber Essentials.

This guide explains what UK schools, academies and FE colleges actually need to do in 2026 to meet DfE expectations, satisfy ICO obligations for pupil data, and defend against the ransomware and phishing attacks specifically targeting the education sector.

What the DfE actually expects from UK schools in 2026

The DfE Digital and Technology Standards

First published in April 2022 and refreshed in 2024, the standards cover broadband, network switches, wireless networks, servers, cloud services, devices, filtering and monitoring, digital leadership and, crucially, cyber security. They are the basis for ESFA spending decisions and are increasingly cited in inspection regimes.

The 9 cyber security standards

  1. Protect all devices on every network with a properly configured firewall.
  2. Enforce up-to-date Microsoft / Apple / Google operating system, app and browser patches.
  3. Have anti-malware (antivirus or EDR) on all devices.
  4. Restrict admin accounts and accounts with elevated privileges.
  5. Use multi-factor authentication for all admin and privileged accounts, and increasingly for all staff accounts.
  6. Train all staff on basic cyber hygiene and how to spot phishing.
  7. Have backups, including offline or immutable copies, and test restoration.
  8. Have a cyber response plan, with a documented procedure for staff to report incidents.
  9. Achieve Cyber Essentials annually, and Cyber Essentials Plus where appropriate (typically larger MATs and schools handling sensitive workloads).

ESFA / Academy Trust Handbook

The Academy Trust Handbook (ATH) requires academy trusts to maintain proper governance of risk, including cyber risk. Academy boards are expected to discuss cyber security at audit committee level at least annually and to confirm that DfE standards are met. ESFA scrutiny of trust risk management has tightened post-2023.

Keeping Children Safe in Education (KCSiE)

KCSiE 2024 incorporates online safety expectations and (by reference via the DfE digital standards) cyber security expectations. Filtering and monitoring duties (Standard 8 of the DfE digital standards) sit alongside child-protection obligations.

UK GDPR and pupil data

Pupil personal data is heavily regulated. SEND data (special educational needs and disabilities) is special-category data under UK GDPR Article 9. Free school meals data, behavioural records, safeguarding records and parental contact details all fall within scope. The ICO has fined several UK schools and academy trusts for data-protection failures, with penalties ranging from £10,000 to £120,000.

CCS / DfE procurement requirements

Many DfE and Crown Commercial Service procurement frameworks expect Cyber Essentials Plus from suppliers, which cascades into school IT supplier selection. Schools using framework-listed MIS, payment, comms and learning-platform suppliers should already be benefiting from this.

The threats UK schools actually face

1. Ransomware on Management Information Systems (MIS)

SIMS, Arbor, Bromcom, ScholarPack and similar MIS hold pupil records, attendance, behaviour, SEND data, finance, payroll and parent contacts. Ransomware encryption of MIS can stop a school operating — staff can’t take attendance, communicate with parents, or process safeguarding referrals. Vice Society’s 2022 UK school campaigns specifically targeted MIS data for double-extortion (encrypt + leak) tactics.

2. Phishing of senior leaders and finance staff

Headteacher / business manager / SBM mailbox compromises lead to BEC fraud against suppliers and PTAs. Several UK academy trusts have suffered five- and six-figure losses to invoice-redirect scams over the last 18 months.

3. Pupil-targeted social engineering

Increasingly, attackers use compromised pupil accounts (often re-used passwords from breached gaming or social-media services) to pivot into school networks. Pupils often don’t enable MFA on their school accounts.

4. Third-party / supply-chain compromise

Most UK schools rely on 30+ external SaaS providers (Google Workspace for Education, Microsoft 365 for Education, ClassCharts, ParentPay, Google Classroom, Showbie, Seesaw etc.). Compromise of any of these can affect pupil data.

5. Insider misuse and password sharing

Schools have an unusual insider risk: staff frequently share accounts with cover supervisors, students share passwords with peers, and trainee teachers retain access years after they leave. Strong access governance and quarterly access reviews are essential.


The cyber controls UK schools should have in 2026

Identity and access

  • MFA enforced for every staff account — no exceptions for headteachers or SBMs.
  • MFA encouraged or required for sixth-form pupils with admin-adjacent access (head students, IT prefects).
  • Conditional access blocking unusual locations.
  • Quarterly access reviews aligned with leaver lists.
  • Privileged access management for IT-team admin accounts.

Endpoint protection

  • EDR on every staff device (Microsoft Defender for Business is sufficient and free with M365 A3/A5 for Education).
  • Centrally-managed pupil device protection via Intune for Education or Google Workspace for Education.
  • BitLocker / FileVault encryption on every staff and 1:1 pupil device.

Email security

  • Microsoft Defender for Office 365 P1 or P2 (included in M365 A3/A5).
  • SPF, DKIM, DMARC at p=reject for the school domain.
  • Anti-impersonation rules detecting headteacher / SBM display-name spoofing.
  • External-sender warning banners.
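The "DMARC at p=reject" bullet above is easy to state and easy to leave half-done (a p=quarantine or pct=50 left over from a rollout still lets spoofed headteacher mail through). The following is an added example, not the page's or any vendor's tooling: it parses SPF and DMARC TXT records for a constructed sample school domain and lists the gaps against that control. The domain and records are made up; a real check would fetch the TXT records with a DNS resolver instead of the inline dictionary.

```python
"""Check a school domain's SPF and DMARC TXT records against the
'DMARC at p=reject' control. Added example with constructed records;
a real check would look the records up in DNS."""
import re

# Constructed sample records for a hypothetical school domain.
SAMPLE_TXT = {
    "example-school.sch.uk": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example-school.sch.uk": [
        "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example-school.sch.uk"
    ],
}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_domain(domain, txt=SAMPLE_TXT):
    """Return a list of findings; an empty list means the control is met."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (receivers treat this as a permerror)")
    elif not re.search(r"\s[-~]all$", spf[0].strip()):
        # Note: a record ending in a redirect= modifier is also flagged here.
        findings.append("SPF: record does not end in -all or ~all (+all/?all gives no protection)")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no _dmarc record")
        return findings
    tags = parse_dmarc(dmarc[0])
    if tags.get("p") != "reject":
        findings.append(f"DMARC: p={tags.get('p', 'missing')}, control expects p=reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    return findings

if __name__ == "__main__":
    for finding in check_domain("example-school.sch.uk"):
        print(finding)
```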

Filtering and monitoring

  • Compliant with the DfE filtering and monitoring standards (April 2024 update).
  • DNS-level filtering (Smoothwall, Cisco Umbrella, Sophos DNS).
  • Monitoring system flagging child-protection concerns to designated safeguarding leads.

MIS & backup

  • 3-2-1-1 backup including MIS, finance, comms platforms.
  • Immutable backup storage to defeat ransomware encryption of backups.
  • Tested MIS restore quarterly — not annually.

Detection and response

  • MDR or SOC alerting (24/7 for MATs; business-hours acceptable for single-school primary).
  • Incident response plan covering DfE / ESFA / ICO / parent notification.
  • Pre-arranged DFIR firm via incident retainer or insurer panel.
  • Annual tabletop exercise with senior leadership and trustees.

Governance and certification

  • Cyber Essentials annually as a minimum.
  • Cyber Essentials Plus for MATs and large schools.
  • Annual cyber awareness training tracked per-individual; specific modules for finance staff and SBMs given the BEC risk.
  • Audit committee review of cyber risk register at least annually.

Realistic cyber security budget for UK schools

Small primary school (250 pupils, 30 staff)

  • Microsoft 365 A3 for Education (free for staff): £0
  • EDR via Defender for Business (included): £0
  • Cyber Essentials managed: £750/year
  • Awareness training: £600/year
  • MIS-aware backup beyond M365 retention: £1,500/year
  • Filtering & monitoring (per DfE standards): £2,500/year
  • Pen test (every 2 years amortised): £1,750/year
  • Total: ~£7,100/year

Secondary school (800 pupils, 80 staff)

  • M365 A3 staff: £0
  • Standard tier MDR (business-hours plus on-call): £9,500/year
  • Cyber Essentials Plus: £3,500/year
  • Awareness training: £1,800/year
  • Backup add-on: £3,000/year
  • Filtering & monitoring: £5,500/year
  • Annual external pen test: £5,000
  • Cyber insurance: £3,500/year
  • Total: ~£31,800/year

Multi-Academy Trust (10 schools, ~5,000 pupils, 500 staff)

  • Premium tier managed cyber including SIEM & threat hunting: £30 × 500 × 12 = £180,000/year
  • M365 A3/A5 mix: £48,000/year
  • Cyber Essentials Plus across the trust + ISO 27001: £25,000/year
  • Awareness training + role-specific modules: £8,000/year
  • Pen testing programme: £25,000/year
  • Filtering & monitoring centralised: £30,000/year
  • Cyber insurance: £14,000/year
  • IR retainer: £10,000/year
  • Total: ~£340,000/year

Frequently Asked Questions

The DfE’s digital and technology standards explicitly state that schools should achieve Cyber Essentials, with Cyber Essentials Plus where appropriate. ESFA-administered grant funding increasingly references the standards as a condition. While not yet universally mandatory, MATs and schools that don’t hold CE face increasing scrutiny from auditors, the ESFA, and trustees. Practical answer: certify it — the cost is small (£500–£1,500/year), the diagnostic value is significant, and it removes a recurring audit question.

The DfE filtering and monitoring standards (April 2024 update) require schools to: have appropriate filtering and monitoring systems in place, designate a senior leader and a governor responsible for filtering & monitoring, review systems annually, and respond to safeguarding incidents identified by monitoring. Use IWF-aligned filter providers (Smoothwall, RM SafetyNet, Securly, Sophos DNS) and ensure monitoring alerts go to designated safeguarding leads, not just IT. The standards apply to school-issued devices and any device used to access school systems.

Ransomware on Management Information Systems remains the highest-impact risk — an MIS lockout stops the school operating, prevents safeguarding referrals, halts attendance reporting, and exposes pupil data via double-extortion leak threats. Defence: immutable backups specifically configured for MIS data, MFA on every MIS administrator account, EDR on every staff endpoint, network segmentation separating pupil and staff networks, 24/7 detection during term-time. The 2022–2024 wave of UK school ransomware events was almost entirely preventable with these controls.

Notification routes for UK schools: ICO within 72 hours where personal data is affected (most school incidents); Action Fraud for any financial fraud; the police (101 or Action Fraud) for any criminal offence; the DfE Sector Cyber Team via the Education Cyber Resilience Programme; the local authority designated officer if safeguarding data is involved; parents and pupils where required by ICO advice. Most academy trusts also notify ESFA and DfE governance as part of their risk reporting. Build a single incident-response runbook covering all these routes — trying to remember during a real incident never works.

Realistic 2026 budget for an 800-pupil UK secondary school: ~£25,000–£35,000/year. Most of the spend goes on managed detection & response (~£10,000), Microsoft 365 / Google Workspace tooling (often subsidised or free for staff), Cyber Essentials Plus (~£3,500), filtering & monitoring (~£5,500), backup, awareness training and an annual pen test. Multi-academy trusts benefit from significant economies of scale — per-pupil cyber cost in a 10-school MAT is typically 30–50% lower than in a stand-alone school of the same size.

MFA is mandatory for staff under the DfE standards. For pupils, the picture is more nuanced: full MFA for all pupils (including primary) is operationally challenging and isn’t currently DfE-mandated. Reasonable practice: MFA for sixth-form pupils with elevated access (head students, IT volunteers, exam-platform admins), strong unique passwords for all pupils, and tightly controlled scope — pupil accounts should never be local administrators on devices, and pupil access to staff systems should be impossible regardless of password compromise.

Need DfE-aligned cyber support for your school or academy trust? Request a free DfE cyber standards gap analysis — we’ll cover all 9 cyber security standards, the filtering & monitoring expectations, and the controls needed for Cyber Essentials Plus. See also our best UK cyber security companies guide.
