03 October 2022

Half of schools’ cyber security experts receive little or no training annually, despite the education sector being at most risk of cyber threats

Half of schools’ cyber security experts receive little or no training annually, despite the education sector being at most risk of cyber threats

  • Schools largely unaware of cyber security threat. 94% of primary schools and 72% didn't know that, alongside healthcare, education is the most cyber-attacked sector
  • Primary schools lag behind secondary schools when it comes to staying updated with cyber security advice from the National Cyber Security Centre (NCSC)
  • 63% of primary schools and 53% of secondary schools in England believe the responsibility sits with the local authority, 15% less than other nations on average

London, Monday 03rd October 2022 – One-in-ten UK primary schools (11%) have taken no steps to minimise the impact of a cyber-attack, despite almost all (96%) understanding the risk they pose. Conversely, 89% of secondary schools have made attempts to address the cyber-attack threats they face.

The research, from RM’s Schooling Yourself on Cyber report identified some real concerns. While 64% of secondary schools claim to be members of the RPA with regards to Cyber, only 24% have completed the NCSC training, 5% have registered for Police CyberAlarm and 49% have a response plan. Those are three of the four mandatory requirements (the fourth being offline backup).

Elsewhere, the report shows that over half (53%) of primary schools striving for cyber security best practices focus on introducing new policies online and on-premise – rather than upgrading their technology software or hardware. While the majority (84%) of secondary schools prioritise their cyber security strategy in the same way, they are much more action-orientated overall – with over half (54%) upgrading software (54%).

More than any other nation, schools in England understand that the responsibility for cyber security sits with themselves. Although more than two-thirds (63%) of primary schools and over half (53%) of secondary schools in England believe cyber security practices should be initiated by the local authority, school trusts, or Academy Trust, that number increased to almost three quarters (73%) of schools overall outside of England.

Phishing remains the top concern

When it comes to specific worries, two-thirds of primary schools (66%) highlight phishing attacks as their single greatest concern. Similarly in the secondary sector, nearly all (99%) are concerned about phishing attacks. However, and perhaps pointing to a larger complexity of security threats, secondary schools listed ransomware (57%), information security (63%), and DDOS (35%) as leading threats.

Yet while the threat of a phishing attack is a concern to all schools, one-in-twenty (6%) primary schools and a third (34%) of secondary schools are unaware that most ransomware attacks begin with a phishing attack.

Worryingly, Multi-factor Authentication (MFA) sat very low on schools’ list of priorities. 97% of primary schools and 76% of secondary have not introduced MFA. What’s more, 57% of primary schools listed a lack of awareness as one of the most significant challenges to minimise cyber security risk, while nearly half (48%) also feel that money and budget is a major challenge, a similar figure (43%) for secondary schools.

Schools are left in want of security training

A lack of awareness and a lack of training seem to correlate. In fact, 56% of primary schools stated that the people responsible for cyber security receive training less than once a year, while almost one-in-five (18%) receive no specific training at all; DCMS’ latest cyber security breaches report revealed 41% of primary schools had identified a breach.

The attack threat for secondary schools is higher than amongst primaries, so while 42% claim that those responsible for cyber security receive training more than once a year, only 43% have received training once a year or less.

On the flip side, pupil training in secondary school appears to be more regular according to half (48%) of secondary schools. Meanwhile, primary schools regularly train a mere one-in-twenty (5%) pupils.

Disparities between primaries, secondaries and academies

Comparatively, academies offer more cyber security training to their staff than authority schools and seem to have a greater knowledge of cyber security and offer more training. In fact, academies are more than twice as likely to offer training across the board than state-maintained schools.

There are clear differences in the frequency of training between primary and secondary schools too. Only 11% of primary schools completed NCSC training and 25% review their advice. Secondary schools are much better at this – 24% have completed the training and 57% review the NCSC advice.

It may then come as a surprise that over four in ten (44%) primary schools offer parent training, 13% more than secondary. More disparities arise in the responsibilities category as over two-thirds (69%) of the SLT in secondary school’s report that there is an in-house technical support team responsible for managing cyber security, dropping sharply to 21% in primary schools. This points to why more primary schools (44%) rely on third-party providers, as opposed to 35% of those in secondary schools.

Nelson Ody, Product Manager, Cyber Security at RM:

“For many in education, just ‘keeping the lights on’ is hard enough. A lack of resource and complex demands don’t allow for schools to keep on top of the ever-changing challenges. What’s more, cyber security skills are in short supply, placing pressure on sectors like education that can’t afford such talent. And schools are already struggling to know what’s required from them, particularly when the RPA scheme findings show that while nearly two-thirds of secondary schools claim to be members, just 5% have implemented all of what they are required to do.

In the coming months, money and budget are going to come under extreme pressure. Energy bills for schools are going to rise dramatically, but schools can’t forget the risk and monetary pressure a cyber-attack can have. This is where managed services and trusted partners can be of huge value - whether that’s upgrading existing systems, adding lower cost extra layers to reduce risks or being pointed towards training. Preparation is essential and that’s why we should treat cyber security in a same manner as we do with a fire; training, regularly checking the alarms and running drills.

Finally, with Ofsted toughening their guidance for school inspectors from earlier this month – they will now be checking whether schools have addressed all that they reasonably can to limit children’s exposure to any risks from the school or college’s IT system –it is clear there is much that still needs to be taught in the school of cyber security."

- Ends -


Commissioned by RM and operated by C3 Education who compiled from data collected from opted-in members of the National Education Research Panel (NERP). The online survey was issued to panel members through June 2022 where 1082 school leaders across the UK responded.

About RM

RM plc is a £211m turnover British business, with c. 1,990 employees globally. Established in 1973, RM provides market-leading products and services to educational institutions, exam bodies and international governments which improve, simplify and support education and learning. rm.com

RM’s Technology division (RM.com/education) is a market-leading supplier of ICT software, technology and services to UK schools and colleges to deliver a technology environment that improves learning outcomes and makes the most of IT investment.

Media Contact

For more information, quotes, or images on this story, please contact:

Simon Carter


Charlotte Firth
Harvard PR

back to top button
back to top button