Contents
- Introduction
- 1. Breaches have become normal in schools
- 2. Phishing still opens the door
- 3. Incident response and backup are still patchy
- 4. Multi-factor authentication and account security are not universal
- 5. Staff cyber training is still inconsistent
- 6. Student insider threats are rising fast
- 7. Legacy systems and unsupported software are still in use
- 8. Supply chain and cloud services are not always governed properly
- 9. DfE cyber security standards are not fully embedded
- 10. Testing and assurance are still limited
- Bringing it together for 2026
Introduction
UK schools have quietly become one of the most heavily targeted sectors for cybercrime. The numbers tell a sobering story.
The government’s Cyber Security Breaches Survey 2025 found that 44 per cent of primary schools and 60 per cent of secondary schools identified at least one cyber breach or attack in the previous 12 months. That’s actually higher than the 43 per cent figure for UK businesses overall. Further education colleges and higher education institutions were hit even more frequently, at 85 per cent and 91 per cent respectively.
At the same time, the Department for Education has updated its cyber security standards for schools and colleges, and the 2025 update to Keeping Children Safe in Education now explicitly reinforces those standards as part of safeguarding.
So the threats are rising and the bar for compliance is rising with them.
Below are the ten biggest cybersecurity gaps we see in UK schools going into 2026, backed by current data and guidance, along with practical steps to close each one.
1. Breaches have become normal in schools
As we highlighted in the introduction, breaches have become extremely common in UK schools, with only primary schools falling below 50 per cent.
And these trends aren’t new. Similar patterns appear in the survey data going back several years, so at this point you have to say that breaches have become normal.
Put simply, a cyber incident in your school is not a rare event. It’s something your organisation should expect and be ready to manage.
How to fix this in 2026
Treat cyber as an operational risk, not just an IT issue. Make cyber risk a standing item for SLT, governors and trustees, in line with the NCSC’s guidance for school leaders.
Define your “crown jewels”. Identify the systems and data that matter most: your MIS, safeguarding records, payroll, assessment data, remote learning platforms and exam materials.
Add cyber to your risk register. Map likely scenarios such as ransomware on the admin network, loss of cloud MIS, or compromise of a staff email account. Document the impact and mitigations for each.
The unfortunate reality is that breaches are inevitable, mostly because of the next point on this list, phishing, and so cyber security should be more focused than ever on preventing breaches from becoming uncontrollable.
Hackers are going to get in, just don’t let them get any further than the front door.
Related Reading: How Multi-Academy Trusts Can Standardise Cyber Security Without Overloading School IT
2. Phishing still opens the door
Among schools that had experienced a breach or attack, phishing was by far the most common incident type. The 2025 Breaches Survey shows it affected 89 per cent of primary schools, 89 per cent of secondary schools and 97 per cent of FE and HE institutions combined.
Other attacks like impersonation and malware sit on top of this, but phishing emails remain the main entry point.
How to fix this in 2026
Run regular phishing simulations and follow up with targeted training, not just one annual session. The Breaches Survey shows that schools which test staff awareness are significantly more proactive than the average business.
Harden your email. Enable anti-phishing and URL protection tools in Microsoft 365 or Google Workspace, and consider the NCSC’s free Mail Check service where appropriate.
Standardise reporting. Make it easy for staff to report suspicious emails with a single “Report phishing” button, then feed what you learn back into training.
Phishing emails are going to be clicked. It’s vital that you employ a system of least privilege: accounts should have access to as little as they need to carry out their work effectively, so that one compromised account cannot reach everything.
Related Reading: Phishing and Social Engineering: A Guide to Protect Higher Education
3. Incident response and backup are still patchy
A cyber attack in a school is primarily a business continuity problem. Yet many schools still have incomplete plans.
The NCSC-backed Cyber Security Schools Audit 2022 found that 78 per cent of schools had experienced at least one incident; 21 per cent had suffered malware or ransomware, 18 per cent had periods where staff couldn’t access important information, 26 per cent had not implemented multi-factor authentication on important accounts, and 4 per cent had no backup facilities at all.
That same audit found that around 50 per cent of schools lack an effective cyber incident response plan, or have plans missing critical details such as access to admin passwords and encryption keys.
How to fix this in 2026
Create a clear incident response plan that covers who leads, who you call, which systems have priority, how you communicate if email is down, and when to involve local authorities, police, the ICO and insurers.
Follow the 3-2-1 backup rule recommended by NCSC-aligned guidance: three copies of important data, on two types of media, with one copy stored offsite or in a separate cloud environment.
Test the plan. Run at least one tabletop exercise a year with SLT and governors so that the first time you work through the plan isn’t during a real attack.
Related Reading: How to Develop an Incident Response Plan
4. Multi-factor authentication and account security are not universal
Despite years of warnings, many schools still rely heavily on passwords alone. The Cyber Security Schools Audit found that 26 per cent of schools had not implemented multi-factor authentication for important accounts.
The 2025 Breaches Survey also shows that unauthorised access by staff or students is a recurring issue, and that takeovers of organisational user accounts are more common in education than in many businesses.
How to fix this in 2026
Make MFA mandatory for staff email, admin accounts, your MIS, remote access solutions and any cloud service that holds sensitive data.
Reduce shared accounts. Move towards named accounts for staff and contractors, with proper joiner, mover and leaver processes.
Tighten password policy and monitoring. Use password filters, monitor for credential stuffing, and enable sign-in risk alerts for unusual locations or impossible travel.
5. Staff cyber training is still inconsistent
Training has improved since 2021, but the picture is still mixed. The Breaches Survey 2025 shows that in the last 12 months, 66 per cent of primary schools and 72 per cent of secondary schools had carried out some form of cyber security training or awareness raising, compared with over 90 per cent of FE and HE institutions.
Many settings still treat training as an occasional compliance exercise rather than an ongoing behaviour change programme.
How to fix this in 2026
Shift from “one and done” to “little and often”. Use short, regular micro-modules for staff, not just an annual inset slide deck.
Include all staff, not only teachers and IT. Office staff, pastoral teams, catering, site and supply staff all handle data or have access to systems.
Tie training into real incidents. Whenever you handle a phishing attempt or data near-miss, anonymise the details and share them as a learning story with staff.
Related Reading: 5 Reasons Why Cyber Security Training is Important
6. Student insider threats are rising fast
In 2025 the Information Commissioner’s Office sounded the alarm: children are increasingly hacking their own schools’ systems.
The ICO analysed 215 personal data breach reports caused by insider attacks in the education sector between January 2022 and August 2024. It found that 57 per cent of these incidents were caused by students. In cases involving stolen login details, students were responsible in 97 per cent of incidents.
These are often framed as dares or “a bit of fun”, but the impact can be serious: manipulation or exposure of safeguarding data, mass deletion of files, or disruption to exams and teaching.
How to fix this in 2026
Segment the network. Make sure pupil devices and accounts are properly separated from admin and safeguarding systems.
Apply least privilege, as mentioned earlier. Students should only have the minimum access required for learning. Remove historic or overly broad access rights.
Treat cyber behaviour as part of safeguarding and behaviour policy. Talk explicitly about hacking, data misuse and digital ethics in PSHE or computing lessons.
Detect unusual activity. Use audit logs to spot patterns such as repeated login attempts, access to staff folders, or large data exports from pupil accounts.
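The patterns listed above (repeated login failures, pupil accounts touching staff or safeguarding folders, large exports), together with the login-failure monitoring recommended under point 4, can be expressed as simple rules over audit logs. The following is an added example, not code from the original article or from any school system; the CSV log format and the sample lines are constructed for illustration, and the thresholds are placeholders that a school would tune to its own MIS and file-server logs.

```python
"""Detection rules over constructed school audit-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (assumed format):
# time,user,role,src_ip,action,resource,result,bytes
SAMPLE_LOG = """\
2026-01-14T08:01:10,jsmith,staff,10.0.5.20,login,portal,ok,0
2026-01-14T08:02:01,pupil042,pupil,10.0.30.7,login,portal,fail,0
2026-01-14T08:02:20,pupil042,pupil,10.0.30.7,login,portal,fail,0
2026-01-14T08:02:41,pupil042,pupil,10.0.30.7,login,portal,fail,0
2026-01-14T08:03:05,pupil042,pupil,10.0.30.7,login,portal,fail,0
2026-01-14T08:03:30,pupil042,pupil,10.0.30.7,login,portal,fail,0
2026-01-14T08:04:00,pupil042,pupil,10.0.30.7,login,portal,ok,0
2026-01-14T08:05:12,pupil042,pupil,10.0.30.7,read,/staff/safeguarding/notes.docx,ok,20480
2026-01-14T08:06:00,pupil042,pupil,10.0.30.7,export,/pupils/year9/results.csv,ok,120000000
2026-01-14T08:06:30,pupil042,pupil,10.0.30.7,export,/pupils/year9/photos.zip,ok,150000000
2026-01-14T08:07:00,jsmith,staff,10.0.5.20,read,/staff/timetable.xlsx,ok,4096
"""

# Placeholder thresholds; tune to the school's own baseline.
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)
EXPORT_THRESHOLD = 200_000_000          # bytes exported per pupil account
STAFF_PREFIXES = ("/staff/", "/safeguarding/")

def parse(log):
    """Yield one dict per log line."""
    for line in log.strip().splitlines():
        t, user, role, ip, action, res, result, nbytes = line.split(",")
        yield {"time": datetime.fromisoformat(t), "user": user, "role": role,
               "ip": ip, "action": action, "resource": res,
               "result": result, "bytes": int(nbytes)}

def detect(log):
    """Return (rule, user) alerts, each fired once per account."""
    alerts, fails, exported = [], defaultdict(list), defaultdict(int)
    for e in parse(log):
        if e["action"] == "login" and e["result"] == "fail":
            # Keep only failures inside the sliding window, then count them.
            fails[e["user"]] = [t for t in fails[e["user"]] + [e["time"]]
                                if e["time"] - t <= FAIL_WINDOW]
            if len(fails[e["user"]]) == FAIL_THRESHOLD:
                alerts.append(("repeated_login_failures", e["user"]))
        if (e["role"] == "pupil" and e["result"] == "ok"
                and e["resource"].startswith(STAFF_PREFIXES)):
            alerts.append(("pupil_accessed_staff_resource", e["user"]))
        if e["role"] == "pupil" and e["action"] == "export":
            before = exported[e["user"]]
            exported[e["user"]] += e["bytes"]
            if before < EXPORT_THRESHOLD <= exported[e["user"]]:   # crossed once
                alerts.append(("large_export_from_pupil", e["user"]))
    return alerts
```

On the constructed log this fires all three rules for pupil042 and nothing for the staff account, which is the kind of triage signal a school IT team can feed into its safeguarding and behaviour process.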
Related Reading: Social Engineering Attacks: Understanding the Psychology Behind It
7. Legacy systems and unsupported software are still in use
Many schools are still running hardware and operating systems that are approaching or past end of support. As products like Windows 10 reach end of support, security vendors are likely to increase costs for extended coverage, whilst the systems themselves become more vulnerable to new exploits.
Attackers actively search for known vulnerabilities on systems that are no longer receiving patches, and education is an attractive target because of budget constraints and long hardware refresh cycles.
How to fix this in 2026
Create a full asset register, as required by DfE digital and technology standards, so you know exactly which devices and systems you have, who uses them and which are near end of life.
Prioritise replacement of unsupported systems that host sensitive data or provide internet-facing services.
Harden what you cannot immediately replace. Restrict legacy systems to segregated network segments, remove direct internet access where possible and lock down accounts.
Related Reading: Legacy Equipment: Understanding the Risks and Challenges
8. Supply chain and cloud services are not always governed properly
Schools increasingly depend on third-party cloud services: MIS vendors, safeguarding platforms, communication tools, finance systems, content filters and educational apps.
The 2025 Breaches Survey notes that whilst education institutions are more active than businesses in reviewing supplier risks, only around 26 per cent of primary schools and 38 per cent of secondary schools have reviewed cyber risks from their immediate suppliers or partners, compared with 69 per cent of higher education institutions.
At the same time, ICO data shows that over 3,000 cyber breaches were reported to the regulator in 2023, with education accounting for 11 per cent of these incidents.
How to fix this in 2026
Maintain a list of all third-party systems that process staff or pupil data, including where data is stored, who has admin access and what happens if the supplier goes offline.
Build basic security checks into procurement. Ask vendors about Cyber Essentials, penetration testing, incident response and data export options before you buy.
Include security clauses in contracts, covering breach notification timescales, right to audit, data retention and support in the event of an incident.
Related Reading: Supply Chain Cyber Attacks: Why Your Supplier’s Problem Becomes Yours
9. DfE cyber security standards are not fully embedded
The DfE’s cyber security standards for schools and colleges are now embedded within the wider Meeting digital and technology standards guidance, and 2025 updates to both that guidance and KCSIE emphasise that these standards exist to help schools improve resilience to cyber attack.
However, there’s still a gap between awareness and full implementation, particularly in smaller schools and stand-alone academies that lack in-house IT security expertise.
How to fix this in 2026
Use the DfE standards as your checklist. Work through each section and rate yourself red, amber or green. Prioritise reds that relate to safeguarding or data protection.
Align with Cyber Essentials where possible. For colleges, Cyber Essentials is now a funding requirement under ESFA, and it offers a useful baseline for schools too.
Report progress to governors and trustees at least once a year, and link it to KCSIE duties so that cyber is seen as part of safeguarding, not an optional extra.
Related Reading: Cyber Essentials vs Cyber Resilience: Moving Beyond Tick-Box Security
10. Testing and assurance are still limited
Many schools have invested in tools such as firewalls, endpoint protection and filtering, yet relatively few are regularly testing how well those controls actually work.
The 2025 Breaches Survey notes that only 23 per cent of primary schools and 31 per cent of secondary schools reported having carried out penetration testing in the last 12 months. By contrast, 65 per cent of FE colleges and 69 per cent of HE institutions had done so.
At the same time, the survey shows that schools which carry out vulnerability audits, testing of staff awareness and penetration testing have a stronger overall security posture.
How to fix this in 2026
Schedule regular vulnerability assessments at least annually, and after major changes to your network or systems.
Use external penetration testing to validate your defences and highlight weaknesses that attackers could exploit, such as misconfigured cloud services, exposed remote access or insecure legacy systems.
Follow up with remediation. The value comes from closing the gaps identified, not just receiving a report.
If you want to take this a step further, once all remediation advice has been actioned, get a second pentest to check whether the fixes have worked.
Related Reading: Penetration Testing: A Comprehensive Guide
Bringing it together for 2026
The good news is that UK education is no longer asleep at the wheel. The latest government data shows that schools are more likely than the average business to have written policies and to be taking some action on risk assessment and technical controls.
The challenge for 2026 is to close the remaining gaps:
- Make breaches a planned-for scenario rather than a surprise
- Address phishing, MFA and backup as non-negotiables
- Take student insider threats seriously
- Bring suppliers, legacy systems and governance into scope
- Move from “we bought tools” to “we test our security and improve it every year”
At Fortifi, this is where we typically partner with schools and multi-academy trusts: combining penetration testing, red teaming and security advisory work with practical, education-specific guidance on what to fix first and how to align those improvements with DfE standards and KCSIE obligations.
If you’d like a school-specific view of where your biggest weaknesses are, and a prioritised plan to fix them, we can help.