Your Governors Are a Cyber Attack Waiting to Happen — Here’s the Proof
- Feb 24
Schools across the UK are being hit by ransomware, data breaches, and Ofsted failures. In almost every case, the same root cause appears: a governing board that didn’t know what it didn’t know.

In September 2024, Fylde Coast Academy Trust in Blackpool was hit by a ransomware attack carried out by the Rhysida group — a criminal gang believed to originate from Russia. The attack infected the IT infrastructure of all 10 schools in the trust, cutting off access to computers, laptops, printers, even photocopiers. Staff reverted to paper registers and textbooks. Full restoration of systems took several weeks. The hackers demanded a ransom of £1.2 million, threatening to sell stolen staff data — including names, addresses, national insurance numbers, and bank details — on the dark web.
The governors were not negligent people. They were a well-intentioned board — with a dangerous blind spot.
That blind spot has a name: untrained governors.
The World Has Changed. Governance Hasn’t Kept Up.
School governance has transformed faster than most boards have been able to absorb. Technology now sits at the centre of safeguarding, financial planning, Ofsted readiness, and the daily wellbeing of staff and pupils.
Yet the majority of governing boards still treat IT and cyber security as background noise — something “the IT person handles”. A box on an agenda. A report they nod through.
That approach isn’t just outdated. In 2026, it’s a liability. Here’s what’s actually at stake.
The Threats Are Real, and They’re Getting Worse
1. Cyber Attacks Are Hitting Schools Every Week
The Government’s own Cyber Security Breaches Survey 2025 — published by the Department for Science, Innovation and Technology — found that 60% of secondary schools and 44% of primary schools identified a cyber breach or attack in the last 12 months. Secondary schools are now more likely to suffer an attack than the average UK business.
Phishing is the most common entry point, identified by 89% of secondary schools and 92% of primary schools that experienced a breach. But the consequences go far beyond a suspicious email. The Fylde Coast Academy Trust attack is one of many documented examples of ransomware causing multi-week disruption across entire trusts.
When governors aren’t trained on cyber risk, the consequences stack up quietly:
• Outdated systems stay in place because no one on the board knows to challenge them
• Backups are assumed to be working — because nobody has asked for evidence they’ve been tested
• The school drifts away from DfE cyber security standards without realising it
And when an attack does happen, the consequences are severe: lost data, weeks of disrupted learning, reputational damage, and significant recovery costs.
2. Safeguarding Is Now a Digital Responsibility
Keeping Children Safe in Education is explicit. Governors are expected to understand the digital risks pupils face — not just the pastoral ones. Filtering, monitoring, AI misuse in classrooms, harmful online behaviour: these all fall under the safeguarding umbrella.
Ofsted inspectors now ask governors directly about the school’s approach to online safety — including whether governors understand how the school’s monitoring solution is used, and how the school educates pupils about digital risks. Without training, governors cannot answer those questions with confidence. Weak responses are recorded.
Digital safeguarding failures are becoming a documented cause of negative inspection outcomes. This is not a future risk. It is happening now.
3. GDPR Enforcement Is No Longer Theoretical
Schools hold some of the most sensitive personal data that exists: medical records, safeguarding files, family information, financial details. Governors play a critical role in ensuring it is stored, shared, and disposed of correctly.
The Information Commissioner’s Office has taken formal action against schools for exactly these failures. In December 2023, Finham Park Multi Academy Trust in Coventry was formally reprimanded after an unauthorised third party used compromised credentials to access and encrypt its systems — exposing data on 1,843 people. The ICO noted that this was a repeat offence: the trust had been warned three times previously and failed to act on the guidance it received each time.
A separate ICO reprimand was issued to Chelmer Valley High School for introducing facial recognition technology for cashless catering without first completing a Data Protection Impact Assessment — a basic legal requirement.
“Someone else is dealing with it” is no longer an acceptable position — legally or reputationally.
4. Ofsted Now Asks Governors Directly About Digital
Published Ofsted guidance confirms that inspectors ask governors specific questions about cyber security, online safety strategy, infrastructure reliability, and how digital safeguarding is monitored. Governors who cannot answer with confidence — or who rely on “I’ll have to check with our IT person” — leave an impression that is noted in inspection records.
Weak digital oversight reflects on leadership as a whole. Inspectors do record it.
5. The DfE’s 2030 Digital Standards Are Not Optional
The Department for Education’s Digital and Technology Standards set clear expectations across broadband resilience, network management, Cyber Essentials alignment, filtering and monitoring, and digital leadership. Schools are expected to be working towards full compliance by 2030.
Without a board that understands what those standards require, schools drift off track — often without realising it until a visit, a breach, or a budget crisis makes the gap impossible to ignore.
6. Poor IT Oversight Is Costing Schools Money
Most governors significantly underestimate the financial risk of weak IT oversight: unplanned hardware failures, software running on unsupported systems, licensing sprawl, reactive device replacement at crisis point rather than through a planned procurement cycle.
A board with no IT training isn’t just a governance risk. It’s an ongoing and entirely avoidable financial drain.
What Good Training Actually Changes
The goal is not to turn governors into IT experts. It’s to give them enough confidence and clarity to ask the right questions, challenge the right decisions, and recognise when something isn’t good enough.
At The Tech Shepherd, that’s exactly what we focus on. No jargon. No unnecessary technical depth. Just practical, governor-specific training built around real schools and real situations.
Boards we work with come away able to:
• Challenge SLT on cyber risk — with evidence
• Explain how digital safeguarding is monitored in their school
• Hold a confident conversation with Ofsted about IT strategy
• Understand their GDPR responsibilities well enough to spot a problem before it becomes a formal complaint
• Build and oversee a realistic, costed IT plan that stops technology spending from becoming a series of unpleasant surprises
That’s not a small shift. For many schools, it’s the difference between resilience and serious risk.
The Question Worth Asking Your Board Today
Could your governors confidently answer an Ofsted inspector’s questions about your school’s approach to cyber security?
Could they explain, with evidence, how digital safeguarding is monitored?
Could they tell you when the backups were last tested?
If the answer to any of those is “I’m not sure”, the gap is real — and the right training closes it faster than most boards expect.
The Tech Shepherd provides governor training on cyber security, digital safeguarding, GDPR, DfE Digital Standards, and IT strategy. Sessions are tailored specifically for governing boards, delivered in plain English, and built around practical oversight rather than technical detail.
Sources:
Cyber Security Breaches Survey 2025, DSIT — gov.uk/government/statistics/cyber-security-breaches-survey-2025
Fylde Coast Academy Trust ransomware attack (September 2024) — Reported by Blackpool Gazette, Computing, and EM360Tech
ICO Reprimand: Finham Park Multi Academy Trust (December 2023) — ico.org.uk/action-weve-taken/enforcement/finham-park-multi-academy-trust
ICO Reprimand: Chelmer Valley High School (facial recognition/DPIA failure) — ico.org.uk/action-weve-taken/enforcement
Keeping Children Safe in Education 2024 — gov.uk/government/publications/keeping-children-safe-in-education--2
DfE Digital and Technology Standards — gov.uk/guidance/digital-and-technology-standards-for-schools-and-colleges