Physical security and cyber security are increasingly two sides of the same coin. A school or public sector body that has invested in excellent CCTV, access control, and intruder alarms but whose network is poorly secured has left a significant door open. This article is a governance-level overview of the cyber security basics that every school, council, and public body should have in place, and the legal context that makes getting them right a statutory obligation rather than a good idea.
Schools, councils, NHS trusts, and local authorities hold significant volumes of personal data: pupil records, resident information, employee files, medical records, financial data. This data has value to criminals, and public sector organisations are often perceived as softer targets than large private sector companies — less well-resourced for cyber security, operating legacy systems, and reliant on staff who have not always received adequate training.
The threat is not primarily from sophisticated state-sponsored actors. It is from opportunistic criminal groups using widely available tools to exploit common vulnerabilities: unpatched software, weak passwords, staff who click phishing links, and systems that have never been properly secured because no one made it a priority. These vulnerabilities can be addressed with relatively modest investment in the right places.
UK GDPR places an explicit obligation on organisations to implement appropriate technical and organisational measures to protect personal data. For schools, councils, and public sector bodies, this is not optional — it is a statutory requirement. A cyber incident resulting in the exposure of personal data is a notifiable breach under GDPR if likely to result in a risk to the rights and freedoms of individuals. Failure to have appropriate security measures in place is an aggravating factor in any ICO investigation.
The Cyber Essentials scheme, backed by the National Cyber Security Centre, provides a clear baseline standard demonstrating an organisation has addressed the most common vulnerabilities. Some contracts — particularly central government contracts and NHS procurement — require Cyber Essentials certification.
Patching and updates. Unpatched software is the most common entry point for cyber attackers. Operating systems, applications, and firmware on network devices all require regular updates to address known vulnerabilities. Establish a patching schedule and stick to it — including your security systems, which run on network-connected hardware that is as vulnerable as any other.
Access control and strong authentication. Every user account should have the minimum permissions required to do its job. Administrative accounts should be used only for administrative tasks. Multi-factor authentication should be enabled on all accounts that access personal data or administrative systems — this single measure prevents the majority of credential-based attacks.
Malware protection. Current, properly configured antivirus and malware protection on all devices. This is a baseline, not a complete solution, but a system without it is exposed to threats that have been well understood for decades.
Network configuration and firewalls. A properly configured firewall, secure Wi-Fi with separate networks for staff, pupils or residents, and security devices, plus blocking of unnecessary external connections. Many schools and councils have networks configured years ago and never reviewed.
Secure backups. Regular, tested, encrypted backups stored separately from the primary network. Ransomware attacks encrypt operational data and demand payment for the decryption key; an organisation with clean, current backups can recover without paying.
Technology measures are only effective if the people using the systems understand their role in security. Phishing — emails designed to trick staff into revealing credentials or downloading malware — remains the most common initial attack vector. Staff training that helps people recognise suspicious emails and know who to contact when something does not look right is a more effective security investment than many technical measures.
Our wireless network installations are designed with security built in — segmented networks for security devices, strong authentication, and configurations meeting the requirements of education and public sector environments.
Get in Touch →