School cyber security: a practical guide

Cyber security can feel like a subject designed to make you feel behind. This guide cuts through it for the people who run schools: what the real risks are, why schools get targeted, and what sensible protection looks like, without the jargon or the scare tactics.

Why schools are a target

Schools are an attractive target for reasons that have nothing to do with how interesting they are. You hold a lot of personal data on students, families and staff. You often run lean on IT. And you're under pressure to keep things open and accessible, which pulls against locking them down. Attackers know all of this. They're not singling your school out; they're running automated attacks at scale, and under-protected organisations are the ones that get caught.

The threats that actually hit schools

A handful of things cause most of the damage:

  • Phishing: a convincing email that tricks a staff member into handing over a password or clicking something they shouldn't. Still the most common way in.
  • Ransomware: software that locks up your files and demands payment. For a school, that can mean losing access to reports, rolls and systems mid-term.
  • Account takeover: once one staff login is compromised, an attacker can move through email, files and systems as that person.
  • Business email compromise: a fake but believable email, often about an invoice or bank details, aimed at getting money sent to the wrong account.

None of these are exotic. They're everyday, and they're preventable.

What good cyber security looks like for a school

You don't need a military-grade setup. You need the fundamentals done properly and kept current: multi-factor authentication on every account, staff who can spot a dodgy email, systems and software kept up to date, tight control over who has admin access, and backups you've actually tested. The Australian Cyber Security Centre packages the core of this as the Essential Eight, which is the clearest standard to work towards.

Where schools usually go wrong

The common mistakes aren't dramatic.

  • Multi-factor authentication switched on for some accounts but not all.
  • Backups that exist but have never been restored to check they work.
  • Too many people with administrator access.
  • Updates left until someone gets around to them.
  • No one clearly responsible for security, so it falls through the cracks.

Each one is straightforward to fix once you can see it.

Where to start

If you're not sure where your school stands, our two-minute Essential Eight readiness check will give you a score and show you the gaps to focus on first. Or book a school IT review and we'll walk through it with you.