Training school staff and governors to prevent cyber attacks

7 August 2023

Human error is the most common cause of security breaches, with research showing that a range of between 52% and 85%  of data breaches were caused by human error. On the DfE’s cyber security standards for schools and colleges they state that “the most common forms of cyber attack rely on mistakes by staff members” and that “basic cyber security knowledge amongst staff and governors is vital in promoting a more risk aware school culture.” 

As discussed in our post featuring 10 cyber security tips, security awareness training should be delivered on a regular basis to help staff become familiar with recognising suspicious emails, along with improving their knowledge of cyber risk. 

DfE cyber security standards for schools and colleges 

The DfE recommend all schools and colleges should implement the cyber security standard as soon as possible. A summary of the guidance is shown below: 

  • Staff must take basic cyber security training every year 
  • New staff members should have cyber security training as part of their induction 
  • At least one current governor must complete the same basic cyber security training 

The DfE recommend training should focus on: 

  • Phishing, spear phishing, smishing and other targeted cyber attacks 
  • Password security and multifactor authentication 
  • Social engineering 
  • The dangers of removable storage media 

How to achieve compliance with the DfE cyber security standards 

Step 1: Deliver the NCSC’s training materials to staff. Either using the NCSC’s presentation (for groups) or the self-learn video (for individuals), both of which are available on the Cyber security training for school staff resources page 

Step 2: Ensure new starters complete the NCSC’s training session as a self-learn video, from their Cyber security training for school staff resources page. 

Step 3: Ensure at least one governor reads and understands the NCSC’s school governor questions.  

Step 4: repeat these steps annually 

Additional steps you can take 

  • In place of step 1 and 2 above, you could hire a cyber security training specialist to deliver a session on cyber security 
  • You could purchase security awareness training packages from a third-party vendor. These packages contain multiple modules of training with centralised progress tracking 
  • You could implement phishing simulation training for all staff. These simulations send spam to your users and generate warnings for those staff that require further training 

RPA cyber cover requirements 

Following the steps above will meet point 2 of the requirements for the DfE’s RPA insurance program. For the full list of requirements, see our post relating to the DfE’s risk protection arrangement


We have listed some key resources below where you can find further guidance from the DfE and resources from the NCSC. 

DfE’s cyber security standards
NCSC – cyber security – all resources
NCSC – cyber security – training resources 
NCSC – resources to print 

How we can help 

We work with a range of schools, MATs and colleges, implementing projects and processes that meet and exceed the DfE’s cyber security standards across all the requirements, including network security, endpoint protection, business continuity, disaster recovery and multifactor authentication. You can contact us today to see how we can help. 

Share this post

Work with us

One of our dedicated IT experts will be in touch:

Let us call you back

DD slash MM slash YYYY
By clicking the submit button below, you consent to Primary Technology storing and processing the personal information submitted in this form to respond to your enquiry.
This field is for validation purposes and should be left unchanged.