top of page

If in doubt, call it out – cyber security training for schools

Updated: Aug 29, 2021

Following a number of recent ransomware attacks on school's across the UK, The National Cyber Security Centre (NCSC) – a part of GCHQ – has released free cyber security training for school staff. The training sets out real-life incident case studies and four practical steps staff can take to protect themselves online.

The resource is the latest package of support the NCSC has offered the schools sector to improve cyber resilience, and follows an updated alert issued last month to help education establishments in the wake of a rise in ransomware attacks. The resource includes:

  • Free cyber security training for school staff released by the National Cyber Security Centre (NCSC) to boost resilience

  • New resource sets out four steps for staff to follow to help mitigate cyber incidents, including ransomware attacks

  • Case studies show impact of incidents, such as schools losing substantial sums of money and access to critical systems for weeks

The training, available from the NCSC website, shines a light on the main threats schools face and outlines the severe impact cyber incidents can have, with one case study showing how a school lost a substantial sum in school fees after reception staff fell victim to a phishing scam.

The training package is designed to be accessible by any staff member, regardless of role or technical knowledge, and is available as a scripted presentation.

The four steps for school staff are being encouraged to follow are:

1. Defend against phishing attempts: Reduce the information available about you, check for anything that looks suspicious, don’t be embarrassed to ask for help.

2. Use strong passwords: Choose three random words for your passwords, have a separate password for your work account, switch on two-factor authentication where possible, keep passwords secure by saving them to your browser.

3. Secure your devices: Don’t ignore updates, only download software and apps from official app stores, put a screen lock on devices (password, PIN, etc), if necessary only use school-issued USB sticks.

4. If in doubt, call it out: Report anything suspicious as soon as possible and do not be afraid to flag up IT security policies that make your job difficult.

Once the training has been completed staff members can download a certificate which indicates they have taken part.

The case studies based on real cyber incidents include:

  • Administration staff at a school falling victim to a phishing email scam asking for contact details of pupils’ parents. Cyber criminals tricked parents into redirecting school fees, leading to a substantial sum being stolen and parents’ details being sold on the dark web.

  • An unencrypted school USB, which contained details about thousands of pupils, being taken outside of the school and subsequently lost. It was only returned when a member of the public found it by chance.

  • A teacher writing their password on a post-it note stuck to their laptop, which allowed a pupil to gain access to their computer. As the same password was used for multiple accounts, the pupil could access more than 20,000 records and change their grades. The school was disciplined by the Information Commissioner’s Office.

The launch of the training builds on a raft of support given to schools since research commissioned by the NCSC in 2019 found 92% of UK schools would welcome more cyber security awareness training for staff.

Additional tailored guidance and advice can be found in a dedicated area on the NCSC website. Resources include questions for schools’ governing bodies to ask school leaders to help improve understanding of cyber risks, as well as cyber security practical tip cards for schools.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page