Cyber Risk and AcademIES: What the DfE Expects and How Trusts Should Respond
Cyber risk is no longer a technical issue confined to school IT teams. For academy trusts, it’s now a clear governance, financial and operational priority. Ransomware and phishing attacks on schools are increasing, placing greater pressure on systems and staff. At the same time, the need to ensure robust cloud security for pupil and teacher data means the challenges facing trusts today are far more complex, both technically and operationally, than they were even a few years ago.
The Academy Trust Handbook makes clear that trusts must maintain effective systems of internal control, risk management and oversight. Increasingly, that includes how academy cyber risks are identified, managed and reported.
This aligns with the broader shift across the sector towards greater accountability, transparency and demonstrable control. You can read more about that shift in this recent article about the Academies Accounts Direction 2025/26.
I recently joined academies specialists, Andy Jones and Glen Bott along with Julia Harnden from ASCL at CP’s annual event for Academy Business Leaders. We talked attendees through the key changes in the latest iteration of the guidance including cyber security best practice for schools.
What the Academy Trust Handbook Says About Cyber Risk
While the Handbook doesn’t prescribe detailed technical controls, it sets clear expectations around risk management and governance that directly apply to cyber security. It also makes clear that trusts must work towards meeting the Department for Education’s (DfE) core Digital and Technology Standards by 2030 (Published 2022, updated 10 June 2026.
At its core, trusts must:
- identify and manage key risks to public funds and operations
- maintain effective internal control frameworks
- ensure trustees have oversight of risk and assurance processes
- implement robust internal scrutiny arrangements
Cyber risk sits squarely within these requirements.
In practice, this means trusts should be able to demonstrate:
- that cyber risk is recognised as a significant organisational risk
- that it is actively considered at board level
- that controls and mitigations are in place and regularly reviewed
- that assurance over these controls is obtained through internal scrutiny or audit
The key expectation is not technical perfection, but evidence of informed oversight and effective management.
A Shift in Expectations: From IT Issue to Strategic Risk
One of the strongest themes from recent sector discussions is a clear shift:
Cyber security is no longer viewed as an IT problem. It’s a core strategic risk with governance accountability.
Trusts are increasingly expected to:
- treat cyber threats in the same way as financial or safeguarding risks
- embed cyber considerations within risk registers and board reporting
- link cyber resilience to wider business continuity and operational planning
This reflects the reality that a cyber incident can:
- disrupt learning across multiple schools
- compromise sensitive pupil and financial data
- trigger significant financial and reputational damage
The question is no longer if an incident might occur, but how well prepared a trust is to respond.
Key Challenges Academy Trusts Are Facing
1. High Exposure to Risk
Academy trusts are particularly vulnerable due to:
- large volumes of sensitive data
- less sophisticated IT environments
- reliance on shared or centralised systems
- dependence on third-party providers
These factors make the sector an attractive target, with risks amplified by system complexity and accessibility.
2. People, Not Technology, Are the Weakest Link
A consistent message from the sector is clear:
Human behaviour is the primary vulnerability.
Phishing attacks and social engineering remain the most common entry points. Even with strong technical controls, risks persist if staff are not equipped to recognise and respond.
Effective approaches include:
- regular staff training and awareness programmes
- clear escalation routes for suspected incidents
- fostering a no-blame reporting culture
The strongest control is an informed and confident workforce.
3. Preparedness Is as Important as Prevention
Trusts are increasingly judged on how they respond to incidents, not just how they try to prevent them.
Common weaknesses include:
- unclear response plans
- lack of defined responsibilities
- poor communication during incidents
More resilient organisations:
- maintain simple, well-understood incident response plans
- test scenarios through exercises
- define clear communication protocols
This reflects a broader expectation within governance frameworks: resilience must be planned, not improvised.
Third-Party and Supply Chain Risk
Cyber risk increasingly extends beyond the trust itself. Many academy trusts rely on:
- outsourced IT providers
- MIS and finance systems
- external service providers
However, due diligence over supplier controls is often limited.
At the same time, the DfE is placing greater emphasis on procurement and value for money, meaning trusts must balance:
- cost efficiency
- compliance
- security assurance
This makes supplier oversight a governance issue as well as a technical one.
What “Good” Looks Like in Practice
Bringing together Handbook expectations and sector insights, leading trusts are taking a more structured approach to cyber risk.
That typically includes:
Governance and Oversight
- Cyber risk clearly defined on the risk register
- Regular reporting to trustees
- Evidence of challenge and discussion at board level
Controls and Assurance
- Documented policies and procedures
- Alignment with recognised frameworks where appropriate
- Internal scrutiny or audit testing of controls
Culture and Capability
- Ongoing staff training and awareness
- Clear guidance on identifying and escalating threats
- Leadership emphasis on openness and early reporting
Preparedness and Resilience
- Incident response plans
- Business continuity planning
- Regular testing of scenarios
Across all of these areas, the common thread is evidence. Trusts must be able to show not just that controls exist, but that they are understood, embedded and effective.
The Growing Link to Reporting and Accountability
Cyber risk is also beginning to influence external reporting expectations.
As reporting frameworks evolve, there is an increasing expectation that trusts will:
- include cyber risk within broader risk and resilience disclosures
- reflect how leadership manages emerging threats
- demonstrate organisational readiness and response capability
This links directly to the wider shift in reporting:
From listing risks to explaining how those risks are understood, managed and mitigated in practice. We explore this shift further in our article on the Academies Accounts Direction 2025/26. [link]
Final Thoughts: Cyber Risk as a Test of Governance
Cyber risk brings together many of the expectations now placed on academy trusts:
- strong governance
- effective internal control
- informed decision-making
- organisational resilience
It is also a live test of whether these frameworks work in practice.
Trusts that succeed are those that move beyond compliance and focus on:
- clarity of roles and accountability
- proactive planning
- continuous improvement
- a culture that supports early action
In a more demanding and uncertain environment, cyber resilience is no longer optional. It is a core part of demonstrating strong stewardship and leadership.
Ready to strengthen your approach to cyber risk?
If you’re reviewing how cyber risk fits within your governance, internal scrutiny or reporting frameworks, now is the time to act. Getting this right isn’t just about compliance with the Academy Trust Handbook. It’s about protecting your operations, your data and ultimately the pupils you serve.
If you’d like to sense-check your current approach, strengthen your controls or ensure your board has the right oversight and assurance in place, get in touch with our academies team. We’d be happy to talk through your challenges and help you move forward with confidence.