When I first started working in school IT, cybersecurity was often an afterthought. It was bolted on after a system was built, or a line in a policy document that few people read. Fast forward to today, and it’s (thankfully) clear that era is over.

Ransomware, phishing, and data breaches have forced every Multi-Academy Trust (MAT) to think differently. When major organisations like Jaguar Land Rover and Marks & Spencer fall victim to cyberattacks, it’s a sobering reminder that even those with vast resources can be caught off guard. For schools, with finite budgets and growing digital dependencies, the stakes are equally high.

We may not hold trade secrets, but we safeguard pupil data, staff records, and sensitive personal information. Losing access to any of that, even briefly, can bring teaching and learning to a halt.

This isn’t just theoretical. The State of School Cybersecurityreport by Secure Schools, one of the companies at the forefront of school cybersecurity’s evolution, found that fewer than 40% of schools have an incident response plan, and only around 15% have a designated cybersecurity lead. Those numbers tell a clear story, risk is widespread, but readiness is patchy.

But over my years in education, I’ve seen a quiet but significant transformation take place across trusts, and one that gives me real optimism for the future.

From IT issue to leadership agenda

The biggest change hasn’t been technical, it’s cultural. Cybersecurity has finally become a leadership conversation. Boards are asking sharper questions, CFOs are factoring digital risk into financial planning, and CEOs recognise that a cyber incident isn’t just an operational inconvenience, it’s a bonafide safeguarding concern.

When cybersecurity is treated as part of governance rather than a technical side project, the whole organisation shifts. Schools begin to view resilience in the same way they view health and safety, as a shared responsibility with clear lines of accountability.

From fragmented systems to clear visibility

A few years ago, most trusts didn’t have a full picture of their digital estate. Each school might use its own devices, cloud tools, and third-party apps, often without central oversight or a real understanding of their full technology stack.

That’s changing fast. Across the sector, we’re seeing trusts carry out full digital inventories, map dependencies, and create central registers for hardware and software. At Astrea, this work was transformational. We introduced standard device naming conventions, tracked which systems were still supported, and began holding suppliers accountable for updates and data protection.

It’s not glamorous work, but it’s foundational and really important. Every cyber incident I’ve seen has started with something small and forgotten. Visibility is the first step to control.

From awareness to culture

Staff training used to mean an annual video and quiz. Now, forward-thinking trusts are embracing phishing simulations, scenario-based training, and open conversations about mistakes, with companies like Secure Schools and KnowBe4 building products specifically for schools and trusts.

The rise of AI-generated phishing emails has raised the bar, but also sharpened awareness. The goal isn’t to spark fear or to point fingers, it’s the way a positive culture is built. When teachers and office staff can spot a spoofed email with the same confidence they’d challenge a safeguarding concern, that’s when real resilience takes root.

From plans on paper to plans in practice

Finally, I’ve learned that no plan survives contact with reality. Writing an incident response plan is one thing; testing it is another.

More MATs are now running tabletop exercises with leadership teams, rehearsing who does what when systems go down, how communication flows, and what the recovery priorities are. It’s all about preparedness. A plan that’s been tested and refined will always outperform one that sits in a shared drive.

What comes next

None of this guarantees safety. But it does guarantee readiness, and that’s progress. We’ve moved from reacting to cyber risk to actively managing it.

For trusts, cybersecurity is no longer just about devices and networks. It’s about continuity of learning, public confidence, and good governance.

As one headteacher recently told me, “We used to see cybersecurity as something to get through. Now we see it as something that keeps us going.”

And that’s the shift that gives me hope for the sector’s digital future.