Cybersecurity is Now Safeguarding - Understanding the 2025 Guidance Game-Changer

This is part 2 of our week-long series based on The Small Business Cybersecurity Guy podcast. This episode is sponsored by Authentrend, providers of FIDO2-certified security keys for robust multi-factor authentication.


The Moment Everything Changed

On September 1st, 2025, something fundamental shifted in UK education. The new Keeping Children Safe in Education (KCSIE) guidance made cybersecurity officially a safeguarding issue. Not just an IT problem. Not just a compliance checkbox. A statutory safeguarding responsibility.

This changes everything from a compliance perspective, and yet many schools remain completely unaware.

What the 2025 Guidance Actually Says

The 2025 KCSIE guidance explicitly mentions taking appropriate actions to meet the Cyber Security Standard as part of schools' safeguarding responsibilities. Paragraph 144 clarifies that the cybersecurity standards were developed to help schools improve their cyber resilience.

For the first time, cybersecurity is woven into safeguarding guidance. The guidance now mentions filtering and monitoring, generative AI considerations, and crucially, links to the September 2024 guidance "Plan technology for your school."

As one safeguarding expert noted: "The guidance now mentions taking appropriate actions to meet the Cyber Security Standard as part of schools' safeguarding responsibilities. That changes everything from a compliance perspective."

Why This Matters More Than You Think

When you frame it as "are you keeping children safe?" rather than "do you have good IT security?" you get very different responses from school leaders. Nobody wants to be the head teacher who has to explain to governors, Ofsted, or parents that a safeguarding failure occurred because of poor cybersecurity.

The Kido breach provides the perfect example. With 8,000 children's data stolen and posted online, this is now officially a safeguarding failure under the guidance, not just an IT incident.

As the discussion highlighted: "So the Kido breach, 8,000 children's data stolen and posted online, that's now officially a safeguarding failure under this guidance, not just 'oh dear, we got hacked.'"

What Schools Cannot Overlook

Schools can ignore IT recommendations. They can say "no budget, we'll get to it eventually." But they cannot overlook safeguarding. It's one of the three things schools actually respond to: Ofsted, safeguarding, and other schools.

Until there's a legal requirement with teeth, schools will continue to discover these gaps the hard way.

The Three-Part Framework

The guidance operates on three levels:

  1. Ofsted inspections - Schools are already being asked about cybersecurity in Ofsted inspections

  2. Safeguarding responsibilities - Governors need to prioritize cyber as part of safeguarding oversight

  3. Staff training - Teaching assistants, admin staff, and sometimes even IT technicians don't have proper security training

What Governors Need to Understand

If you're on a governing body and you're not asking about the Cyber Security Standard, you're potentially failing in your safeguarding oversight. That's serious.

The guidance is clear: governors need to understand this.

As one expert emphasized: "Right, speaking of legal requirements with teeth, Tammy, you wanted to talk about something that happened earlier this year that we didn't cover in Part 1. Something about safeguarding?"

The Reality Check: Schools That Ignore This

Most schools won't even be aware of the repository issue from the Kido breach. They'll hear "Kido got hacked" on the news and won't see the VX-Underground post or understand the technical details. They won't know to ask "do we have repositories somewhere?"

Many schools will think "that's terrible" but won't connect it to their own situation because:

  • Unless it happens to them directly or becomes a legal requirement, many will think "that's terrible" and carry on as usual

  • Most schools don't have the resources or expertise to conduct proper security audits

  • The safeguarding link needs to be enforced for schools to take action

Honestly? Either Make It Statutory with Ofsted Inspections or Wait for Enough Schools to Get Breached

The hard truth is that the issue becomes impossible to ignore once enough schools get breached that action becomes politically or legally required.

One expert noted: "Honestly? Either make it statutory with Ofsted inspections, or wait for enough schools to get breached that it becomes impossible to ignore. I hope it's the former rather than the latter. The safeguarding link in the 2025 guidance gives us hope, but it needs to be enforced."

What Schools Should Do Right Now

Immediate Governance Actions:

  1. Review the 2025 KCSIE guidance - Specifically look at paragraph 144 on cybersecurity standards

  2. Add cybersecurity to safeguarding meetings - Make it a standing agenda item, not a one-off discussion

  3. Ask the key questions:

    • Are we meeting the DfE Digital Standards on our behalf?

    • Do we have MFA enabled for everyone?

    • Do we have any custom software? If so, where is the code stored?

    • When were our credentials last rotated?

  4. Ensure the governing body understands - The school business manager often ends up coordinating this, but ultimately it's a whole-school responsibility

For Senior Leadership:

  • Understand that cybersecurity is now officially part of safeguarding

  • Budget accordingly - this isn't optional anymore

  • Get proper IT support to actually implement the recommendations

  • Don't wait for Ofsted to ask before taking action

The DfE Digital Standards

The standards are very clear. It's up to the organization, the school, to ask the questions: "Are we meeting this standard? How do we meet this standard?" Your IT provider should help you meet the standards. However, the responsibility for verification remains with the school leadership.

Ideally, the governing body should have a digital lead. The head teacher and senior leadership need to be asking the questions. The school business manager often ends up coordinating it, but ultimately, it's a whole-school responsibility.

Will This Actually Change Behavior?

There's light at the end of the tunnel now that it's in the guidance dated 1st of September, 2025. Paragraph 144 clearly states schools should implement cybersecurity standards now. However, most schools are not yet aware of it.

Exactly. Which is why I keep saying this needs to be statutory. Until there's a legal requirement with teeth, schools will continue to discover these gaps the hard way. Or worse, not discovering them at all until they're breached.

Most schools won't realize they need to change until inspections occur or a breach happens to them. They may not connect the dots. But they need to hear from people like Tammy: "Because the alternative is being the next Kido, and nobody wants to ask their child's school what security they actually have in place."

The Bottom Line

Cybersecurity is no longer just an IT issue. It's safeguarding. It's statutory. And schools that ignore this do so at significant risk to the children in their care and their own reputations.

The 2025 guidance provides the framework. Now it's up to schools, governors, and parents to ensure it's actually implemented before the next breach makes headlines.

Key Takeaways

  • The 2025 KCSIE guidance explicitly links cybersecurity to safeguarding

  • Schools can no longer dismiss cybersecurity as "just an IT problem"

  • Governors have a statutory duty to ensure cyber standards are met

  • The guidance provides a framework, but enforcement and awareness remain challenges

  • Schools should act now rather than wait for Ofsted or a breach
