Resources and Practical Steps - What Schools Can Actually Do Right Now
This is part 4 of our week-long series based on The Small Business Cybersecurity Guy podcast. This episode is sponsored by Authentrend.
Moving from Awareness to Action
We've covered the Kido breach, the 2025 safeguarding guidance, and the MFA reality check. Now it's time for the practical question: what should schools actually do? Where do they start?
The good news: You don't need enterprise-grade SIEM solutions. You need practical, accessible guidance written specifically for schools with no IT budget and maybe one part-time technician.
Start with the NCSC Cyber Assessment Framework
The National Cyber Security Centre has created the Cyber Assessment Framework (CAF) specifically for small businesses and schools. It's guidance and best practice written in accessible language, not technical jargon.
As one cybersecurity expert noted: "Yes, the NCSC, National Cyber Security Centre, has created the Cyber Assessment Framework specifically for small businesses and schools. It's guidance and best practice written in accessible language, not technical jargon. Mauven, did you use this framework in your former life?"
The CAF is brilliant. It's designed to be practical. Not "implement enterprise-grade SIEM solutions," more like "here's how to think about security at your scale." It's exactly what small organizations need.
The Essential Elements
The CAF encompasses aspects such as user access control, incident management, and supply chain security. And it's free. A school business manager can work through it, though you'll probably need IT support to actually implement the recommendations.
What the CAF Covers:
User access control
Incident management
Supply chain security
Risk assessment
Asset management
Security monitoring
What About the MFA Problem?
Schools that are struggling with phone-based authentication should discuss alternatives with their IT provider: hardware tokens, authenticator apps on shared devices. There are solutions, but you need to actively ask for them. Don't let the phone rule be an excuse for not having MFA enabled. If it's not set for everyone with system access, you're not protected.
For the phone policy conflict, FIDO2-certified hardware security keys offer an elegant solution. These small devices (available from providers like Authentrend, Yubico, and others) work without phones, can be worn on lanyards, and satisfy both security and safeguarding requirements. They're often more user-friendly than phone-based MFA for staff who aren't tech-savvy.
As one expert emphasized: "Schools that are struggling with phone-based authentication? Tammy, you work with schools on this every day. Discuss alternatives with your IT provider: hardware tokens, authenticator apps on shared devices. There are solutions, but you need to actively ask for them. Don't let the phone rule be an excuse for not having MFA enabled. If it's not set for everyone with system access, you're not protected."
The GitHub Audit Issue
And the GitHub issue? How do schools check whether they have any exposed code repositories?
Step-by-Step GitHub Audit:
Begin by identifying any custom software you currently use - A simple test: if two systems or applications are exchanging data, and that link is not a documented feature of either product, there is almost certainly custom code (middleware) sitting between them. That custom code is what you need to look for in public repositories.
Use GitHub's search functionality - It doesn't cost anything; you just need to know how to look. That's why schools need to audit everything: every platform, every integration, every custom script. Everything that touches children's data.
Look for organizational repositories - Search for your school or organization name.
Check personal accounts - Former staff may have created repositories under personal accounts that still contain school credentials.
Examine third-party applications - Middleware may be a third-party application you pay for, in which case there should be a paper trail (invoices, contracts), or it may be custom code. If it's custom code, someone wrote it, so there should still be a paper trail: an invoice, a contract, or a named developer, current or former.
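As an added example, not from the podcast or any of the page's sources, here is a small Python script that scans a checked-out repository for the kinds of hard-coded credentials the audit above is looking for (database passwords, connection strings, API tokens, private keys). The patterns and the sample config are constructed for illustration; a real audit should combine this with a dedicated secret scanner and GitHub's own search.

```python
import os
import re
from pathlib import Path
# Credential shapes commonly committed by mistake (constructed, not exhaustive); the first matching pattern labels a line.
SECRET_PATTERNS = [
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("connection string", re.compile(r"(?i)(Server|Data Source)=[^;]+;.*?(Password|Pwd)=([^;\s\"']+)")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic api key", re.compile(r"(?i)(api[_-]?key|secret[_-]?key|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})")),
    ("password in config", re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{6,})")),
]
SKIP_DIRS = {".git", "node_modules", "__pycache__"}  # directories not worth scanning
# Constructed sample config used by the self-test; none of these values are real credentials.
SAMPLE_CONFIG = """DB_HOST=db.example.school
DB_PASSWORD=Summer2024!
conn = "Server=sql01;Database=mis;User Id=sa;Password=Hunter2Hunter2;"
api_token: "abcdef0123456789abcdef"
aws_key = AKIA0123456789ABCDEF
"""
def mask(value):
    # Keep only the first three characters so the report itself does not leak the secret.
    return value[:3] + "*" * max(0, len(value) - 3)

def scan_text(text, path="<text>"):
    # Return at most one finding per line that looks like a hard-coded credential.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if m:
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append({"file": path, "line": lineno, "type": label, "sample": mask(secret)})
                break
    return findings

def scan_repo(root):
    # Walk a checked-out repository and scan every readable text file.
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            file_path = Path(dirpath) / name
            try:
                text = file_path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file (permissions, special file); skip it
            findings.extend(scan_text(text, str(file_path.relative_to(root))))
    return findings
```

Run `scan_repo(".")` from inside a cloned repository to get a list of masked findings with file and line number; anything it reports should be treated as a credential to rotate, not just delete from the repo, since the history may already have been cloned.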
It's Overwhelming, Which Is Why This Needs to Be Statutory with Proper Funding
Until it's inspected by Ofsted or explicitly required by law with consequences, it'll remain optional in practice for many schools. The safeguarding link gives us weight now, and that may well be the turning point, because schools cannot ignore safeguarding.
What Parents Should Be Asking
Parents now have legitimate safeguarding grounds to ask schools direct questions about cybersecurity. These aren't invasive IT audits. These are reasonable safeguarding questions:
Questions Parents Can Ask:
Do you have MFA enabled for everyone?
How do staff get cybersecurity training?
Do you have any custom software? If so, where is the code stored?
Where is your incident response plan, and when was it last tested?
They might not like those questions, but they need to hear them. Because the alternative is being the next Kido, and nobody wants that. And now that cyber is officially part of safeguarding, parents have every right to ask these questions.
The Small Wins Matter
Final thought: ask your child's school what security they actually have in place. These aren't technical questions; they're safeguarding questions now. Please don't wait for them to be the next headline.
Practical Implementation Roadmap
Month 1: Assessment
Download the NCSC Cyber Assessment Framework
Conduct a GitHub repository audit
Document all custom software and integrations
Survey current MFA implementation
Month 2: Quick Wins
Enable MFA for all users (no exceptions)
Rotate all credentials organization-wide
Remove or document all custom code
Update incident response plan
Month 3: Governance
Add cybersecurity to safeguarding meeting agendas
Ensure governors understand their responsibilities
Verify IT provider is meeting standards
Begin staff training on security awareness
Ongoing:
Regular credential rotation (quarterly minimum)
Annual security audits
Continuous staff training
Monitor for new vulnerabilities
The Resources You Actually Need
Free Government Resources:
NCSC Cyber Assessment Framework - ncsc.gov.uk/collection/caf
The foundation for school cybersecurity
Written for non-technical audiences
Practical, actionable guidance
Keeping Children Safe in Education 2025 - gov.uk/government/publications/keeping-children-safe-in-education--2
Paragraph 144 on cybersecurity standards
Links to filtering and monitoring guidance
Digital standards references
Plan Technology for Your School - Available via gov.uk
Self-assessment service
Personalized recommendations
Helps meet digital and technology standards
DfE Digital Standards - Search for webinars and training
Regular updates on requirements
Practical implementation guidance
Data Protection Education Resources:
For anyone who wants to get in touch with Tammy or Data Protection Education:
LinkedIn: search for Tammy Buchanan, Data Protection Education
LinkedIn page: Data Protection Education also has a LinkedIn page where articles and resources are published
DfE Digital Standards webinars: explaining the standards in simple terms and how schools can track progress
Additional Support:
Visit the blog at thesmallbusinesscybersecurityguy.co.uk for more resources
Full breakdown of the repository screenshot and Tammy's key points
Changes to the safeguarding guidance details
It's Not as Expensive as You Think
Here's what many schools don't realize: Most of these recommendations don't require massive budgets. The NCSC guidance is free. MFA is often included in existing licenses. Credential rotation costs nothing but time.
The expensive part is if you don't do these things and suffer a breach. Then you're looking at:
ICO fines
Reputation damage
Legal costs
Recovery expenses
Lost trust from parents
Prevention is always cheaper than cure, especially in cybersecurity.
The Bottom Line
Schools have the resources. They have the guidance. What's needed now is the will to implement it and the understanding that cybersecurity is no longer optional. It's safeguarding, it's statutory, and it's essential.
Start with the CAF. Enable MFA for everyone. Audit your GitHub. Ask the hard questions. And most importantly, don't wait for the next headline to prove why this matters.
Key Takeaways
The NCSC Cyber Assessment Framework is free and designed specifically for schools
Start with quick wins: MFA for everyone, credential rotation, GitHub audits
Parents can now ask cybersecurity questions as legitimate safeguarding concerns
Most recommendations don't require massive budgets, just implementation
The cost of prevention is always less than the cost of a breach
| Source | Title | Date |
|---|---|---|
| National Cyber Security Centre | Cyber Assessment Framework | October 2025 |
| UK Department for Education | Plan technology for your school | September 2024 |
| UK Department for Education | Keeping Children Safe in Education 2025 | October 2025 |
| Data Protection Education | Tammy Buchanan - LinkedIn Profile | October 2025 |
| UK Department for Education | DfE Digital Standards | October 2025 |
| GitHub | GitHub Repository Search | October 2025 |
| National Cyber Security Centre | NCSC Training Resources | October 2025 |