Are Governors the Frontline of Cyber Security? (February 12th is Governors Awareness Day)
🛡️Are your school's digital gates secure? Governors are the gatekeepers of cyber security. Today, as we celebrate School Governor's Day, it's the perfect time to ask the question that is critical right now: how do we protect our schools in a digital world?
Governors' roles have traditionally focused on teaching and learning, safeguarding, and health & safety; more recently, government has shifted that role towards aligning digital strategies with the school/trust strategy. Overseeing data protection and cyber security is now a fundamental pillar of modern governance.
Schools handle a considerable amount of sensitive information, from student safeguarding records to staff payroll details. A breach might lead to anything from financial loss to a breach of trust with the community and damage to the organisation's reputation.
How can governors bridge the gap between the boardroom and the server room - or the cloud?
✅Changing the Compliance Culture
Data protection and cyber security should not be just a box-ticking exercise; governors should ensure that 'Privacy by Design' is part of the school's culture. This means asking whether data protection has been considered before a new educational app is purchased or a new cloud system is implemented.
It could also mean regular data walks around the school. DPE Customers can arrange a data walk with their DPE consultant; we call this 'Making the Rounds'. More information about Making the Rounds can be found:

✅Strategic Oversight, Not Technical Experts
An effective governor overseeing cyber security and/or data protection doesn't have to be a technical expert; they do have to be able to ask questions like:
- Are we meeting the DfE Digital Standards?
- Should we be trying for Cyber Essentials?
- Do we have multi-factor authentication configured?
- Do we have a backup plan in the event of a cyber attack?
- Have we understood and documented our cyber risks?
Investing in the Human Firewall
The most sophisticated systems can be bypassed by one person clicking on a phishing link; therefore, governors should support a budget dedicated to ongoing staff training in both data protection and cyber security. Cyber awareness cannot be a one-off training session, because the threat landscape changes quickly. Effective training needs to take into account changes in the environment both inside and outside the organisation.
Everyone in the organisation should know what to do if they receive a phishing email.
Plan for the 'WHEN' not the 'IF'
There is no doubt that everyone must expect some form of cyber attack. With this in mind, governors should help evaluate risks, assess which systems are critical, and establish what recovery looks like and how long it might take. This will take time, money and resources and should be planned for, not just covered by cyber insurance.
Understanding the backup and incident response strategy is key to this plan.
Where do we start?
Look to the DfE Digital Leadership & Governance Standard and understand the roles and responsibilities of governors and the SLT. While the SLT Digital Lead is accountable for much of the standard, governors play a key role and should be consulted over responsibilities and be part of the conversations about Registers, Business Continuity and Digital Strategy.
DPE Customers have access to our DfE Digital Leadership & Governance Standard Tracker, where progress against the Digital Standards can be tracked and reported. Our Roles and Responsibilities document can be downloaded to help with 'who should be doing what'.
Our Governance and Data Best Practice Area provides further guidance for governors about how to manage data.
Training
There is a short training course, found under courses for governors, which covers everything they need to know about their responsibilities for data protection and cyber security as part of their role on the governing body. If they require specific data protection training, this can be assigned from the training courses too.
Cyber Governance Code of Practice
The Cyber Governance Code of Practice (the Code) has been created to support boards and directors in governing cyber security risks. The Code sets out the most critical governance actions that directors are responsible for. The Code forms part of the government’s free package of support on cyber governance and should be the first point of reference for board members.
DPE Customers: Governors should complete the tracker with their Data Protection Lead:
We welcome governors to our online, in-person meetings, data walks and training sessions as part of our DPO service.
