Spotting insider cyber threats in schools

The Information Commissioner’s Office (ICO), as highlighted in a recent BBC feature, has issued a strong advisory to the education sector: incidents of students hacking into their own school and college IT systems are on the rise; sometimes as part of dares, other times for personal challenge or gain. This pattern signals more than mischief; it represents an emerging insider threat that many school leaders underestimate.

While external cyber-attacks remain a concern, internal risks, especially those posed by students, can be equally disruptive and damaging to education environments.

Why school leaders should be concerned

Students frequently possess legitimate access credentials, complicating detection of misuse. Consider how susceptible a school becomes if a student is coerced or manipulated, by peers or even worse outsiders, into accessing the school network, installing malware, or sharing sensitive information. Recently Joe Tidy, Cyber correspondent, BBC World Service experienced just this sort of approach from hackers. Such incidents can result in data breaches, serious safeguarding concerns, and reputation loss. Without adequate training, staff may overlook indicators of insider threats, leaving vulnerabilities unaddressed.

School leaders and staff should be alert to

Behavioural indicators:

• Unusual logins by students at irregular hours
• Attempts to access areas outside their authorised permissions
• Use of VPNs or proxy services to evade school filters

System anomalies:

• Sudden system slowdowns or glitches correlated with student activity
• Unexplained modifications to files, settings, or user accounts

Reporting from peers:

• Students sharing concerns about digital dares or suspicious actions
• Boasting about bypassing school systems or discovering 'hidden' areas, and even
  being paid to provide credentials to hackers

Digital curiosity:

• Persistent interest in administrative platforms or IT infrastructure
• Attempts at password guessing or repeatedly probing login screens

Ongoing monitoring and review:

• Implementing controls to block personal devices from critical infrastructure
• Regular audits of access logs and system alerts
• Clear procedures enabling staff to escalate any concerns promptly

What more can school leaders do?

• Deliver focused training for teachers and support staff to identify and respond to insider threats effectively.
• Integrate cyber awareness into PSHE, computing curricula, and safeguarding policies to build resilience from the ground up.
• Collaborate with IT teams to strengthen access controls, implement robust network segregation, and enhance monitoring through intrusion detection systems, centralised logging, and SIEM tools.
• Champion a culture of digital responsibility throughout the school community.

Insider threats are often underestimated, yet they present a significant and growing risk. By equipping staff with practical tools and ongoing awareness, school leaders can strengthen protection of sensitive data, maintain regulatory compliance, and reinforce trust within the community.

Heather Toomey, Principal Cyber Specialist at the ICO commented, “It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists.” 

Cyber security requires a whole-school approach, together we can empower your staff to recognise the warning signs early; protecting learners, preserving your reputation, and ensuring a secure learning environment for all.