For the last couple of years, Xentra has worked in close partnership with TransforMATive to bring education leaders together for candid conversations about technology, risk, and real-world operations. Our joint roundtable dinners were created to cut through the noise and explore what actually happens inside schools, trusts, and public sector organisations when digital systems are under pressure.
Across multiple events, this collaboration has built a unique view of how cyber risk in education is evolving: from a technical IT concern to a leadership issue, and now to something far more fundamental, a question of organisational resilience and safeguarding.
Our most recent dinner, held alongside BETT 2026 in London, highlighted a turning point in that journey.

From cyber security to cyber resilience
When we first brought school, trust and sector leaders together for these dinners, the focus was largely on prevention:
- Improving staff awareness and reducing phishing risk
- Hardening networks and endpoints
- Backups and recovery from ransomware
- Meeting compliance and audit expectations
- Gaining visibility over an increasingly complex IT estate
These remain essential.
But the underlying assumption was often that a ‘cyber incident’ was primarily an IT outage: disruptive, expensive, and reputationally painful.
Fast forward to January 2026, and that framing no longer holds.

A cyber incident is a safeguarding incident
At the latest roundtable, participants explored a ‘system-wide compromise’ scenario: identity systems offline, MIS unavailable, safeguarding platforms inaccessible, communications down, printing disrupted, and even building or access-control systems affected.
The conclusion was pretty stark. In highly integrated education environments, a major cyber incident very quickly becomes a safeguarding and operational crisis.
If staff cannot access:
- pupil records and vulnerability flags
- safeguarding histories and reporting tools
- emergency contacts and attendance data
- timetables, access control, or internal communications
…then the immediate risk is not just lost learning. It’s loss of visibility, control, and duty of care.
The core insight that emerged is simple. Safeguarding depends on availability and integrity just as much as confidentiality.

The growing fragility of ‘smart’ schools
Compared to our earlier dinners, there was much greater concern about operational fragility.
Single sign-on, integrated MIS ecosystems, automated workflows, cloud platforms, and third-party services have improved efficiency, but they have also concentrated risk. When identity or a critical supplier fails, the blast radius can be enormous.
A recurring theme was that:
- Processes are increasingly embedded in systems
- Those processes are often poorly documented
- Staff rely on ‘the system’ to tell them what to do
- When the system is gone, organisations struggle to reconstruct how they actually operate
Several leaders noted that teaching can continue with pens and paper. The real failure point is coordination. Who is on site, who can go home with whom, who needs monitoring, who can approve what, and how decisions are recorded safely?

From fire drills to cyber drills
Another shift from earlier discussions was the emphasis on rehearsal.
Schools and trusts practise for fires, floods and physical emergencies. Cyber incidents, by contrast, are still often treated as an IT-only scenario. The result is a two-tier response: experienced staff improvise, newer staff stall, and non-IT teams are unsure what to do when systems disappear.
The emerging direction is to move from: ‘Do we have a plan?’ to ‘Have we actually practised this, as a whole organisation?’
That means cyber drills that include leadership, safeguarding leads, operations, and communications. Not just IT.

Identity and supply chain: the new front line
Earlier dinners focused heavily on perimeter security and endpoints. The 2026 conversation shifted decisively towards identity and suppliers.
Single sign-on simplifies access, but it also creates a single point of failure and massively increases the impact of credential compromise. The same applies to core vendors: MIS, safeguarding platforms, communications tools, and hosting providers.
When one of these fails, multiple organisations can be affected at once.
There was broad agreement that:
- Student accounts are a real and underappreciated attack vector
- Third-party risk is now an ‘everyday risk’
- Sector-wide standardisation, while efficient, is also being exploited by attackers

AI changes the social engineering game
A new theme, much more prominent than in previous years, was the impact of AI.
Participants were clear: AI has made phishing, impersonation and fraud more convincing, more targeted, and more scalable. The old advice to ‘look for bad spelling or odd phrasing’ is no longer enough.
The practical response is a shift away from ‘spot the scam’ towards process-based controls:
- call-backs using trusted directory numbers, not email signatures
- dual approval for sensitive changes
- secondary channel verification
- an ‘assume compromise’ mindset for urgent requests
AI can help defenders too, but only if monitoring is paired with real response capability.
As several attendees noted, alerting someone at 2am without the ability to act is not protection.

Culture beats compliance
This is perhaps the strongest thread running through all three dinners.
There was scepticism about long, generic, tick-box training and unread continuity plans. Real incidents still happen to highly aware staff when they are busy, rushed, or under pressure.
What seems to work better?
- Short, frequent, role-relevant nudges
- Practical simulations with consequences
- Training pupils as well as staff
- Framing cyber risk in terms of real-world harm, not just audits or fines
The message is consistent and increasingly urgent: behaviour, rehearsal, and ownership reduce risk more than paperwork ever will.

The direction of travel
Looking across all three Xentra–TransforMATive dinners, the direction is clear:
- From prevention to resilience
- From IT ownership to whole-organisation responsibility
- From compliance to culture and practice
- From ‘can we stop attacks?’ to ‘can we keep people safe when systems fail?’
Cyber security in education is no longer just about protecting data. It is about protecting children, maintaining operational control, and preserving trust in a world where digital systems underpin almost everything we do.

Join the conversation: upcoming webinar
To take these discussions further, we’re hosting a follow-up webinar exploring what cyber resilience really looks like in practice for schools, trusts, and education groups, covering safeguarding, operations, identity, and incident response in a system-wide context.
If these challenges resonate with you, we’d love you to join the conversation and hear how other leaders across the sector are approaching them.
Register for the webinar here:
https://zoom.us/webinar/register/9017703882532/WN_Y9KBPLRGTZ6bV4UGNFv6OQ


