Cybersecurity for Multi-Academy Trusts: MAT-Wide Security Governance and Shared Infrastructure Risks

Multi-academy trusts are one of the highest-risk structures in the UK education cybersecurity landscape. The Harris Federation attack of April 2021 — which took 50 schools offline simultaneously through a single ransomware campaign — demonstrated what happens when centralised infrastructure is compromised. A MAT's shared network, centralised email, common MIS platform, and unified IT management that create operational efficiency also create a single point of failure. One successful attack can disable every school in the trust at once. The DfE Cyber Security Standards (January 2023) require MAT boards to take personal accountability for cybersecurity governance across the entire trust — not just the central office, but every school.

Harris Federation 2021: one ransomware attack disabled 50 schools simultaneously through shared infrastructure — the defining risk of multi-academy trust centralised IT.

The MAT-Specific Threat Profile

Multi-academy trusts face cyber risks that individual schools do not:

- **Scale amplification**: a single successful attack against shared infrastructure affects all schools simultaneously
- **Complex attack surface**: the trust's network connects many schools, potentially including remote campuses
- **Centralised high-value systems**: MAT finance, HR, and administrative systems are high-value ransomware targets
- **Third-party risk aggregation**: a MAT that uses a single IT provider for all schools concentrates supply chain risk
- **Governance complexity**: many schools, many headteachers, one central IT team — security policy enforcement is challenging

MAT-Wide Security Governance

Effective MAT security governance requires clear accountability structures:

- **Trust board accountability**: the MAT board is responsible for setting cybersecurity policy and ensuring adequate resources
- **CEO/COO ownership**: executive accountability for implementing the security programme
- **Central IT lead responsibility**: the trust's IT director or manager is accountable for technical controls across all schools
- **School-level leads**: each school should have a designated person responsible for local security matters (typically the headteacher or IT coordinator)
- **Annual security reporting**: the trust board should receive an annual cybersecurity report, covering posture, incidents, and plans

The DfE standards require this governance structure to be documented — not just practised informally.

Segmenting the MAT Network

The most important technical control for a MAT is network segmentation — ensuring that a compromise in one school cannot propagate across the entire trust. This means:

- Schools should be segmented from the central trust network at the network level
- Each school should be treated as a separate network zone with controlled communication to central systems
- Finance and administrative systems at trust level should be isolated from school networks
- Firewall rules between segments should be documented and reviewed annually

For the Harris Federation, the ability of ransomware to spread across all 50 schools simultaneously indicates insufficient network segmentation. This is the most direct lesson from that incident for other MATs.
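One way to check a documented inter-segment rule register against the segmentation requirements above, as an added example that is not part of the original guide. The zone names, subnets, rule IDs and review dates are constructed for illustration, and the one-year review window is taken from the "reviewed annually" requirement.

```python
from datetime import date
from ipaddress import ip_network

# Constructed zone plan (assumption): one subnet per school, plus central and finance.
ZONES = {
    "school-a": ip_network("10.10.0.0/16"),
    "school-b": ip_network("10.20.0.0/16"),
    "central":  ip_network("10.0.0.0/16"),
    "finance":  ip_network("10.1.0.0/24"),
}

# Constructed rule register: (id, source CIDR, destination CIDR, port, last reviewed).
RULES = [
    ("R1", "10.10.0.0/16", "10.0.5.10/32", 443, date(2024, 9, 1)),   # school-a -> central MIS
    ("R2", "10.10.0.0/16", "10.20.0.0/16", 445, date(2024, 9, 1)),   # school-a -> school-b
    ("R3", "10.20.4.0/24", "10.1.0.20/32", 1433, date(2024, 9, 1)),  # school-b -> finance
    ("R4", "0.0.0.0/0",    "10.0.5.10/32", 443, date(2024, 9, 1)),   # any -> central
    ("R5", "10.20.0.0/16", "10.0.5.10/32", 443, date(2022, 3, 1)),   # review is stale
]

def zones_for(cidr):
    """Return every zone a rule endpoint overlaps (an 'any' endpoint overlaps all)."""
    net = ip_network(cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}

def audit(rules, today, max_age_days=365):
    """Return {rule_id: [findings]} for rules that break the segmentation policy."""
    findings = {}
    for rule_id, src, dst, _port, reviewed in rules:
        issues = []
        src_zones, dst_zones = zones_for(src), zones_for(dst)
        src_schools = {z for z in src_zones if z.startswith("school-")}
        dst_schools = {z for z in dst_zones if z.startswith("school-")}
        if len(src_zones) > 1 or len(dst_zones) > 1:
            issues.append("endpoint spans multiple zones")
        if any(s != d for s in src_schools for d in dst_schools):
            issues.append("school-to-school path")
        if src_schools and "finance" in dst_zones:
            issues.append("school can reach finance")
        if (today - reviewed).days > max_age_days:
            issues.append("review overdue")
        if issues:
            findings[rule_id] = issues
    return findings

if __name__ == "__main__":
    for rule_id, issues in audit(RULES, date(2025, 1, 15)).items():
        print(rule_id, "; ".join(issues))
```

Any rule the audit flags is a path along which a compromise in one zone could reach another, or a rule nobody has re-justified within the review period.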

Centralised Security Controls That Work Across All Schools

MATs can leverage their scale to deploy security controls more effectively than individual schools can:

- **MAT-wide MFA**: enforce MFA across all schools through centralised Azure AD or Google Workspace management
- **Centralised email filtering**: deploy email security across all schools through a single platform
- **Unified endpoint management**: manage and monitor all school devices through a single MDM
- **Centralised backup**: use a MAT-wide backup platform that covers all schools, with independent copies for each school
- **Single Cyber Essentials certification**: where infrastructure is shared, pursue a single MAT-level Cyber Essentials covering all schools

Incident Response at MAT Scale

A MAT incident response plan must account for the possibility that all schools are affected simultaneously — as occurred at Harris Federation. This means:

- Communication plans that do not rely on school email (which may be compromised)
- Designated out-of-band communication channels for the trust IT team
- Pre-identified priorities: which schools' systems must be recovered first?
- Relationship with a specialist incident response firm, established before an incident occurs
- Tested tabletop exercise involving the trust board, CEO, and central IT team — not just IT staff
- Documented relationship with NCSC Cyber Incident Response service

Frequently Asked Questions

Can a MAT get a single Cyber Essentials certificate for all its schools?

Yes, if the schools share a common network, email platform, and device management environment managed centrally by the trust. A single MAT-level Cyber Essentials certification can cover all schools under that shared infrastructure. Where individual schools have independent IT systems, separate certifications may be required. A certifying body with MAT experience can advise on scoping before the assessment — getting the scope right at the start avoids complications during the assessment.

What should MAT boards know about cybersecurity?

MAT boards are not expected to be technical experts. They are expected to: understand that cybersecurity is a governance risk they are accountable for; receive at least annual reporting on the trust's security posture; approve the trust-wide information security policy; ensure adequate budget is allocated for security across all schools; understand the trust's incident response plan at a high level; and know what they would do in the first hours of a major incident. Regular briefings from the trust IT director help boards stay informed without requiring technical deep-dives.

How should a MAT handle a school that has been individually compromised?

A compromised school is a risk to the entire MAT if network segmentation is insufficient. The first priority is isolating the compromised school's network from the rest of the trust. This means the ability to sever network connections between schools must be built into the network architecture in advance — not improvised during an incident. Once isolated, the school's recovery can proceed without risk of spread. The trust incident response plan should include specific procedures for this scenario.
