Cybersecurity for Primary Schools: Small Budgets, BYOD, and Safeguarding Data

Primary schools are often the most underserved institutions in the UK education cybersecurity landscape — facing the same legal obligations as large universities, with a fraction of the budget, IT resource, and governance capacity. Most primary schools have no dedicated IT staff, relying on a part-time technician or an outsourced IT support contract. Yet primary schools hold sensitive pupil data including safeguarding records, SEN assessments, medical information, and family circumstances — data that, if breached, can have serious consequences for vulnerable children. The DfE Cyber Security Standards (January 2023) apply to primary schools equally: governors are accountable, and the DfE does not provide smaller schools with a lower compliance threshold.

Primary schools hold some of the most sensitive data in the UK education sector — safeguarding records, SEN assessments, child protection files — on minimal IT budgets with no dedicated security resource.

What Primary Schools Are Up Against

Primary schools face a combination of threats and resource constraints unique in the UK cybersecurity landscape:

  • Small or zero IT budget: most primary schools spend less than £5,000 per year on IT security
  • No dedicated IT staff: typically a part-time technician or shared IT support contract
  • BYOD by default: teachers using personal iPads, phones, and laptops for school work
  • Legacy systems: older MIS installations, out-of-date Windows devices, unsupported hardware
  • Safeguarding data: child protection records, SEN files, and medical information requiring the highest security
  • Governor capacity: many primary school governing bodies have limited technical expertise

BYOD in Primary Schools: The Security Gap

In most primary schools, teachers use personal devices — smartphones, tablets, and laptops — to access school email, learning platforms, and sometimes the MIS. This creates a security gap that is difficult to close without significant investment. Personal devices cannot be enrolled in school MDM systems, may not have up-to-date antivirus, and may store school data (including pupil photos, emails with parental information, and class lists) in insecure personal cloud storage. The practical controls for BYOD in primary schools focus on limiting what data is accessible from personal devices: ensuring that sensitive systems (MIS, safeguarding records) require MFA and are not accessible from unmanaged devices; providing school-managed email rather than personal accounts; and clear policies prohibiting storage of pupil data on personal devices.

Safeguarding Data: The Highest-Risk Records

Safeguarding records — child protection files, referrals to children's services, records of abuse or neglect — are among the most sensitive data any organisation in the UK holds. For primary schools, these records must be:

  • Stored securely with access limited to the designated safeguarding lead (DSL) and headteacher
  • Not accessible from personal or unmanaged devices
  • Retained for the child's lifetime in many cases (CPOMS and equivalent systems support this)
  • Backed up separately and independently of general school data
  • Never shared by email without encryption or a secure messaging system

A data breach involving safeguarding records is likely to require ICO notification and may have serious consequences for affected children.

Free and Low-Cost Controls for Primary Schools

Primary schools can make meaningful security improvements within tight budgets:

  • MFA on Google Workspace or Microsoft 365: free — can be enabled immediately and prevents the majority of account takeovers
  • NCSC Schools Cyber Health Check: free assessment against DfE standards
  • NCSC Cyber Aware training resources: free staff training materials
  • DMARC on school email domain: free DNS configuration — prevents email spoofing
  • Cyber Essentials certification: from £300 — provides framework and verification
  • Local authority DPO service: many LAs offer subsidised shared DPO services for primary schools

Governor Accountability in Primary Schools

The DfE Cyber Security Standards place accountability on governors — and primary school governing bodies cannot delegate this entirely to the headteacher or IT support. Governors should receive an annual cybersecurity update covering the school's posture against DfE standards, any incidents in the past year, and the plan for the coming year. The chair of governors should be identified as a contact in the incident response plan. Cyber Essentials renewal each year provides a natural hook for the annual governor update.

Frequently Asked Questions

What does a primary school absolutely need to have in place for DfE standards?

At minimum: MFA on all staff email accounts (free in Google Workspace and Microsoft 365); a documented and governor-approved information security policy; a basic incident response plan that includes DfE and ICO reporting contacts; secure password management; and Cyber Essentials certification or a credible plan to achieve it. The NCSC Schools Cyber Health Check provides a free gap assessment to identify what your school needs to do.

Can primary schools share a cybersecurity resource with other local schools?

Yes — and this is often the most cost-effective approach. Multi-school clusters or local authority groups can share a designated IT security lead, a DPO service, and Cyber Essentials certification support across multiple primaries. Some local authorities have developed cluster-level cybersecurity programmes that provide shared resources and toolkits. MATs that include primary schools can provide centrally managed security services to all their schools.

Do primary school teachers need cybersecurity training?

Yes. The DfE standards require annual security awareness training for all staff. For primary school teachers, the priority topics are: recognising phishing emails; password security and MFA; what to do if they suspect a breach; and safe handling of safeguarding and SEN data. The NCSC provides free eLearning that can be completed in under an hour — appropriate for busy primary school staff.
