Schools across the UK are facing a growing wave of cyber threats — from phishing to ransomware — but many still rely on free, pre-packaged tools as their primary line of defence.
As someone who's worked with thousands of cyber security clients and implemented solutions for some of the largest multi-academy trusts in the UK, I’ve seen firsthand how this reliance creates a false sense of security. Tools may be in place, but they’re often misconfigured, unmonitored, or misunderstood.
In this article, I’ll explain why free tools aren’t enough, what schools are getting wrong, and what practical steps you can take to close the gap and truly protect your students, staff, and data.
But here’s the hard truth: having those tools in place isn’t enough. It can create a dangerous sense of security. Time and again, I speak with IT managers and school leaders who assume that because something has been "installed," the job is done. Sadly, cyber threats don’t work that way.
The Department for Education and various tech vendors provide schools with valuable resources: antivirus software, basic firewalls, email filters, and general safeguarding guidance. These are all solid starting points. But they come with an implicit assumption: someone knows how to configure, manage, and respond to what those tools detect.
That assumption often breaks down in practice. Many school IT teams are overextended, responsible for multiple sites with limited support. A filter may be installed, but are policies updated? Logs enabled? Alerts monitored? In many cases, the answer is no. Without the time and expertise to make these tools work effectively, schools are flying blind.
Think of it like giving someone a high-end toolkit and expecting them to build a house. Without the knowledge and experience to use the tools correctly, the outcome will be patchy at best, dangerous at worst.
A recent case springs to mind: a well-regarded UK college had email filtering and impersonation protection enabled through a free platform. On paper, they were covered. In reality, their finance team was being targeted with spoofed emails requesting fraudulent purchase orders.
You can read the full story here: West Lothian schools hit by ransomware cyberattack
This isn’t about blame. It’s about recognising that tools don’t work in isolation. They need the right people behind them. Unfortunately, cyber security specialists are in short supply in the public education sector, where salaries can’t compete with corporate or financial roles. As a result, schools are often left with the tools but none of the support.
When systems are misconfigured or ignored, the results can be severe: data breaches, ransomware lockdowns, and safeguarding failures. And the impact goes beyond IT disruption. Parents lose trust. Regulators ask hard questions. In some cases, sensitive student data is exposed, with lifelong consequences.
Sophos’s education sector report found that over 90% of schools hit by ransomware experienced serious operational disruption. Worse still, only 2% fully recovered their data after paying a ransom. Free tools didn’t stop the attack and couldn’t help them recover.
See the full report here: The State of Ransomware 2024
So, what’s the alternative? It’s not about throwing money at the problem. It’s about using what’s available more effectively. That starts with recognising the gap between "tool" and "solution."
If you try to do it all internally: You may spend more time troubleshooting than improving learners’ outcomes. IT staff can become overwhelmed, and cracks may go unnoticed until it's too late.
If you work with a partner: You gain confidence, clarity, and continuity. You free up internal resources while gaining a structured, proven approach to keeping your school safe.
Small steps matter. And they can often be taken within existing budgets, especially when schools leverage local IT communities or trusted managed service providers.
Cyber security in schools isn’t a tech issue. It’s a safeguarding issue. Relying on free tools alone is like locking your front door but leaving the windows open.
Yes, the resources exist. But it takes the right expertise and approach to use them well. We owe it to our students and staff to move beyond box-ticking and build real, resilient protection.
If your school hasn’t reviewed its cyber security strategy recently, now’s the time. Don’t wait for a breach to realise that free tools were never enough.