When schools talk about cyber risk, the conversation still tends to focus outward. External attackers. Phishing emails. Criminal groups attempting to gain access from outside the organisation.
That framing is familiar, and it remains relevant. But it no longer tells the full story of how cyber incidents are actually unfolding in education settings.
Increasingly, the risk schools are managing does not begin with a breach from the outside. It begins with legitimate access being used in unintended ways by people already inside the system. In many cases, that “insider” is a student.
This is not about malicious intent or deliberate wrongdoing. It is about curiosity, confidence, and systems that assume adult judgement in environments designed for young people. It is about access that works as designed, boundaries that are not always visible, and behaviour that makes sense to the individual in the moment but carries wider consequences.
What makes this type of risk particularly challenging is that it does not sit neatly in one place. It is not purely an IT issue, because the systems are often functioning correctly. It is not always treated as a safeguarding concern, because harm may be indirect or delayed. And it is not always visible in the classroom, because its impact often emerges elsewhere.
As a result, student digital behaviour — and the risk it can create — frequently sits in the gaps between roles, responsibilities and responses.
This blog explores what it means to recognise that shift. It looks at why student-led cyber incidents are becoming more visible, how curiosity and access interact in modern school systems, and why this is fundamentally a safeguarding and leadership issue rather than a technical one. Most importantly, it considers what helps schools reduce risk in practice — not by locking systems down, but by supporting better judgement, clearer expectations and consistent responses across the organisation.
What “insider threat” means in a school context
In many sectors, the term insider threat is used to describe deliberate, harmful activity by someone who already has authorised access to systems or data. It often carries assumptions of intent, malice, or misconduct.
That framing does not translate well to education — and it is one of the reasons this type of risk is so often misunderstood or avoided altogether in schools.
In a school context, an insider threat is not about a student “attacking” systems. It is about legitimate access being used in ways that were not intended, anticipated, or properly bounded — often without the individual fully understanding the implications of what they are doing.
A typical example helps illustrate the distinction.
A student logs into a learning platform using their own credentials. While navigating the system, they notice that a particular area reveals information they were not expecting to see — perhaps assessment data, staff-only resources, or settings that appear editable. Nothing has been bypassed. No controls have been broken. The system has simply allowed access.
The student explores further, partly out of curiosity, partly because the platform gives no indication that this access is inappropriate. They may show a friend. They may mention it in passing. From their perspective, they are using the system as it presents itself to them.
From the school’s perspective, a boundary has been crossed — but not through hacking, deception, or deliberate wrongdoing. It has happened because access existed, expectations were unclear, and no immediate signal indicated that something was wrong.
This is the core distinction schools need to understand. Insider risk in education is rarely about intent. It is about context. It arises when young people, who are still developing judgement and understanding of consequence, are placed inside systems that assume adult decision-making.
Recognising this difference is essential. If schools treat these situations as security breaches alone, the response is likely to be overly punitive or purely technical. If they ignore the risk entirely because there was “no malicious intent”, the underlying issue remains unaddressed.
A safeguarding-informed approach sits between those extremes. It acknowledges that the behaviour occurred, that risk was created, and that the appropriate response is guidance, boundary-setting, and support — not blame.
How student access creates unintentional cyber risk
Modern schools rely on digital systems that are designed to be accessible, flexible, and supportive of learning. Cloud platforms, learning management systems, shared devices, and collaboration tools are now essential to how education operates day to day.
To function effectively, these systems often require broad access models. Students are given credentials that allow them to move independently through platforms, submit work, collaborate with peers, and manage aspects of their own learning. This level of access is not a mistake — it is a deliberate educational choice.
However, access on its own is not neutral. Access creates opportunity, and opportunity invites curiosity.
Curiosity is a normal and expected part of learning. Students are encouraged to explore, test boundaries, and understand how things work. In physical environments, those boundaries are often obvious. A locked door, a staff-only area, a visible rule. In digital systems, those boundaries are far less clear.
When a student clicks into an area of a system that appears available to them, there is often no immediate indication that they should not be there. No warning, no barrier, no clear signal that a line has been crossed. From the student’s perspective, the system is behaving as designed.
This is where unintentional risk begins to form.
A student may discover information they were not expecting to see, settings they did not know existed, or functionality that feels interesting rather than dangerous. Because no technical barrier has been bypassed, the behaviour does not feel like rule-breaking. It feels like exploration.
In some cases, that curiosity remains individual and fleeting. In others, it is shared. A student shows a peer. Someone else tries the same thing. The behaviour becomes normalised — not because it is malicious, but because it is repeatable and unchallenged.
At this point, the risk is no longer hypothetical. Sensitive information may be exposed, system integrity may be affected, or trust boundaries may be weakened — all without a single moment where a student consciously decides to do something “wrong”.
This is a crucial distinction for schools to understand. Student-led cyber incidents often emerge not from deliberate action, but from a mismatch between access, expectation, and developing judgement. Systems assume users understand boundaries that have never been explicitly taught or reinforced.
A safeguarding-informed response recognises this dynamic. It accepts that curiosity is not something to eliminate, but something to guide. The goal is not to remove access entirely, but to ensure that access is accompanied by clear expectations, proportionate boundaries, and supportive conversations about responsibility and consequence.
When student access is viewed through this lens, cyber risk becomes less about control and more about care.
Why these incidents are increasing
The rise in student-led cyber incidents is often explained as part of a wider increase in cyber attacks overall. That explanation is convenient, but it does not fully account for what schools are experiencing in practice.
What has changed over the past few years is not student intent, but exposure.
Schools are now far more digitally embedded than they were even five years ago. Cloud platforms, online assessment tools, shared collaboration spaces and identity-based access are no longer supporting learning at the edges — they are central to how learning happens. That shift accelerated rapidly during and after the pandemic and has not reversed.
With that change came broader access. Students are expected to navigate systems independently, manage their own digital spaces, and move between platforms with minimal supervision. This is an educational positive, but it also means that far more decisions are now made in digital environments where boundaries are not always obvious.
Curiosity plays a significant role here. Students are more digitally confident than ever, and curiosity, experimentation and peer influence are entirely normal developmental behaviours. What has changed is the scale at which those behaviours now operate. A single point of access can expose far more than it once did.
This shift is starting to show up clearly in national reporting.
In the 2021 UK Cyber Security Breaches Survey, only 8% of secondary schools that reported a cyber incident identified unauthorised access by students as part of that incident. Primary schools did not report student unauthorised access at all in that year’s findings. At the time, this type of activity was treated as relatively uncommon and largely confined to older students.
By 2025, the picture had changed. Among schools that identified a breach or attack, 17% of secondary schools reported unauthorised access by students — more than double the figure from four years earlier. Importantly, primary schools were now reporting this behaviour as well, with 5% identifying unauthorised student access as part of an incident.
Those figures do not suggest a sudden change in student behaviour. They suggest a change in environment. The same curiosity that has always existed is now operating inside more complex, interconnected systems, with fewer visible guardrails.
The ICO’s own analysis reinforces this trend. Reviewing personal data breaches reported by education providers over a multi-year period, the ICO found that 57% of insider-related incidents involved students rather than staff. In many cases, the activity involved legitimate access being used in unintended ways, rather than deliberate attempts to bypass security.
Taken together, these figures tell a consistent story. Student-led cyber incidents are not increasing because students are becoming more malicious. They are increasing because access is broader, systems are more permissive, and the gap between digital capability and digital judgement is widening.
For schools, this marks a quiet but important shift. Cyber risk is no longer primarily about keeping threats out. It is increasingly about understanding how risk emerges inside trusted systems — and responding in a way that reflects both educational reality and safeguarding responsibility.
Where responsibility currently breaks down
When cyber incidents occur in schools, responsibility is often instinctively traced back to IT. Systems, permissions, configurations and controls are examined first, and in many cases that is appropriate. For a long time, cyber risk largely lived at the technical perimeter, and IT teams were best placed to manage it.
That model no longer reflects how risk actually emerges.
In practice, responsibility for digital risk in schools is split across roles that are each doing exactly what they are meant to do:
IT teams manage systems.
They focus on infrastructure, access, availability and security controls.
Safeguarding teams manage harm.
Their role is to respond to risk, protect wellbeing and ensure proportionate, supportive intervention when harm occurs.
Teaching staff manage learning.
They focus on behaviour, engagement and ensuring digital tools support education in the classroom.
Individually, each of these roles makes sense. Collectively, they leave a gap.
Student digital behaviour sits in that gap.
It is not fully owned by IT, because it is behavioural rather than technical. It is not always framed as safeguarding, because the harm may be indirect, delayed or unintended. It is not consistently addressed through teaching, because its consequences often sit outside the immediate learning context.
As a result, student-led cyber risk can develop quietly without a clear point of ownership. This is not because anyone is neglecting their responsibilities, but because the risk itself does not align neatly with existing structures.
This is why many modern cyber incidents in schools are no longer best understood as IT failures. The systems often work exactly as configured. The issue lies in how people — particularly young people still developing judgement — interact with those systems.
In that sense, cyber risk in schools has become a people problem rather than a purely technical one. Addressing it requires shared ownership, clearer expectations, and closer alignment between systems, safeguarding, and learning.
Why this is fundamentally a safeguarding issue
Safeguarding in education has always been about more than responding to harm after it occurs. At its core, it is about recognising vulnerability, understanding context, and putting proportionate support in place before situations escalate.
Student-led cyber incidents sit squarely within that definition.
In many cases, the behaviour that creates cyber risk does not involve malicious intent. A student may access information they do not fully understand, explore functionality without recognising boundaries, or share access with peers without appreciating the wider consequences. The action itself may appear minor, but the potential impact can be significant — for the student, for others, and for the school.
This gap between intent and consequence is precisely where safeguarding applies.
Young people are still developing judgement, impulse control, and an understanding of responsibility. Digital systems, however, often assume adult decision-making. When students are given legitimate access to complex environments without clear guidance or visible boundaries, they can inadvertently place themselves and others at risk.
Treating these situations purely as security incidents or behavioural issues misses the point. A purely technical response may address the immediate exposure but does little to support learning or reduce future risk. A purely disciplinary response may discourage reporting and push behaviour underground.
A safeguarding-informed approach recognises that the priority is not punishment, but protection and understanding.
That means helping students grasp why certain boundaries exist, what the consequences of digital actions can be, and how to act responsibly when something unexpected occurs. It also means ensuring that adults respond proportionately — recognising vulnerability and development rather than assuming intent.
This framing matters because it changes how incidents are handled. Instead of asking “who broke the rules?”, the more useful question becomes “what support was missing, and how do we put it in place?”. That shift aligns cyber risk management with the same principles schools already apply to online safety, peer behaviour, and pastoral care.
When schools view student-led cyber risk through a safeguarding lens, they are better placed to intervene early, respond consistently, and reduce harm without resorting to fear-based or punitive measures. Cybersecurity stops being an abstract technical concern and becomes part of the wider responsibility schools hold for the wellbeing and development of the young people in their care.
Why technical controls alone are not enough
Technical controls are essential. Access management, permissions, monitoring and security configuration all play a critical role in reducing cyber risk in schools. Without them, digital environments would quickly become unmanageable.
However, the incidents schools are increasingly dealing with demonstrate a clear limitation: technical controls cannot manage behaviour on their own.
Most student-led cyber incidents do not occur because controls are absent or broken. They occur because systems allow access in ways that appear legitimate to the user, and because the behaviour that creates risk sits outside the scope of what technical measures can reasonably govern.
This is where responsibility becomes blurred.
IT teams are responsible for managing systems — ensuring platforms function securely and reliably. Safeguarding teams are responsible for managing harm and responding proportionately when risk materialises. Teaching staff are responsible for learning, behaviour and engagement. None of these roles, on their own, are designed to manage the grey area of student digital behaviour across complex systems.
As a result, schools can find themselves tightening controls in response to incidents without addressing the underlying cause. Access is reduced, restrictions increase, and workarounds emerge. Students adapt quickly, behaviour shifts elsewhere, and risk is displaced rather than resolved.
Overly restrictive controls can also create unintended consequences. When systems become difficult to use, staff and students are more likely to share credentials, bypass processes, or rely on informal practices that introduce new vulnerabilities. In attempting to remove risk through control alone, schools may inadvertently create more of it.
This does not mean technical controls are unnecessary. It means they are insufficient in isolation.
Effective risk reduction depends on aligning systems with how people actually behave. That requires clarity about expectations, shared ownership of responsibility, and support for judgement at the point where decisions are made. Technical controls can set boundaries, but they cannot teach understanding or guide curiosity.
In this context, cybersecurity looks much less like a configuration problem and much more like a safeguarding and culture issue. Reducing risk is not about choosing between systems or people; it is about recognising that systems must be designed, governed and supported with human behaviour in mind.
When schools combine appropriate technical controls with clear guidance, consistent expectations and safeguarding-informed responses, cyber risk becomes manageable. Not because systems are locked down, but because people are supported to use them responsibly.
What this looks like when cyber risk is treated as a safeguarding issue
In schools, managing student-led cyber risk rarely involves dramatic interventions or wholesale changes to systems. More often, it shows up in how existing responsibilities are aligned and how digital behaviour is understood in context.
Expectations around digital access and responsibility are made clearer, not through additional rules, but through consistent guidance and shared understanding. Students are supported to recognise boundaries in digital environments that do not always make those boundaries obvious, and they are given clear routes for what to do when something feels unexpected or uncertain.
Roles remain distinct, but better connected. IT teams continue to manage systems and access. Safeguarding teams focus on harm, vulnerability and proportionate response. Teaching staff support learning and behaviour in the classroom. What changes is not ownership of those roles, but how student digital behaviour is recognised across them.
This is also where established safeguarding frameworks provide useful language. Many schools already use the 4 Cs of online safety — content, contact, conduct and commerce — to understand student risk online. Student-led cyber incidents often sit most clearly within conduct, but they rarely stay there. Curiosity-driven behaviour can quickly extend into content, where information is accessed that was not intended to be visible, or contact, where access or information is shared with peers. In some cases, particularly where systems connect to payments, subscriptions or personal data, commerce also becomes relevant.
Viewing student cyber behaviour through this lens helps reinforce that these incidents are not separate from safeguarding practice. They sit on the same continuum of online behaviour that schools already manage, just expressed through systems rather than screens.
When incidents occur, the response focuses on context as much as outcome. Rather than treating access issues as technical failures to be closed off and forgotten, schools consider how and why the behaviour occurred, what assumptions were made, and where clearer expectations or support could reduce future risk.
Over time, this approach reduces uncertainty for everyone involved. Students are less likely to drift into risky behaviour without realising it. Staff are more confident in responding consistently. Cyber risk becomes something that is understood and managed within everyday safeguarding practice, rather than something that sits apart from it.
This reflects the reality that digital access is now part of normal school life, and that safeguarding practice must account for how young people actually interact with the systems they are given.
What leaders should take away
For school leaders, the most important takeaway is not that cyber risk has increased, but that where it comes from has shifted.
Student-led cyber incidents are no longer best understood as technical failures or isolated behavioural issues. They sit at the intersection of access, curiosity, judgement and responsibility — and that makes them a leadership concern rather than an IT one.
This does not mean leaders need to become cybersecurity experts. It does mean recognising that digital behaviour now carries safeguarding implications in the same way that online communication, peer interaction and digital wellbeing already do. When risk emerges from within trusted systems, it cannot be delegated entirely to technical controls or reactive responses.
What leaders can influence is alignment.
When expectations around digital access are clear, when staff share a common understanding of how student behaviour creates risk, and when responses are consistent and proportionate, incidents are less likely to escalate. Students are more likely to report concerns early. Staff are more confident in knowing when something is a safeguarding issue rather than “just an IT problem”.
This is where training has a meaningful role to play.
Effective cyber awareness training in schools is not about turning staff into technicians or overwhelming them with threat scenarios. It is about building shared understanding — helping IT teams, safeguarding leads and teaching staff recognise the same behaviours in the same way, and respond with confidence rather than uncertainty.
For students, it is about supporting judgement rather than restricting access. Training that explains why boundaries exist, how curiosity can unintentionally create harm, and what to do when something feels wrong reinforces safeguarding messages students already receive in other areas of online safety.
For leaders, this creates something far more valuable than compliance. It creates consistency.
When cyber risk is treated as part of everyday safeguarding practice, supported by training that reflects how schools actually work, responsibility stops sitting in the gaps. Digital behaviour becomes something that is understood, guided and supported — not just controlled after the fact.
That is the difference between managing incidents and reducing risk.
Director of Training and Development, Cyber Rebels.
Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure.
With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices.
He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments.
Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
