A support decision that does not feel like a cyber decision
A learner cannot access their account just before a session starts. The tutor is already trying to settle the room, manage late arrivals, respond to a support issue that surfaced earlier in the morning, and avoid losing more teaching time than they already have. The learner is standing there waiting while everyone else is moving on.
A quick workaround is suggested.
It is not the formal route, and it is not how the issue would ideally be handled if there were more time. But it will get the learner into the platform straight away, avoid another disruption, and stop the access problem from becoming the centre of the session. In that moment, the visible problem is not cybersecurity. It is that a learner cannot begin, the lesson is already underway, and the pressure is to remove the barrier quickly enough that the session can still function properly.
So the decision makes sense.
It makes sense because the tutor is not choosing between safe practice and obvious danger. They are choosing between the disruption in front of them and the quickest workable way to keep learning moving. The learner needs access now. The group needs the session to continue. The workaround feels proportionate to the problem that can be seen, while the risk behind it is quieter, less immediate, and much easier to push into the background.
That is where the issue begins.
In further education, many of the decisions that shape cyber exposure do not arrive looking like security decisions. They arrive looking like support decisions, access decisions, communication decisions, or continuity decisions. They happen when someone is trying to keep a learner engaged, prevent delay, solve an operational problem, or make sure support does not stall at the point it is needed.
That is why this matters. The question is not simply whether colleges know cyber risk exists. The question is whether they recognise the moments where learner support, operational pressure, and security judgement are all meeting in the same place.
Further education is not the same as schools
It is easy to talk about education as though it is one environment, but the point where cybersecurity meets practice is not the same across the sector.
In schools, cybersecurity is often understood through the protection of children in a more directly supervised setting. That is why the conversation so often connects to safeguarding, filtering, monitoring, and online safety. The concern is not only whether systems are secure, but whether pupils are protected while learning, communicating, and accessing digital spaces in an environment where adults are expected to maintain clearer oversight.
Further education works differently. Colleges and providers are still responsible for protecting learners, but the environment is broader, less uniform, and more operationally complex. They are supporting not only younger learners, but also adult learners, apprentices, employers, awarding bodies, partner organisations, and a wide mix of systems, platforms, records, and services. The daily pressure is spread across teaching, learner support, administration, finance, communication, digital access, data handling, and institutional continuity.
That changes where cyber risk tends to appear.
In schools, it is often easiest to see the overlap through safeguarding and supervised online activity. In further education, the overlap is usually wider. It appears in the systems that learners depend on, the information that moves between teams, the messages that arrive in the course of everyday work, and the decisions staff make while trying to keep learning and support moving without delay.
The difference is not that safeguarding stops mattering in further education. It is that cybersecurity is less contained within that one frame. In schools, the issue is often understood through protecting children in a more bounded environment. In further education, it is more often embedded across access, communication, records, operational systems, and the wider running of the institution.
That is why further education needs its own conversation. The question is not simply whether learners are safe online. It is also whether access is controlled properly, whether sensitive information is handled well under pressure, whether systems can be relied on, and whether support can continue when something goes wrong.
Where cyber and further education actually meet
In further education, cyber and everyday practice often meet in moments that feel operational before they feel risky.
A member of staff is trying to make sure support is put in place for a learner whose situation has changed quickly. Information needs to move between teams so that the right people understand what is happening and can respond without delay. A message is sent, details are shared, and the quickest available route feels like the most sensible one because the priority is clear: make sure the learner does not fall through the gap while people wait for the perfect process.
That moment feels like support. It feels like acting responsibly so that help can be coordinated in time. The decision is easy to understand because the immediate priority is visible: get the right information to the right people quickly enough that support can actually happen.
This is one of the clearest points where cyber and further education meet.
They meet when information is moved quickly, but in a way that weakens the usual control around who should receive it, how it should be shared, or whether the route being used is the right one. They meet when urgent support needs make speed feel more important than process. They meet when a message arrives in the middle of a busy day and is acted on because it appears to fit the work already in progress. They meet when the practical pressure in front of the member of staff is more immediate than the less visible risk behind it.
That is why cybersecurity in further education is not only about technical protection in the background. It is also about the everyday decisions that shape whether information is handled properly, whether communication is trusted, and whether support can continue without creating a different kind of exposure.
This is also why the further education environment needs its own explanation. The Department for Education’s cyber security core standard talks about access and permissions, secure email, risky behaviour, incident response, and business continuity. Those are not abstract controls sitting outside college life. They connect directly to how people make decisions across teaching, learner support, administration, and operations. In practice, cyber and further education meet wherever someone is trying to keep learning, support, and systems moving under pressure.
Why these decisions make sense at the time
This is the part that matters most, because these decisions do not usually happen when someone is ignoring risk. They happen when someone is trying to do the right thing in the conditions in front of them.
In further education, the visible priority is often the learner, the session, the support need, or the disruption that will grow if nothing happens quickly. If a learner cannot get into the system, the problem feels immediate. If information needs to move so support can be put in place, delay feels unhelpful. If a message arrives that fits the task already in progress, responding to it can feel more like doing the job properly than taking a risk.
That is why the decision makes sense.
The member of staff is not weighing up cybersecurity in the abstract. They are dealing with a practical situation where the pressure to keep things moving is clearer than the possibility that a control is being weakened. The action in front of them feels proportionate to the problem they are trying to solve. It removes friction. It protects momentum. It supports the learner. In the moment, those signals are far easier to see than the quieter risk sitting behind them.
This is especially true in further education because the environment is shaped by competing responsibilities. Staff are often balancing teaching, learner welfare, attendance, communication, access, administration, and wider operational pressures at the same time. Under those conditions, the fastest option can easily feel like the most responsible one, particularly when the intention is to help rather than to bypass a rule.
That is why these moments need to be understood properly. The problem is not usually a lack of care. It is that the decision is being made inside a setting where responsiveness, continuity, and learner support are already carrying more weight than a less visible security concern. By the time the risk becomes obvious, the decision has often already been made.
This is also why awareness on its own so often stops short. People may know the rule. What changes the outcome is whether they can recognise the moment when doing the helpful, efficient, sensible thing is also the moment where a pause is needed.
What 2026 adds to the picture
A clearer Department for Education position
What 2026 adds is not only a more demanding cyber environment. It also brings a clearer official position on where cybersecurity now sits in further education.
The Department for Education is no longer treating cyber as a narrow technical issue that can be left in the background. Its cyber security core standard for schools and colleges says that following the standard is intended to help keep students, staff, and their data safe, reduce disruption to school or college operations, prevent unauthorised access to systems or data, and make vulnerabilities harder to find. It also sets out the consequences in practical terms. If the standard is not met, compromised sensitive data can create safeguarding issues, student outcomes can be affected, disruption can be serious enough to lead to closure, and there can be financial loss, recovery costs, and reputational damage.
That matters because it changes the shape of the conversation. The Department for Education is not describing cyber as a specialist concern sitting somewhere outside the real work of a college. It is describing it as something that affects whether the institution can function safely and reliably, whether learners are supported without avoidable disruption, and whether core systems and information can be trusted. The same standards framework also says schools and colleges should be working towards meeting these core standards by 2030, which makes this a long-term direction of travel rather than a passing emphasis.
Stronger accountability for colleges
For colleges, the position is firmer still. The Department for Education has clarified that Cyber Essentials is a requirement for colleges under their ESFA funding agreement. That shifts cyber further into the language of formal expectation and institutional accountability, rather than recommended good practice alone.
That wider accountability picture is reinforced by the 2025 college financial handbook and the 2025 to 2026 accountability framework, which place colleges within stronger expectations around governance, control, oversight, and responsible management as public sector bodies. In other words, the issue is no longer simply whether colleges are aware of cyber risk. It is whether cyber resilience is being treated as part of the wider governance and running of the institution.
What this adds on the positive side
So one side of the 2026 picture is clarity.
There is now less room to treat cyber security in further education as something separate from safety, continuity, learner impact, governance, and operational resilience. The official position is clearer, the direction of travel is clearer, and the expectation that colleges treat cyber as part of the wider running of the institution is clearer too.
What this adds on the more difficult side
The more difficult side is that this clarity does not make the working reality any easier.
It lands in a further education environment that is already stretched, system-dependent, and operationally complex. Colleges are being asked to strengthen cyber resilience while continuing to support a mixed learner population, rely on multiple digital systems, meet funding and accountability requirements, and keep teaching, learner support, and administration moving without interruption.
The more college life depends on digital access, learner records, communication systems, shared platforms, and cross-team workflows, the more often staff are required to make quick decisions inside those systems just to keep things functioning. A learner cannot get in. A record needs updating. A message needs answering. Support needs to be coordinated. None of those moments arrives labelled as a cyber issue. They arrive as practical problems that need resolving now.
The gap between policy and live practice
There is also a structural difficulty here. Stronger expectations do not automatically create stronger capacity.
The Department for Education can define standards, requirements, and direction, but colleges still have to translate those into live practice across real teams and real pressures. At the same time, the wider threat environment is becoming harder. Jisc, the sector body that provides the Janet Network and cyber security services to education and research, reported in February 2026 that cyber-attacks across UK education and research are becoming more complex and sophisticated. It said ransomware and phishing remain leading threats, alongside more visible AI-enabled threats, and that only 37% of further education colleges reported employing dedicated cyber security staff, with responsibility often sitting with general IT managers instead.
Why 2026 feels sharper
That is what makes 2026 sharper rather than simpler.
The expectations are clearer. The responsibilities are broader. The room for treating cyber as someone else’s job is smaller. But the conditions in which decisions are made are still busy, fast, and full of competing priorities. So the issue is not simply that the risks are still there. It is that further education is now being asked to treat cyber as a core part of institutional resilience while the everyday pressures that shape decision-making remain very much in place.
Why treating cyber as separate creates the problem
The problem with treating cybersecurity as something separate is not simply that it creates a gap in responsibility. It creates a gap in recognition.
Once cyber is placed in its own category, it starts to feel as though it belongs somewhere else. It becomes an IT issue, a compliance issue, a policy issue, or a topic covered in annual training. The institution may still say it takes cyber seriously, and that may be true in principle. But if cybersecurity is understood as something that sits outside the ordinary work of the college, it becomes much harder to recognise in the moments where risk is actually being created.
That is where the problem begins.
In further education, many of the decisions that shape exposure do not arrive looking like security decisions. They arrive as practical problems. A learner cannot access the system they need. Information needs to move quickly so support can be put in place. A member of staff receives a message that fits the context of the day and responds because it looks like part of the job. A workaround is suggested because following the full process feels too slow for the situation in front of them.
If cyber has already been mentally separated from that kind of work, those moments will not be interpreted through a security lens. They will be interpreted through the more visible priority, which is usually the learner, the session, the support need, or the operational problem that needs resolving. In other words, the decision is not experienced as a choice between support and poor practice. It is experienced as a choice between keeping things moving and creating delay.
That is why the separation creates risk.
It allows the immediate priority and the security priority to feel like two different things. Supporting the learner feels urgent. Keeping teaching on track feels necessary. Solving the practical problem feels helpful and proportionate. Cybersecurity, by contrast, feels like a separate requirement sitting somewhere in the background, important in theory but less visible in the moment. When those two things are experienced as separate, the urgent and visible one will usually win.
This does not happen because staff do not care about security. It happens because the way the issue has been framed makes cyber feel detached from the decision in front of them. By the time the risk becomes obvious, the action has often already been taken, not because the person involved was careless, but because the situation was understood first as a support issue, an access issue, or a continuity issue.
That is why further education needs a different framing. Cybersecurity is not separate from learner support, communication, continuity, and access. It is part of how those things are handled well. Until that is recognised, colleges can continue to take cyber seriously as a subject while still missing the moments where exposure is being created in practice.
What better judgement looks like in further education
Better judgement in further education does not mean slowing everything down or making normal college work feel suspicious. It means that the same decisions are still being made inside teaching, learner support, administration, and operational work, but they are handled differently at the point where pressure would usually push someone straight through them.
Take a routine-looking message. A request arrives during a busy day, uses familiar language, fits the context of the work already in progress, and appears to come from someone the member of staff would normally respond to without hesitation. It may be asking for learner information, confirmation of a detail, or a quick action so that support can move forward. Better judgement does not mean distrusting every message that arrives. It means recognising that familiarity is not the same as verification.
Instead of treating the message as safe because it looks routine, the member of staff pauses long enough to confirm that the request is genuine and that the route being used is the right one. That may mean checking through a known channel, using the proper system rather than replying immediately, or confirming that the person asking for the information is who they appear to be. The change is not dramatic. It is simply that the request is no longer allowed to pass on appearance alone.
That is where the “why” matters most. Better judgement is realistic in further education because it does not ask staff to stop helping learners or stop keeping things moving. It asks them to recognise that some of the most important decisions are the ones that feel too ordinary to question. In a busy college environment, the pressure to be responsive is clear and immediate. The risk behind the decision is usually quieter and less visible. Good judgement is what closes that gap. It helps someone see that the helpful, efficient, sensible action may still be the point where a pause is needed.
This is why better judgement is not the same thing as being more aware in the abstract. Plenty of staff already understand that cyber risks exist. What changes outcomes is whether they can recognise the moment when a practical problem is also a security decision. In further education, that often means noticing when urgency, familiarity, trust, or routine is shaping the response more than verification is. It means understanding the difference between something that looks right and something that has been confirmed. It means escalating earlier, not because a situation has become obviously dangerous, but because something important is about to be actioned without being checked properly.
There is also a reason this has to be framed carefully in further education. Colleges and providers do not have the luxury of treating secure behaviour as something separate from responsive practice. Staff still have to support learners, solve problems, coordinate across teams, and keep learning moving. So better judgement cannot mean friction for the sake of it. It has to work inside the reality of the job. That is why the strongest shift is not “be more careful.” It is “apply the right check at the right moment without losing the purpose of the work.”
In practice, that means a member of staff checks a routine-looking request before acting on it. A support team confirms the route before sending sensitive learner information. A colleague questions a familiar message because it fits a little too neatly into the task already in front of them. A line manager escalates earlier when something does not have to look suspicious to deserve confirmation.
That is what better judgement looks like in further education. The work still gets done. The learner is still supported. The college still functions. But the moments that would normally pass unchallenged are handled more deliberately, and that changes what happens next.
The real overlap in FE
In 2026, the point where cyber and further education meet is not exactly the same as it is in schools.
It is not only about online safety in the school sense, and it is not best understood as a separate technical issue sitting somewhere behind the scenes. In further education, the overlap is wider and more embedded in the everyday running of the institution. It appears in learner access, staff judgement, data handling, communication, continuity, and the systems that support teaching and learner services.
That is what makes the FE context different.
In schools, the cyber conversation often connects most visibly to safeguarding, filtering, monitoring, and the protection of children in a more directly supervised environment. In further education, those responsibilities do not disappear, but cyber risk is less contained within that one frame. It is more likely to appear in the practical decisions staff make while trying to keep learning moving, remove barriers, coordinate support, and respond to problems without delay.
That is why the real overlap in FE is not simply “education plus cyber.” It is the point where operational pressure, learner support, and security judgement meet in the same moment.
A learner needs access restored quickly. Information needs to move so support can be put in place. A routine-looking message arrives in the middle of a busy day. A workaround is suggested because it seems proportionate to the problem in front of the member of staff. None of these moments feels dramatic enough to stand out on its own. That is exactly why they matter. They are ordinary enough to pass through without challenge, but important enough to shape whether access, information, and trust are being handled well.
Seen properly, this is not a separate layer of college life. It is part of how college life now works.
That is also why treating cybersecurity as something outside learner support creates such a weak picture of the problem. The decisions that shape exposure are often being made while staff are trying to be responsive, useful, and proportionate in the middle of real further education work. If cyber is only recognised when something looks explicitly suspicious, it will be missed in many of the places where it actually forms.
So the real overlap in FE is not found in a policy label. It is found in the ordinary moments where colleges are trying to support learners, protect continuity, and keep systems working under pressure.
That is where this becomes more than an IT issue. It becomes a question of how well the institution recognises and handles the decisions that already sit inside its normal work.
And that is usually the point where a college needs to look more closely — not just at what controls exist on paper, but at how decisions are actually being made across access, support, communication, and day-to-day operations.
Director of Training and Development, Cyber Rebels.
Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure.
With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices.
He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments.
Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
