Cybersecurity awareness – Why compliance isn’t enough

Originally published by Teach Secondary and available online via Teachwire.

Cyber Rebels contributed this article as part of Teach Secondary’s wider coverage around student safety and wellbeing. Written by Andrew Longhurst, Director of Training and Development at Cyber Rebels, the piece explores why cybersecurity awareness in schools cannot stop at compliance.

Schools can often evidence that cybersecurity training has been completed. Staff may have taken the required module, received a certificate and understood the basic risks. That matters, but it does not always show whether staff feel prepared to make secure decisions when digital risk appears inside ordinary school life.

A cyber incident in a school rarely begins as something obvious. It may start with a routine attachment, a parent-style message, a request that appears to fit an ongoing safeguarding concern, or information being shared because the situation feels legitimate at the time.

In those moments, the decision does not feel like a cybersecurity decision. It feels like a safeguarding judgement, an admin task, a communication issue or a response to something urgent.

That is the gap the article explores.

Cybersecurity awareness gives staff the language of risk. It introduces common threats, reinforces policy and supports compliance. But secure judgement is tested in the moment: when time is limited, information is incomplete and the right action is not immediately clear.

The article argues that schools need to move beyond completion as the measure of readiness. Awareness should be treated as a starting point, not the finish line. Staff need space to work through realistic scenarios, test their understanding, ask questions and build confidence before those decisions appear in live situations.

This reflects the wider Cyber Rebels approach to cybersecurity training: calm, practical, human-first and grounded in how people make decisions under real working conditions.