A member of staff is moving between lessons when a pupil mentions that an image is being shared in a group chat. They do not have the full story yet. They do not know whether it is bullying, embarrassment, friendship conflict, sexual harassment, AI-generated content, or something that needs immediate safeguarding action. What they do know is that the pupil looks uncomfortable, the next lesson is about to start, and the decision they make in the next few minutes will shape what happens next.
In another part of the school, a teacher is using an AI tool to help prepare resources. It feels practical and helpful. The tool saves time, gives structure to a lesson idea, and makes a busy week feel slightly more manageable. Somewhere else, a member of the office team receives a message asking for pupil information to be shared with someone who appears to have a legitimate reason for needing it. The request fits the rhythm of the day, and answering quickly feels like the helpful thing to do.
These are not dramatic cyber incidents. They are ordinary school moments. They involve safeguarding, online safety, information sharing, cyber security, professional judgement and, increasingly, artificial intelligence.
That is why the draft version of Keeping children safe in education 2026 matters. It points towards a more connected view of digital risk in schools, where cyber awareness is not treated as a separate IT topic, but as part of the decisions staff, leaders and pupils are already making during normal school life.
It is important to be clear from the start that KCSIE 2026 is currently draft guidance for consultation, not current DfE policy. Schools should not treat the draft as final, and wording may change before the final version is published. But the direction of travel is useful. The draft strengthens the connection between safeguarding, online safety, generative AI, filtering and monitoring, information security and staff training. The draft also says that safeguarding training for staff, including online safety training, should be integrated, aligned and considered as part of the whole school or college safeguarding approach.
Cyber incidents are already showing up in education
The latest UK Government Cyber Security Breaches Survey gives useful context for why this matters. In the 2025/2026 education findings, 49% of primary schools, 73% of secondary schools, 88% of further education colleges and 98% of higher education institutions said they had identified a cyber breach or attack in the previous 12 months. Secondary schools saw the clearest year-on-year movement, rising from 60% in 2024/2025 to 73% in 2025/2026.
Those figures should not be turned into scare copy. They do not mean every school has suffered a major cyber incident, and they should be read with the survey’s own limits in mind. What they do show is that cyber risk is already present in the systems, accounts, platforms, devices, messages and records that education relies on every week.
We explored those figures in more detail in our article on what the 2025/2026 breaches survey really shows about cybersecurity in education.
The useful point for this KCSIE 2026 discussion is not simply that attacks are happening. It is that schools are now working in a digital environment where safeguarding, online safety, AI use, information sharing and cyber security increasingly overlap.
The question is no longer whether cyber belongs in education. It is whether cyber awareness is close enough to the decisions staff, leaders and pupils are already making.
KCSIE 2026 brings online safety further into everyday safeguarding
The draft KCSIE 2026 guidance describes online safety as a broad and evolving area. It groups online safety risks around the familiar 4Cs: content, contact, conduct and commerce. In the draft, those categories include harmful content such as misinformation, disinformation, conspiracy theories, misogyny, antisemitism and radicalisation; harmful contact with other users or generative AI applications; conduct such as online bullying, explicit image-sharing, AI-generated intimate images and deepfakes; and commerce risks such as gambling, inappropriate advertising, phishing and financial scams.
We explore the 4Cs in more practical detail in our guide to understanding the 4Cs of online safety for schools and trusts.
The useful point for this KCSIE 2026 discussion is not simply that the 4Cs need to appear in policy. It is that each one can show up inside ordinary school decisions: what a pupil reports, what staff notice, what gets filtered, what is escalated, what is recorded and what support is offered next.
That matters because schools are not dealing with one neat category called “online safety”. They are dealing with situations where online and offline behaviour overlap. A concern that begins in a group chat may affect behaviour in the corridor. A fake image may lead to shame, silence, threats or retaliation. A pupil may not report something because they are frightened of losing their phone, being blamed, getting someone else into trouble, or making the situation bigger.
For staff, this creates a judgement problem. The first sign of risk may not arrive as a clear safeguarding disclosure. It may arrive as a comment at the end of a lesson, a change in behaviour, a message shown quickly on a phone, or a concern that another pupil mentions without wanting to be involved.
At that point, the member of staff is not making a technical cyber decision. They are making a safeguarding decision in a digital context.
KCSIE 2026 appears to recognise that online safety cannot sit in a separate box. The draft says governing bodies and proprietors should ensure online safety is a running and interrelated theme while devising and implementing the whole school or college approach to safeguarding. That includes relevant policies, curriculum planning, teacher training, the role and responsibilities of the designated safeguarding lead and parental engagement.
That is the important shift. Online safety is not only something pupils are taught. It is something schools have to manage through culture, roles, training, reporting routes, technical systems, leadership oversight and everyday judgement.
AI makes the judgement problem more complex
The draft guidance also points schools and colleges towards support on the safe and effective use of generative AI in education. It refers to teacher-facing and pupil-facing use, and highlights risks connected with safeguarding, ethics, data protection and intellectual property.
That is a sensible direction, because AI in schools is not only a question of whether a tool is useful. It is a question of what people enter into it, what they take from it, what they trust, what they share, and what they do when AI is used to create or manipulate content.
A teacher using AI to support planning may not be thinking about cyber security. They may simply be trying to save time after a long day. A pupil using AI to create an image may not understand the harm it could cause once it is shared. A member of staff using an AI tool to summarise information may not immediately consider whether the content includes sensitive pupil details. A leader approving a new platform may be focused on workload, innovation and teaching benefits, while still needing to understand data protection, safeguarding and access implications.
None of those decisions are careless by default. They make sense inside the pressure of school life. Schools are busy, staff are stretched, and tools that promise speed or support can feel very attractive. That is exactly why AI guidance needs to become practical.
A policy may set boundaries, but staff and pupils also need examples that feel close to the situations they are likely to face.
For staff, that means knowing what should not be entered into an AI tool, when output needs checking, when a tool should not be used, and who to ask when the situation is unclear. For pupils, it means understanding manipulation, fake content, image-based harm, privacy, pressure and how to ask for help when something has already happened.
AI safety in schools cannot depend on everyone making perfect decisions in the moment. It needs a culture where pausing, checking and escalating feel normal.
Filtering and monitoring need ownership, not just systems
Filtering and monitoring is another area where the draft guidance moves beyond the idea that technology alone is enough. The draft says schools and colleges should ensure appropriate filtering and monitoring systems are in place and regularly review their effectiveness at least once every academic year. Reviews should include checks that filtering is working appropriately on all internet-connected devices in relevant locations, with a record kept of those checks. It also says leadership teams and relevant staff should understand the provisions in place, manage them effectively and know how to escalate concerns when identified.
That wording matters because it connects technical provision with human ownership.
A system can block content, generate alerts or apply rules, but someone still has to understand what is happening around it. Someone needs to know whether the system covers the devices pupils are using. Someone needs to know what happens when an alert appears. Someone needs to decide whether an incident is a technical issue, a safeguarding concern, a behaviour issue, a pastoral concern, or several of those things at once.
This is where schools can unintentionally create gaps. Filtering and monitoring may be seen as something owned by IT, while safeguarding is owned by the DSL, curriculum is owned by teaching staff, and strategic assurance is owned by leaders and governors.
In real life, the concern does not respect those boundaries. It moves across them.
A pupil might search for something concerning on a school device. A member of staff might notice that access behaves differently on a particular platform. A blocked page might be a sign that a system is working, or it might be part of a wider pattern that needs safeguarding attention. A remote learning tool, personal device, shared classroom device or third-party system might sit slightly outside what staff assume is covered.
Cyber awareness has a role here, but not because every teacher needs to understand the technical configuration. The useful question is much more practical: do staff know what the system is there to do, what its limits are, what to notice, and who to involve when something does not feel right?
Cyber security is part of safeguarding resilience
The draft KCSIE 2026 guidance also links information security and access management directly to safeguarding. It says governing bodies and proprietors should protect children’s personal information by ensuring appropriate cyber security systems are in place. It also points schools and colleges towards the Cyber security standards for schools and colleges, which are described as actions that can strengthen resilience, reduce the risk of disruption, prevent data breaches and mitigate safeguarding risks.
That connection is important because cyber security in schools is sometimes treated as a technical or operational issue until something goes wrong. In practice, it is closely connected to safeguarding, continuity and trust.
If a staff account is compromised, the risk may involve pupil records, internal communications or safeguarding information. If access to systems is disrupted, staff may not be able to reach the information they need at the point a concern is being handled. If sensitive information is shared through the wrong route, the issue is not only data protection. It may affect a child, a family, a member of staff, or the school’s ability to manage a concern safely.
This is why cyber awareness in education needs to be rooted in school work, not generic office scenarios. A school is not just another workplace. It holds sensitive information about children. It communicates with families. It uses multiple platforms. It relies on staff making judgement calls under time pressure. It has safeguarding duties that do not pause because a system is awkward, a message looks familiar, or a request appears to come from the right person.
The safer behaviour is not always obvious in the moment. Checking a request may feel slow. Asking another person may feel awkward. Escalating a concern may feel disproportionate when the evidence is incomplete. Waiting for confirmation may feel like it will hold up support for a child.
Good cyber awareness needs to acknowledge that reality, because that is where the decision actually happens.
So what changes for schools?
The practical shift is that cyber awareness can no longer sit at the edge of safeguarding as a separate training topic.
KCSIE 2026 does not appear to be saying that every member of staff needs to become a cyber specialist. The draft points in a more useful direction: staff need training and updates that include online safety, filtering and monitoring responsibilities, and that training should be integrated, aligned and considered as part of the whole school or college safeguarding approach.
That matters because many schools already have some form of awareness in place. Staff may have completed the NCSC cyber security training for school staff, watched a short awareness video, read a safeguarding update, or signed to confirm that they have understood the relevant guidance. Those things have value. They create a baseline, and in a busy school they can be a practical way to get important information in front of everyone quickly.
But baseline awareness is not the same as decision readiness.
A short generic video can explain common cyber risks. It can remind staff about passwords, suspicious messages or reporting routes. What it cannot do on its own is prepare staff for the wider situations now gathering around safeguarding: an AI-generated image shared between pupils, a filtering alert that may or may not connect to a welfare concern, a request for pupil information that appears legitimate, or a member of staff using an AI tool without being fully sure what information is safe to enter.
That does not make basic awareness training wrong. It simply puts it in its proper place. It is a starting point, not the whole safeguarding response.
We looked at this in more detail in our article on whether 36 minutes of cyber training is enough for schools.
The gap usually appears later, when information has to be used in real time. A pupil does not always describe an online concern neatly. A parent message does not always look suspicious. An AI tool does not always feel risky. A filtering alert does not always explain what needs to happen next. A request for information may appear to come from someone with a legitimate reason to ask.
In those moments, staff are not sitting in a module choosing the obviously safe answer. They are trying to help, respond, teach, protect, support or keep the day moving. The risk is that the digital part of the situation is missed because the human reason for acting feels so reasonable.
This is why schools should treat cyber awareness as part of safeguarding judgement, not as a technical add-on.
The aim is not to make staff anxious or suspicious of every message, tool or platform. It is to help them recognise the point where a normal task needs a check, a second route, a conversation or an escalation. It is also to help leaders understand whether the school’s systems, policies and training actually support those decisions when pressure is present.
For governors and senior leaders, this means asking a different kind of question.
Not only:
“Have staff completed cyber awareness training?”
But:
“Do staff know what to do when cyber, online safety, AI or information-sharing risks appear inside normal safeguarding work?”
That is the gap KCSIE 2026 should prompt schools to examine.
What schools should do now
Because KCSIE 2026 is still draft guidance, schools do not need panic-led changes based on unfinished wording. What they can do is use the draft as a prompt to review whether their current approach to cyber awareness, AI and online safety is close enough to the real decisions staff and pupils face.
The starting point should be ordinary work. Schools should look at where digital decisions already happen: pupil records, safeguarding platforms, filtering alerts, parent communication, finance processes, shared documents, AI tools, classroom platforms, remote access, homework systems, group chat concerns and online incident reporting.
The question is not simply whether a policy exists. The better question is whether the people involved know what to do when something appears during the day and does not fit neatly into one category.
Staff training should also be reviewed through that lens. Cyber awareness for schools should not feel like generic workplace training with school examples added at the end. It should help staff recognise the moments they actually meet: a pupil showing them a message, a parent email asking for information, an AI-generated image being shared, a login prompt appearing inside a familiar platform, a request to access a document, a filtering concern, or uncertainty about whether information can be shared.
The value of training is not only that staff learn more terms. It is that they become more confident recognising when a normal task has become a decision point. That confidence matters because the pause often has to happen before anyone knows for certain that something is wrong.
Schools should also make AI use clearer and more practical. That means understanding where AI is already being used, formally or informally, by staff and pupils. It means giving staff usable guidance on what can be entered, what should never be entered, what needs checking, and what to do when AI output affects a safeguarding, teaching, assessment or communication decision. It also means helping pupils understand that AI-generated content can still cause real harm, even when no camera was used and no original image existed.
Filtering and monitoring should be reviewed as a shared responsibility rather than a hidden technical function. Leaders, DSLs, governors, IT staff and relevant staff need enough shared understanding to know what is in place, what is reviewed, where limitations may sit, and how concerns move from a technical signal to a safeguarding response. That does not mean everyone needs the same level of technical knowledge. It means the school should not rely on one person quietly holding the whole picture.
Most importantly, schools should make it safe to pause and ask.
Staff need to know that checking is not overreacting, and escalation is not failure. In cyber and online safety, many situations begin with uncertainty. A message looks normal. A pupil gives only part of the story. A tool appears useful. A request feels legitimate. A platform is familiar.
The safer culture is not one where people become suspicious of everything. It is one where they can say, “This may be fine, but I need to check before I act.”
Cyber awareness needs to move closer to safeguarding judgement
The draft KCSIE 2026 guidance points towards a more connected reality for schools. Online safety is not separate from safeguarding. AI is not separate from professional judgement. Filtering and monitoring are not separate from leadership ownership. Cyber security is not separate from pupil information, continuity and trust.
For schools, the practical task is not to turn every member of staff into a cyber expert. It is to help staff, leaders and pupils recognise the moments where ordinary digital work needs a little more judgement, verification or support.
That is where cyber awareness becomes useful.
Not as another tick-box session, and not as a warning to “be careful”, but as practical support for decisions schools are already making every day.
If your school is reviewing how KCSIE 2026 may affect online safety, AI use, cyber security or staff training, this is a good time to look at the working moments behind the policy. The strongest place to start is not with a list of threats. It is with the places where staff and pupils are already deciding what to trust, what to share, what to question and when to ask for help.
Director of Training and Development, Cyber Rebels.
Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure.
With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices.
He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments.
Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.