Cyber Rebels

From Central Office to Classroom: Embedding Cyber Awareness Across MATs

A member of the school office team is trying to get through the morning rush. Registers are being checked, a parent is waiting at reception, a supply teacher needs access to the right system, and an email arrives that appears to relate to a supplier invoice. The sender name looks familiar, the wording is routine, and the request sits inside work that already needs doing.

In that moment, the decision does not feel like a cybersecurity decision. It feels like an administrative one. Do they open the attachment, reply quickly, approve the change, or leave it until later and risk slowing everything down?

That is why embedding cyber awareness across a multi-academy trust is not simply about sending the same reminder to every school. Awareness has to reach the places where decisions are actually made: central finance, school offices, classrooms, safeguarding processes, shared drives, cloud platforms, governance meetings, and day-to-day communication with parents, suppliers, staff, and pupils.

The Department for Education’s digital and technology standards for schools and colleges have made cyber security a clear leadership and operational responsibility. The current standards include areas such as cyber risk assessment, cyber awareness plans, anti-malware and firewalls, account security, software updates, backups, and reporting cyber attacks.

For MATs, the important point is not simply that standards exist. It is that cyber awareness has to become consistent across different schools, roles, systems, and levels of responsibility. A trust can have strong technical controls and still remain exposed if staff do not recognise the moments where risk appears as normal work.

Cyber Awareness Has to Travel Across the Trust

A multi-academy trust is not one working environment. It is a connected network of different environments, each with its own pressures and routines. Central teams may be handling finance, HR, procurement, governance, and policy. School offices may be dealing with attendance, parent communication, visitors, supply cover, payments, and urgent requests. Classroom staff may be using learning platforms, shared resources, email, cloud documents, and pupil information systems throughout the day.

Those environments do not create the same decisions. A finance officer dealing with a supplier payment change is not in the same position as a teacher opening a shared resource before a lesson. A safeguarding lead accessing sensitive records is not making the same decision as a governor reviewing papers through a shared portal. A member of the office team responding to a parent query is not facing the same pressure as an IT lead trying to contain an incident across multiple sites.

This is why trust-wide cyber awareness cannot be a single generic message. It needs a shared foundation, but it also needs role relevance. People need to recognise cyber risk inside the work they actually do, not inside abstract examples that feel distant from their day.

The aim is not to make every member of staff think like an IT specialist. It is to help them notice when a routine task is asking for more trust than usual. A file that needs opening, a link that asks for credentials, a payment change that feels urgent, a shared document that appears at the right time, or a system prompt that interrupts a busy workflow can all become decision points.

Cyber awareness becomes meaningful when staff can see those points before they act.

Why MATs Face a Different Kind of Cyber Challenge

MATs can be particularly complex because they combine central oversight with local operational reality. A central team may set policy, manage contracts, oversee systems, and coordinate digital strategy, but the decisions that shape risk often happen locally and quickly.

A school office may be under pressure to respond to parents before the day begins properly. A teacher may be preparing lessons between responsibilities. A pastoral or safeguarding team may be handling sensitive information while responding to urgent concerns. A finance team may be processing supplier activity across multiple schools. A senior leader may need to make a judgement about communication, escalation, or disruption before the full picture is clear.

This creates a difficult balance. MATs need consistency, but they also need flexibility. A trust-wide approach has to create common expectations without ignoring the different ways schools actually operate.

The threat picture reinforces this. The Cyber Security Breaches Survey 2025/2026 found that 49% of primary schools, 73% of secondary schools, 88% of further education colleges, and 98% of higher education institutions identified a breach or attack in the previous 12 months. Among those that identified breaches or attacks, phishing was reported by 90% of primary schools, 96% of secondary schools, and 96% of further and higher education institutions combined.

Those figures should not be used to frighten schools. That does not help. The useful point is that cyber risk is already part of the education environment, and phishing remains heavily connected to normal communication. That means awareness cannot sit outside the working day. It has to sit inside it.

The Limits of Technical Controls

Technical controls matter. Firewalls, filtering, anti-malware, account security, software updates, device management, secure backups, and monitoring all form part of the trust’s protection. The DfE cyber security standards reflect this by setting expectations across technical, operational, and governance areas.

But technical controls cannot interpret every human situation.

A filter may block a known malicious site, but it cannot always know whether a member of staff expected a document from a supplier. Multi-factor authentication can reduce the risk of account compromise, but it cannot always stop someone approving a prompt because they believe they are logging into a legitimate system. A backup process may exist, but it does not help the first hour of an incident if staff do not know who to contact or what not to touch. A device may meet a secure baseline, but the way people use accounts, share access, respond to warnings, and report uncertainty still matters.

This is where the trust-wide awareness gap appears.

If cyber security is framed only as an IT function, staff may assume that anything they can access has already been made safe for them. If it is framed as shared operational judgement, the meaning changes. Staff begin to understand that systems can be well managed and still depend on how people interpret messages, prompts, requests, and unusual behaviour.

That does not reduce the role of IT. It makes IT support more effective, because the rest of the trust understands when to pause, when to check, and when to escalate.

Awareness Needs to Match the Role

Cyber awareness training across a MAT should not feel like a generic compliance exercise. It should help different people recognise the decisions they are most likely to face.

For central finance, that might mean supplier impersonation, invoice redirection, payment changes, procurement fraud, and approval pressure. For school office teams, it might mean parent communication, attendance data, attachments, fake login pages, visitor information, and urgent administrative requests. For teaching staff, it might mean shared resources, classroom platforms, personal device boundaries, cloud documents, and pupil data. For safeguarding teams, it might mean sensitive records, access discipline, secure communication, and escalation. For governors and trustees, it might mean asking informed questions about oversight, readiness, reporting, and accountability.

The DfE cyber security core standard says cyber training should be given at least annually, or more regularly where there is a known cyber risk, and it identifies coordination between the SLT digital lead, IT support, the DPO, and the designated safeguarding lead. That is important because it positions awareness as something that crosses roles, not something that lives with one department.

The training itself needs to reflect that. Staff do not need abstract warnings about “being vigilant”. They need scenarios that feel like their work. A last-minute email before the school day begins. A shared file from a colleague. A login prompt during lesson preparation. A supplier invoice that arrives at the end of a busy week. A request to move pupil information into a new location. A message that appears to come from a senior leader.

Those moments work because they are believable. The person’s decision makes sense. They are trying to keep the school moving, respond to someone else’s need, and avoid creating delay. That is exactly why the risk needs to be visible before the action becomes automatic.

From Compliance to Culture

Meeting standards is important, but compliance alone does not create culture. A trust can have policies, records, and controls in place while staff still feel unsure about what to do when something looks almost normal but not quite right.

Culture forms in the way people respond to those moments.

If a member of staff worries they will be blamed for clicking something, they may delay reporting. If someone is unsure whether a message is suspicious but does not want to look foolish, they may act quietly rather than ask. If leaders only discuss cyber security after something goes wrong, staff may see it as an incident topic rather than a normal part of professional practice.

A stronger culture works differently. It makes early reporting feel responsible. It treats uncertainty as something to be raised, not hidden. It gives staff permission to pause when a request asks for unusual access, urgency, payment, data movement, or credential entry. It helps leaders model the behaviour they expect from others.

This is especially important in MATs because culture has to travel. It has to reach central office and individual schools. It has to be understood by senior leaders and support staff. It has to make sense to teaching teams and operational teams. It has to survive busy periods, staff turnover, new systems, and local variation.

Cyber awareness becomes embedded when it is repeated through normal trust life: induction, CPD, staff briefings, leadership discussions, governance reporting, incident rehearsals, and post-incident learning. It should not appear once a year and then disappear.

What Embedded Awareness Looks Like in Practice

Embedding cyber awareness across a MAT does not mean turning every staff briefing into a technical session. It means placing practical judgement into the rhythms the trust already uses.

A trust might use short scenario discussions during staff development time, where teams look at a realistic message or request and discuss what decision they would make. A school office team might practise how to verify a payment change or suspicious parent communication. A senior leadership team might rehearse the first hour of an account compromise or ransomware concern. Governors might receive clear reporting on training coverage, incident readiness, and known areas of exposure.

The point is not to create more noise. Schools already have enough to absorb. The point is to make cyber awareness easier to apply because it is linked to real tasks.

A phishing simulation, for example, should not be used to catch people out. Used poorly, it can create embarrassment and silence. Used well, it becomes a learning moment that helps staff recognise pressure, timing, language, and verification routes. The question should not be, “Who failed?” It should be, “What made this believable, and how would we handle it next time?”

That shift matters because it builds judgement rather than fear.

The same applies to incident response. A plan that only senior leaders or IT staff understand is fragile. Staff do not need every technical detail, but they do need to know what to report, who to contact, what to avoid doing, and how communication will be handled. In a live incident, confusion spreads quickly. Clear expectations reduce that confusion.

Learning from the Decisions That Repeat

Most cyber risk in schools is not created by one dramatic failure. It builds through repeated decisions that do not stand out at the time.

A password is shared because it is quicker. A document is saved into the wrong location because someone needs access urgently. A suspicious email is left unreported because the person is not sure. A login prompt is followed because it looks like the system normally used. A payment change is accepted because the sender seems familiar. A backup process is assumed to work because no one has needed to restore from it recently.

Each decision can feel reasonable in isolation. The problem is repetition. Across a trust, small decisions repeat through different teams, systems, and schools. If no one sees the pattern, the trust may believe it has a technical problem when it actually has a consistency problem.

This is where MAT leadership matters. Leaders do not need to become cyber specialists, but they do need to create the conditions where cyber awareness is treated as part of operational resilience, safeguarding, governance, and professional responsibility. That means asking different questions. Not only “Have staff completed training?” but “Do staff know what to do when a request feels almost legitimate?” Not only “Do we have an incident plan?” but “Have people practised the decisions they would need to make?” Not only “Are systems secure?” but “Are the behaviours around those systems consistent?”

Those questions move awareness from policy into practice.

How Cyber Rebels Supports MATs

Cyber Rebels supports multi-academy trusts by helping cyber awareness become practical, role-relevant, and connected to the decisions staff actually make.

Our approach is built around real working situations rather than generic cyber warnings. That means looking at how risk appears in school offices, central finance, classroom activity, safeguarding processes, leadership decisions, shared systems, and trust-wide communication. We focus on the point where a member of staff sees something, interprets it as part of the job, and has to decide whether to continue, verify, report, or escalate.

For MATs, this matters because awareness has to be consistent without becoming generic. A trust needs shared language, clear expectations, and common reporting habits, but it also needs examples that make sense to different roles. The aim is not to make staff nervous around technology. It is to help them recognise when a normal action is asking for more trust than usual.

Cyber Rebels training can support role-specific awareness, leadership conversations, incident response practice, safer reporting culture, and practical alignment with the DfE’s expectations around cyber awareness and readiness. The work sits between policy and behaviour: helping trusts move from having standards written down to seeing better decisions made in real situations.

That is where awareness becomes useful. Not as another compliance item, but as a visible change in how people handle pressure.

From Central Office to Classroom

Embedding cyber awareness across a MAT is not about adding another layer of burden to already busy schools. It is about making existing work safer, clearer, and more consistent.

The central office has a role because it shapes systems, policy, contracts, governance, and trust-wide expectations. School leaders have a role because they model priorities and create the culture staff work within. Office teams have a role because many cyber risks enter through administration, finance, communication, and access. Teachers have a role because digital tools now sit inside everyday teaching and learning. Governors and trustees have a role because they provide oversight, challenge, and accountability.

The trust becomes stronger when those roles are connected.

Cyber awareness cannot be left in one corner of the organisation. It needs to travel from central office to classroom, not as a slogan, but as a shared way of recognising risk in ordinary work. A supplier email is checked before a payment is changed. A login prompt is questioned before credentials are entered. A suspicious file is reported before it is opened. An incident plan is practised before a live incident forces people to improvise. A near miss becomes learning, not blame.

That is what meaningful cyber awareness looks like across a MAT. It is calm, practical, and repeated. It recognises that staff are already making decisions under pressure, and it gives them the confidence to handle those decisions more safely.

If this feels familiar across your trust, the next step is not to make cyber security louder. It is to make it clearer. Cyber Rebels helps MATs build awareness that fits the way schools actually work, so staff across central teams, school offices, classrooms, and leadership can recognise the moments that matter and respond with better judgement. You can learn more about our approach to cybersecurity training for education and training providers.

Director of Training and Development, Cyber Rebels. Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
