Simon Freeman, Managing Director at IRIS Education, wrote a piece for Schools Week this week arguing that email is the single biggest cybersecurity vulnerability in schools. His core point is simple: email was never designed for financial transactions, but schools use it to send bank details, approve invoices, and share payment instructions every day. That gap between what email was built for and how schools actually use it is where the risk sits.

He’s right. And the statistics he cites are uncomfortable: one in four schools experienced a cybersecurity incident in the last 12 months, two in five lack any cybersecurity training, and over one in five don’t even have a cybersecurity policy. Those numbers alone should worry anyone running a school.

Image: the Schools Week article by Simon Freeman arguing that email is the weakest link in school cybersecurity, under the headline 'Email is the weakest link that could bring down your school'.

The problem isn’t just phishing

When people think about email security, they think about phishing: the dodgy link, the fake Microsoft login page, the “urgent” message from a supplier. And yes, phishing is a real threat. But Freeman’s article highlights something more fundamental. Schools are using email as a workflow tool for high-risk financial processes. A bursar emails bank details to a supplier. A headteacher approves a payment over email. Someone forwards an invoice as an attachment, and it gets actioned without a second verification step.

None of this requires a sophisticated attack. A compromised email account, a well-timed impersonation of a headteacher, or even a simple typo in a forwarded bank detail can result in thousands of pounds going to the wrong place. The attacker doesn’t need malware or ransomware. They just need to look convincing in an inbox that’s already overflowing.

Training helps, but process matters more

Freeman recommends cybersecurity training, incident response plans, and a no-blame reporting culture. All good advice. But I think the more important recommendation in his piece is the one about moving high-risk transactions off email entirely.

If your school still processes supplier invoices by email, approves bank detail changes by email, or shares financial information over email, then training your staff to spot phishing is treating the symptom rather than the cause. The cause is that email is being used for something it was never designed to do securely.

Finance systems with proper approval workflows, authenticated portals for supplier payments, and a policy of verifying bank detail changes through a separate channel (a phone call, not a reply to the same email thread) are all process changes that reduce the attack surface regardless of how good your staff are at spotting suspicious messages. People will always click things they shouldn’t. The goal is to make sure that clicking the wrong thing doesn’t immediately result in a financial loss.

Schools are targets, not bystanders

I wrote recently about the C2K cyber attack in Northern Ireland, where a single attack on a centralised school network locked out every pupil and teacher weeks before exams. That was an infrastructure-level attack. Email-based attacks are different: they’re quieter, harder to detect, and often target individual staff members rather than systems. A school might not even realise it’s been compromised until the money has gone.

The National Cyber Security Centre has been warning about this for years. Schools hold sensitive data on children, operate on tight budgets with limited IT resource, and often lack the security infrastructure that a similarly sized business would have. That makes them attractive targets, not for nation-state attackers, but for opportunistic criminals who know that a school office is more likely to action an invoice without a second check than a corporate finance department.

What’s worth doing now

Freeman’s article is published by a vendor (IRIS makes school finance software), so there’s an obvious commercial interest in schools moving financial processes onto platforms like theirs. That doesn’t make the argument wrong. If anything, the vendor angle makes the practical recommendation clearer: stop using email for things that need to be secure.

Some specific steps that don’t require buying new software:

Verify bank detail changes by phone. If a supplier emails to say their bank details have changed, call them on a number you already have on file. Not the number in the email. This one step alone would prevent a large proportion of payment fraud in schools.

Stop emailing bank details. If you need to share account information with a supplier or parent, use a secure method. Even a password-protected document is better than plain text in an email, though a proper portal is better still.

Enable multi-factor authentication on every email account. This should already be done, but the statistics suggest many schools haven’t. MFA won’t stop every attack, but it stops the easiest ones: compromised passwords from data breaches, credential stuffing, and basic phishing.

Run a tabletop exercise. Sit down with your office team and walk through a scenario: “A supplier emails with new bank details and an urgent invoice. What do we do?” If the answer involves replying to the email or forwarding it to someone else to action, you have a process gap.
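The first and last of these steps describe the same control: a bank-detail change is only actioned after a callback to a number the office already holds, never to one supplied in the email. The following is an added example, not code from the Schools Week article, IRIS, or this blog, that models that workflow as a small Python check. The supplier record, the phone numbers and the email text are constructed sample data, and the phone and urgency patterns are rough heuristics chosen for illustration.

```python
# Added example (not code from the Schools Week article, IRIS, or this blog):
# a minimal model of a supplier bank-detail change workflow that refuses to
# update payment details unless the change was confirmed by a callback to the
# contact number already on file, never to a number taken from the email.
# Supplier names, numbers and the email text below are constructed sample data.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Supplier:
    name: str
    phone_on_file: str        # number recorded when the supplier was first set up
    sort_code: str
    account_number: str


@dataclass
class ChangeRequest:
    supplier_name: str
    email_body: str
    new_sort_code: str
    new_account_number: str
    callback_number: Optional[str] = None   # number the office actually dialled
    callback_confirmed: bool = False        # supplier confirmed the change on that call


# Words that typically accompany payment-fraud emails; used only to flag, never to approve.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|today|asap|final notice)\b", re.I)
# Rough UK phone-number shape: leading 0 or +44, then 9-10 more digits with optional spaces/dashes.
PHONE = re.compile(r"(?:\+44\s?\d|0\d)(?:[\s-]?\d){8,9}\b")


def digits(number: str) -> str:
    """Normalise a phone number to digits only so '020 7946 0000' equals '02079460000'."""
    return re.sub(r"\D", "", number)


def risk_flags(req: ChangeRequest) -> list[str]:
    """Heuristics that mark a change request for extra scrutiny; they never approve anything."""
    flags = []
    if URGENCY.search(req.email_body):
        flags.append("urgency-language")
    if PHONE.search(req.email_body):
        # A phone number inside a "please call to confirm" email is the classic
        # trick: the number reaches whoever wrote the email, not the supplier.
        flags.append("callback-number-supplied-in-email")
    return flags


def apply_change(supplier: Supplier, req: ChangeRequest) -> tuple[bool, str]:
    """Update bank details only after an out-of-band callback to the number on file.

    Returns (applied, reason) so the office has a recorded reason for every refusal.
    """
    if req.supplier_name != supplier.name:
        return False, "request does not match supplier record"
    if not req.callback_confirmed:
        return False, "no confirmed callback; do not action from the email"
    if req.callback_number is None or digits(req.callback_number) != digits(supplier.phone_on_file):
        return False, "callback was not made to the number on file"
    supplier.sort_code = req.new_sort_code
    supplier.account_number = req.new_account_number
    return True, "bank details updated after verified callback"


if __name__ == "__main__":
    # Constructed walkthrough of the tabletop scenario in the text.
    acme = Supplier("Acme Catering Ltd", "020 7946 0000", "12-34-56", "12345678")
    body = ("URGENT: our bank details have changed, please pay today. "
            "Call 07700 900123 to confirm the new account.")
    req = ChangeRequest("Acme Catering Ltd", body, "65-43-21", "87654321")
    print("flags:", risk_flags(req))
    print(apply_change(acme, req))                       # refused: no callback yet
    req.callback_number, req.callback_confirmed = "07700 900123", True
    print(apply_change(acme, req))                       # refused: number came from the email
    req.callback_number = "020 7946 0000"
    print(apply_change(acme, req))                       # applied: number on file
```

The point of the structure is that `risk_flags` and `apply_change` are separate: the flags only add scrutiny, while the refusal to update without a verified callback holds whether or not the email looked suspicious, which is the process change the article argues for.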

This isn’t going away

Cyber attacks on schools are increasing in frequency and sophistication. The DfE’s cyber security standards set baseline expectations, but meeting the standard on paper and being resilient in practice are different things. Email will remain the primary attack vector for schools because it’s the primary communication tool, and because the gap between how it’s used and how it should be used is so wide.

Freeman is right that this needs to be treated as a leadership responsibility, not an IT problem. The headteacher who treats payment security with the same seriousness as safeguarding or fire safety is the one whose school is less likely to end up in the news. The technology matters, but the culture and process around it matter more.