Case Study
Aligning to NCSC Best Practice Through Cyber Resilience and Network Assessments
The client is a well-established UK prep school operating across a modern, technology-led environment. As with much of the education sector, the school relies on a complex mix of cloud services, on-premise infrastructure and connected devices, all of which sit within one of the most heavily targeted sectors in the world for cyber-attack.
In this story
Formation Tech were engaged by a UK prep school to assess its alignment to NCSC best practice across both the human and network sides of cyber security. The engagement uncovered critical oversights, including a CCTV system openly exposed to the internet on a network shared with core servers in Azure, and led to a strategic roadmap of prioritised improvements that delivered both stronger security and a better digital experience for staff and teachers.
Challenges
A Sector Under Pressure, and Hidden Exposure Within It
Education is one of the most attacked sectors in the world. Schools hold significant volumes of sensitive data on pupils, parents and staff, and increasingly rely on technology to deliver day-to-day teaching. That combination of high-value data, a broad attack surface and limited specialist security resource in-house makes the sector a consistent target.
Most cyber incidents start with the human side: phishing, social engineering, the kind of activity that captures the public's imagination because it is the most common and the most relatable. But while the human layer is typically the way in, the damage rarely happens at the point of entry; it happens because of what an attacker is able to do after they get in. For schools, understanding both how to reduce that initial attack surface and how to limit the damage if something is breached is essential.
This particular prep school wanted an objective view of where it stood. The leadership team and IT function needed to understand their real risk position, not in abstract terms, but in a way that could be communicated to governors, aligned to budget realities, and used to set priorities for the years ahead. Behind that was a clear regulatory horizon: NCSC guidance, alongside the Cyber Assessment Framework (CAF), with which all schools are expected to be aligned by 2030.
Solution
Two Foundational Assessments, One Strategic View
Formation Tech engaged the school using its two foundational assessments aimed at education: the Cyber Resilience Quick Assessment (CRQA), focused on the human side of cyber security, and the Cyber Networks Quick Assessment (CNQA), focused on the network side. Both quick assessments have aligned in-person, in-depth versions, and both are designed to give IT managers, governors and senior leaders an objective view of where the school's risks really sit, measured against NCSC best practice.
The assessment of the network environment surfaced several critical oversights that left the school significantly more exposed than the team had appreciated. A CCTV system had been left open to the internet, sitting on a network that was equally exposed to core servers running in Azure. The wider environment included unsegregated networks, meaning that compromise of any of the lower-hanging fruit would have been felt much more widely across the school than it should have been.
These are exactly the kinds of issues that an objective, NCSC-aligned assessment is designed to surface: not theoretical risks, but specific, fixable exposures that had built up over time and were no longer being seen by those closest to the environment.
Outcomes
A Roadmap That Improves Both Security and Digital Experience
The assessment delivered a strategic plan to resolve the issues identified, structured around an initial set of quick wins that immediately reduced the school's exposure, followed by a longer roadmap of more significant improvements. Crucially, the roadmap was designed to align with the school's budget and funding cycles, recognising that the right plan is the one a school can actually deliver on, not the one that looks best on paper.
The outcome went beyond security. Education is now a deeply technology-led discipline: the network environment underpins teaching, communication, and the day-to-day experience of both staff and pupils. By addressing the network at a foundational level, the work didn't just close down risk; it improved the digital experience of staff and teachers, supporting the way modern teaching is actually delivered.
More broadly, the case illustrates how the CRQA and CNQA work as a pair. NCSC best practice covers both the human and the network sides of cyber security, and so does the assessment programme. For schools navigating the path to alignment with the 2030 educational frameworks, the value of the assessments is not just in the technical findings; it is in giving senior leaders and governors an objective, communicable view of where to put their priorities, and a plan that fits the realities of how schools actually operate.
2 Critical: Internet-exposed CCTV and core servers identified and resolved
Quick Wins + Roadmap: Phased plan aligned to school budget and funding
2030: Aligned to NCSC and educational framework requirements