Four out of five schools have suffered a cybersecurity incident such as phishing or malware and one in five have reported unauthorised access to their computers, networks or servers by their own students.
The findings come from a cybersecurity audit of more than 430 schools across the UK carried out by the National Cyber Security Centre (the cybersecurity arm of surveillance agency GCHQ) and the London Grid for Learning (LGfL).
The audit found that nearly all schools (97%) said that losing access to network-connected IT services would cause considerable disruption, but that the vast majority of schools (83%) had experienced at least one of a number of types of cybersecurity incident.
SEE: 10 tips for new cybersecurity pros (free PDF)
For example, 69% of schools had been targeted by a phishing attack and 35% had experienced periods with no access to important information, while 30% said they had suffered a malware infection, including viruses or ransomware. And 20% said they had been victims of spoofing attacks, where their school emails were impersonated by others.
Just over one in five - 21% - reported unauthorised pupil use of computers, network or servers (including accidental usage), while 11% said they had experiences of unauthorised staff use of computers, networks or servers. Only 4% said there had been unauthorised external use and even fewer - 3% - admitted leaks of confidential information from online systems.
"Since GDPR came into force in May 2018, schools have had new requirements placed upon them regarding data access and protection. Nonetheless, 21 percent of schools had experienced non-authorised IT system use by pupils," the report said.
Schools are often seen as a tempting target by hackers because they have limited funds and cybersecurity skills to protect themselves, while also holding large amounts of sensitive data.
One the plus side, more than 95% of schools had firewalls, antivirus, data backups and kept software patches up to date. As many as 85% had a cyber security plan, but only 41% had a business continuity plan and the audit found there was relatively low use of strong cybersecurity practices, such as mobile-device management and two-factor authentication.
"Budgets are tight, the curriculum is squeezed, and school is all about keeping children safe and providing the best-possible education. So you won't often hear schools talking about their cybersecurity preparedness. Whilst it was hospitals rather than schools which suffered major disruption from the WannaCry virus, schools are just as likely as any organisation to face DDoS and phishing attacks," said Mark Bentley, safeguarding and cybersecurity manager at LGfL.