Description

Episode Description

Following the Kido nursery breach where 8,000 children's photos were stolen and posted online, we sit down with education sector expert Tammy Buchanan. With 15 years working in UK schools and now consulting on data protection compliance, Tammy reveals the shocking reality of cybersecurity in British education. From nurseries using platforms like Famly and Tapestry to primary schools struggling with basic MFA implementation, this conversation exposes systematic failures that put every child's data at risk. If you're a parent, school governor, or education professional, this episode will change how you think about school security.

Currently ranked in the Top 100 Apple Business Podcasts (US)

What You'll Learn

• Why only 50% of schools have multi-factor authentication enabled
• The difference between early years providers and mainstream schools
• How photo-rich platforms create unique vulnerabilities for nurseries
• Why DFE digital standards remain unknown to most schools
• The governance problem: volunteers without power
• Who actually gets things done when head teachers won't prioritise security
• Why schools keep breaches quiet and what that means for parents
• Practical steps parents can demand from their child's school today
• The Cyber Essentials challenge for small schools with limited budgets
• How COVID pushed schools years ahead without proper security foundations

Guest Contact Details

Tammy Buchanan
Senior Data Protection Consultant
Data Protection Education

Email: info@dataprotection.education
LinkedIn: Search for Tammy Buchanan or visit the Data Protection Education company page
Website: Data Protection Education

Tammy and her team (including a solicitor) work with schools across the UK on data protection compliance, information security, and cyber resilience. They provide free resources and news updates for schools on their LinkedIn page.

Government and Regulatory:

• DFE Digital Standards (Department for Education)
• NCSC (National Cyber Security Centre) staff training resources
• ICO (Information Commissioner's Office) breach log and guidance
• Ofsted inspection framework
• Safeguarding regulations

Platforms Discussed:

• Famly (early years learning journey platform)
• Tapestry (early years learning journey platform)
• Arbor (school management information system)
• Bromcom (school management information system)

Security Standards:

• Cyber Essentials certification
• Multi-factor authentication (MFA) implementation
• Incident response planning

Additional Resources:

• The Small Business Cyber Security Guy blog: thesmallbusinesscybersecurityguy.co.uk
• Data Protection Education news page (free resources for schools)

Key Statistics from This Episode

• 50% or less of schools have MFA enabled
• 8,000 children's photos stolen in the Kido breach
• 12 years Tammy worked directly in schools before consulting
• 15 years Tammy has been in the education sector overall
• 2030 target date for schools to meet six DFE digital standards

Questions Parents Should Ask Their School

1. Do you have multi-factor authentication enabled on all systems?
2. How often do staff receive cybersecurity training?
3. Where is your incident response plan and when was it last tested?
4. Who on the governing body is responsible for data protection and cyber resilience?
5. Are you working towards the DFE digital standards?
6. Which third-party platforms hold my child's data and photos?
7. How do you monitor and configure security settings on these platforms?

Key Takeaways

For Parents:

• Schools are having breaches regularly but keeping them quiet
• Most schools lack basic security like MFA
• Your child's photos on learning journey apps create unique risks
• You have the right to ask questions about data protection
• Schools respond to parental pressure

For School Leaders:

• Documentation matters for ICO compliance
• Training needs updating regularly, not the same video for three years
• Incident response plans are useless if nobody knows where they are
• School business managers need authority, not just responsibility
• Other schools' examples work better than external expert advice

For Governors:

• Cybersecurity needs to be statutory to get real traction
• Digital lead on governing body remains unfilled at many schools
• You need both knowledge and authority to make change happen
• Physical security analogies help boards understand cyber risks

The Big Picture

This episode exposes a systematic failure in UK education cybersecurity. Schools operate under considerable constraints, including volunteer governance, stretched budgets, and part-time IT support. Meanwhile, they hold treasure troves of children's data on platforms configured by people who lack security expertise. The Kido breach reveals what happens when one password unlocks 8,000 children's intimate moments. Most schools are one credential compromise away from the same fate. Until cybersecurity becomes statutory or linked to Ofsted inspections, progress will remain painfully slow.

Connect With The Show

Website: thesmallbusinesscybersecurityguy.co.uk
Subscribe: Available on all major podcast platforms
Social Media: Find us on LinkedIn

Help us grow: Leave a review, subscribe, and share this episode with parents, teachers, and school governors who need to hear this message.