On this page
What changed in school cyber safety since 2022
Four developments have reset the cyber safety agenda for schools over the past three to four years. The first is generative AI. ChatGPT, Claude and the other large language models have moved from novelty in 2022 to standard student behaviour by 2024. Schools that did not write an AI policy lost the integrity of internal assessment first, then formal coursework second. The strongest schools now have a written, taught, regularly updated AI usage policy.
The second is the rise in sextortion targeting teenagers, particularly boys. The UK National Crime Agency, the FBI, the AFP and equivalent agencies worldwide have all flagged sharp increases. Schools have moved from generic e safety lessons to specific, named training on this risk, supported by clear reporting routes that do not punish the victim. The third is data breach exposure. Several large school groups have suffered breaches affecting current and former pupils; insurance markets are responding with tighter underwriting. The fourth is the move to one to one device programmes, which has placed more screen time inside the school day than at any prior point.
For wider context on what is shifting across the sector, our state of international schools 2026 piece sets the broader backdrop. Cyber safety is, in 2026, one of the three or four areas where the variance between strong and weak schools matters most.
Filtering, networks and managed devices
The technical baseline starts with network filtering. The school network should run a web filter that blocks adult content, gambling, self harm content and known phishing domains, with category granularity sufficient to allow legitimate research while blocking unwanted material. Strong schools use a named filtering provider, publish a category list to parents on request, and have a documented override process for sixth form research.
The device model is the second variable. One to one programmes on school owned hardware allow the school to install device level monitoring, control app installation and remote wipe in the event of loss. Bring Your Own Device approaches give the school less visibility but require a more sophisticated network policy. The strongest schools have a clear device choice and own the trade off explicitly; the weakest run a hybrid model that produces gaps.
The pastoral side of the technical work is just as important. Children do not always tell adults what they are seeing online. A school with strong cyber safety has a monitoring system that flags concerning activity, a named staff lead who reviews flags daily, and a documented response protocol that includes the wellbeing team. Ask whether the school has a specific tool, who reviews the flags and how often. Read our piece on AI policy at international schools 2026 for the wider technology policy frame.
Generative AI and assessment integrity
Generative AI is the single largest cyber safety policy question of 2026. The strongest schools have a written AI policy that addresses three things explicitly: what AI tools are permitted on the school network and managed devices, how AI use must be cited in coursework, and what counts as academic dishonesty. The policy should distinguish between research support, drafting assistance and direct generation of submitted text.
External examination boards have moved at different speeds. The IB published clear AI guidance for the Diploma core and coursework subjects in 2024. Cambridge and Edexcel followed with detailed guidance through 2025. The AP programme has guidance but allows individual institutions latitude. Schools that integrate this guidance into Year 9 and Year 10 routines build healthier habits than schools that introduce it at the start of sixth form.
Download our cyber safety audit checklist
We have built a one page cyber safety school audit checklist that lists every question parents should put to admissions before signing an offer. Free to download, no email required for the PDF.
The integrity dimension matters because the alternatives are worse. Schools that ban AI outright tend to drive use underground; schools that pretend AI does not exist produce graduates who arrive at university unable to use the tools responsibly. The middle path, written into a policy and taught explicitly, is producing the most coherent outcomes.
Social media, phones and the school day
Phone policy has reshaped the school day at a growing number of international schools since 2024. The strongest model in our reading of the evidence is full phone away during school hours, including at break and lunch, with phones collected at the start of the day or kept in a designated locker. Schools that have implemented this report measurable improvements in pupil concentration and break time interaction within one academic year.
The argument against full removal is that phones are tools children rely on for transport, family contact and timetable management. The strongest schools resolve this by allowing phone access at defined moments such as the start and end of the day, with school smart watches or supervised lanyards for emergency contact. The weakest run a soft policy that is unenforceable and produces continual low level conflict between staff and students.
Social media itself is a related but distinct question. Most accredited international schools do not allow access to Instagram, Snapchat, TikTok or X on the school network. The harder question is the use of these platforms outside school but on school related matters, where the school's safeguarding responsibility extends. Schools with strong policies have explicit guidance on student to student contact and student to staff contact through social platforms.
Data the school holds about your child
The school holds a substantial dataset on every pupil: name, date of birth, contact details, medical information, behavioural records, assessment scores, photographs and increasingly behavioural data from learning management systems and device monitoring tools. Parents should know where this data sits, who has access, how long it is retained and what would happen in a breach.
Strong schools publish a privacy notice, list the third party processors used, and respond promptly to subject access requests. They run their own data protection impact assessments before adopting new technology. They have a named data protection officer. The weakest schools rely on a generic policy copied from a template, have not audited their third party processors in years, and have no breach response plan beyond improvisation.
The international dimension complicates things. A school operating in Singapore but using a US based learning management system is subject to data transfer rules between jurisdictions; the GDPR rules, the UAE PDPL, Singapore PDPA, and the various Asian data protection frameworks all touch the school's processors. Ask the school for the most recent data protection audit and the date of its last breach incident, if any.
Response to online harms
The response plan for an online safety incident is the test of operational seriousness. Strong schools have a written incident response protocol covering sextortion, online grooming, doxxing, intimate image sharing, image based abuse, online bullying and the discovery of self harm content. The protocol names roles, sets response times, identifies external partners (local police, helplines, the school's clinical psychologist) and sets out the parent contact procedure.
The follow up question is what training the staff have received. A protocol on paper that no one has rehearsed is not a protocol. Ask when the school last ran a tabletop exercise of a serious online incident, who attended, and what changed as a result. The strongest answers point to specific drills and specific changes. Read our piece on safeguarding at international schools for the wider context if available; if not, the sister piece on SEN support at international schools covers adjacent pastoral structures.
The parent conversation
Cyber safety only works when parents and school are aligned. The strongest schools run parent education sessions at least twice a year, with named topics and rotating evening times to accommodate work schedules. The sessions cover platforms in current use, age appropriate device introduction, household phone rules and the school's reporting routes. Parents who attend these sessions tell us they find them the single most useful event the school offers.
The weaker pattern is a school that publishes a long policy document and assumes parents have read it. They have not. Ask when the school last ran a parent session on online safety, what topics it covered and what proportion of parents attended.
The strongest schools also publish a short termly bulletin specifically for parents on what is changing in the online environment that children inhabit. Two paragraphs of practical guidance from the digital safeguarding lead, sent out by email, is far more useful than a fifty page policy filed on the parent portal. Ask whether the school produces this and request the past three editions to evaluate the quality.
Questions to put to the school
Specific questions surface depth. What filtering product runs on the school network, and what categories are blocked? A confident school answers in one sentence. How is your AI policy worded, and may we see the document? The document either exists or it does not. What is your phone policy during the school day, and how is it enforced? Ask for the written policy and the enforcement record. When did the school last suffer a data incident, however minor? An honest answer signals trust; an evasive answer signals risk. For the wider admissions question set, our questions to ask before choosing a school piece complements the cyber specific items above.
FAQ
Yes, all reputable accredited international schools run web filtering on the school network and on managed devices. The depth and configuration vary. Ask the school to share the filtering policy, the categories blocked, and the override process for legitimate research.
It depends on the school's device model. Some schools run a fully managed one to one programme on school owned hardware. Others operate a Bring Your Own Device approach. The ownership model matters because it determines who can see browsing history, install monitoring software and remotely wipe the device.
Policies vary widely. The strongest schools have a written AI policy that distinguishes acceptable use, citation requirements, and assessment integrity. Some schools have banned generative AI on school networks; others have integrated it into classroom practice. Ask for the policy document.
It is a family decision rather than a school one. Most clinical psychologists working with adolescents advocate openness with the child rather than covert monitoring, alongside clear household rules and explicit conversations. Schools can advise but should not insist on a particular household tool.