Why every education leader needs a clear picture of their data

When I’m speaking with leadership teams in universities, colleges or local councils, there’s one question I like to start with:

Do you know exactly what information you hold, where it is and why you have it?

For most, the honest answer is “not really,” and that’s where one of the biggest cyber and data protection risks begins.

The risk: Not knowing what you’ve got

If you don’t know what data you need to secure, you can’t realistically expect to be compliant with the law nor can you adequately prevent the risk of a breach. It’s as simple as that. In my work, I see the same pattern time and again:

• Systems and datasets are being used in an isolated way without a clear understanding of the potential level of risk.

• Meanwhile, genuinely sensitive information, the “crown jewels,” is left under-protected.

That misalignment wastes time, money and skilled staff hours. It also increases the chances of a damaging incident, because the real risks aren’t getting the attention they deserve.

Think of it like this: locking your garden shed while the front door of your house is wide open. It’s great that the shed is secure but it’s a safe bet that the wrong things are being prioritised, and attackers, or even accidental mistakes, will inevitably find the gap.

Why this is a leadership issue

It’s tempting to think of cybersecurity and compliance as “IT problems” or “data protection problems,” but they are organisational responsibilities.

Every business area – from HR to research, from finance to student services – generates and handles information. And it’s senior leadership that sets the tone for how it's managed.

When leadership actively promotes and embeds information governance into the culture:

• People know where to take questions.

• Security is built in from the start of projects, not bolted on at the end.

• Risks are spotted earlier, before they grow into bigger problems.

Without that culture, things drift. New systems get procured with no security oversight. Data gets copied into uncontrolled spaces. Teams work in silos, each assuming someone else is managing the potential risks.

The hidden data you’ve forgotten about

Even if your main systems are well secured, data has a habit of multiplying, and moving.

Staff might check work emails on personal phones, sync files to a private cloud account for “convenience,” or take meeting notes using the latest AI app. Old exports of student records might be sitting on a shared drive that nobody has touched in years.

These “shadow” copies are exactly what attackers look for, but they also create risk from simple human error. A misplaced USB stick or an email sent to the wrong person can be just as damaging as a malicious breach.

That’s why I recommend leaders regularly ask: “Where else might our data be?” The answer is often surprising, and occasionally alarming.

How to start improving visibility

Getting a better idea of what is out there doesn’t have to be complicated, but it does need to be intentional. Here are some immediate actions to consider:

1. Make it easy to talk about projects
   Security, legal and compliance teams should be part of the conversation, for every project. They should be involved in all new projects at the planning stage but it’s never too late to bring them in. It can be uncomfortable but it’s a worthwhile exercise to ask the question, “What are we doing that we should have talked about?” Getting a view on project even if its in its later stages can prevent a significant issue from arising

2. Challenge your assumptions
   Ask: “What do we believe about our processes, and how do we know they actually work? Testing assumptions often uncovers gaps you didn’t know existed.

3. Focus on impact, not just fines
   Instead of asking, “Will we be penalised if we don’t fix this?,” ask, “Who will be harmed, and how much trust will we lose, if we don’t?”

4. Get an outside view
   Ask someone to stress-test your systems. It’s far better to find weaknesses in a safe, controlled exercise than during a real incident.

Building visibility into the way you work

Mapping your data once isn’t enough. Your environment changes constantly, with new systems, AI tools, cloud services and collaborative partnerships.

To ensure you have visibility of your data that means:

• Having a process for assessing and securing new environments.
  Making sure that oversight mechanisms as your data flows (and its uses) evolve.

• Reviewing and refining your security and compliance controls regularly.

The truth is, nothing will ever be 100% secure. But by truly understanding what you have, where it is and why you have it, you give yourself the best chance of protecting it, and of focusing your limited resources where they matter most.

Because in the end, the cost of not knowing is almost always greater than the cost of finding out.

If you’d like to talk about how to map your organisation’s data and close the most common visibility gaps, feel free to get in touch.