Cyber security is the practice of protecting computers, networks, and data from unauthorised access, damage, or attack. At KS3, students learn to recognise common threats and apply basic defences — skills that matter far beyond the computing classroom.
Why does cyber security matter?
Every device connected to a network is a potential target. The UK National Cyber Security Centre (NCSC) reported that in 2023, 32 per cent of UK businesses and 24 per cent of charities identified a cyber attack or security breach in the previous 12 months. For individuals, the risks include theft of personal data, financial fraud, and loss of access to important accounts.
The DfE's national curriculum for computing requires KS3 students to "understand a range of ways to use technology safely, respectfully, responsibly and securely" and to know "a range of ways to report concerns." Cyber security is not just a technical topic — it is a fundamental life skill.
What are the main types of cyber threat?
Malware
Malware (malicious software) is any software designed to damage, disrupt, or gain unauthorised access to a computer system. The main types KS3 students need to know are:
| Type | What it does | How it spreads |
|---|---|---|
| Virus | Attaches itself to files and spreads when those files are shared | Email attachments, infected USB drives |
| Worm | Self-replicates and spreads across networks without needing a host file | Network connections, exploiting vulnerabilities |
| Trojan | Disguises itself as legitimate software but performs malicious actions | Downloads, fake software |
| Ransomware | Encrypts files and demands payment to restore access | Email attachments, malicious links |
| Spyware | Secretly monitors a user's activities and sends data to attackers | Bundled with downloads, fake apps |
| Adware | Displays unwanted advertising and may redirect browsing | Bundled with free software |
Phishing
Phishing is a social engineering attack in which criminals pretend to be a trusted organisation — a bank, a delivery company, a school — to trick a user into revealing personal information or clicking a malicious link. The NCSC advises looking for:
- Urgent or threatening language ("Your account will be suspended unless...")
- Email addresses that look almost but not quite right (support@am4zon.co.uk)
- Links that do not match where they claim to go
- Requests for login credentials, passwords, or payment details
Spear phishing is a targeted variant where the attacker uses personal information about the victim to make the message more convincing. Smishing is phishing via SMS.
Social engineering
Social engineering is the broader category of attacks that manipulate people rather than exploiting technical vulnerabilities. Common examples include:
- Pretexting — inventing a scenario to gain trust (pretending to be IT support calling to fix a problem)
- Baiting — leaving an infected USB drive where a target will find it
- Tailgating — following an authorised person through a secure door without proper credentials
The NCSC consistently emphasises that people are often a more effective attack vector than software vulnerabilities — which is why understanding human-targeted attacks is as important as knowing about malware.
What are the main cyber security defences?
Defences fall into three categories: technical, physical, and behavioural.
Technical defences
| Defence | What it does |
|---|---|
| Antivirus/antimalware software | Scans for and removes known malicious software |
| Firewall | Monitors and filters incoming and outgoing network traffic based on security rules |
| Encryption | Converts data into unreadable form unless the correct key is used — essential for protecting data in transit (HTTPS) and at rest |
| Two-factor authentication (2FA) | Requires two pieces of evidence to log in (password + one-time code); limits damage if a password is stolen |
| Software updates and patches | Fix known security vulnerabilities that attackers could exploit |
| Strong, unique passwords | A password manager generates and stores long random passwords for each site |
Access control
Access control determines who can see or change what data. Key principles include:
- Principle of least privilege — users are given only the access they need for their role, nothing more. A student account should not have administrator rights.
- Authentication — verifying identity (password, biometric, 2FA)
- Authorisation — determining what an authenticated user is allowed to do
Physical security
Not all attacks are digital. Physical security includes:
- Locking computers when away from the desk
- Not leaving devices unattended in public
- Shredding documents containing personal information
- Controlling physical access to server rooms
Worked example: recognising a phishing email
Scenario: You receive an email with the subject "URGENT: Your school account is locked. Verify now."
- Sender address: admin@sch00l-support.net (not the school's real domain)
- Greeting: "Dear Student" (not your name — mass-sent phishing)
- Content: "Click here immediately to unlock your account or it will be deleted."
- Link hover: Shows http://verify-accounts.ru (a Russian domain unrelated to your school)
- Red flags: Urgency, vague greeting, mismatched sender, suspicious link
What to do: Do not click. Do not enter any information. Report to your school's IT department. Delete the email.
This scenario is consistent with the type of threat the NCSC documents in its guidance for UK schools.
How do encryption and HTTPS work?
When you visit a website using HTTPS (Hypertext Transfer Protocol Secure), the connection between your browser and the server is encrypted using TLS (Transport Layer Security). This means:
- Data you send (login details, payment information) is scrambled and unreadable to anyone intercepting it.
- The website's identity is verified via a digital certificate issued by a trusted Certificate Authority.
- A padlock icon in the browser address bar confirms the connection is encrypted.
HTTP (without the S) sends data in plain text — anyone who intercepts the connection can read it. HTTPS is now the standard for all websites handling any personal or sensitive data. At KS3, students should understand that HTTPS does not guarantee a site is legitimate — a phishing site can also use HTTPS — but its absence is a definite warning sign.
Frequently asked questions
What is the difference between a virus and malware?
Malware is the umbrella term for any malicious software, including viruses, worms, trojans, ransomware, and spyware. A virus is one specific type of malware: it attaches to legitimate files and spreads when those files are shared. All viruses are malware, but not all malware is a virus.
What is two-factor authentication and why is it important?
Two-factor authentication (2FA) requires two separate pieces of evidence to log in — typically something you know (a password) and something you have (a one-time code sent to your phone, or generated by an authenticator app). Even if an attacker steals your password, they cannot log in without the second factor. The NCSC recommends enabling 2FA on all important accounts, particularly email, banking, and social media.
How can you tell if a website is safe?
Look for HTTPS in the address bar (padlock icon), check that the domain matches the organisation it claims to be (gov.uk for government sites, not gov.uk.support-portal.com), and be cautious of sites reached via unexpected links. However, HTTPS alone does not guarantee safety — a phishing site can have a valid security certificate. Always access important sites (your bank, your school portal) by typing the known address directly rather than following links.
What should you do if you think you have been hacked?
Change your password immediately on the affected account and on any other account using the same password. Enable two-factor authentication if it is not already on. Check for any unauthorised activity (emails sent, purchases made, settings changed). Report the incident to the relevant organisation (your school, your bank, the platform). If the hack involved financial information, contact your bank. The NCSC's website (ncsc.gov.uk) provides guidance specific to individuals and schools.
For Socratic computing tutoring covering cyber security, networks, and beyond, visit aitutors.me.