For nurseries · Digital safety pack

Digital safeguarding is part of safeguarding.

You already keep children, parents and staff safe every day. This pack turns online and AI risk into a few simple habits a small team can actually follow — calm, practical, and free to use, print and share.

For owners & managers

Do this first.

The short list that protects the most for the least effort. You can start it in an afternoon — no IT department needed.

  • Turn on two-step login (MFA) on the accounts that matter

    Email, your nursery management / EYFS software, banking, payroll and any cloud storage. It means that even if someone learns a password, it is much harder for them to get in.

  • Use a password manager, with a different password for every account

    Reusing one password means one leak unlocks everything. A password manager remembers them for you; three random words make a strong one you can still type.

  • Turn on automatic updates everywhere

    Phones, tablets, laptops and apps. Many common attacks use known weaknesses that updates have already fixed — letting updates install themselves closes the door.

  • Change the default router and Wi-Fi passwords

    Change the router admin password and set a strong Wi-Fi password. Default admin details are often known or easy to find, and Wi-Fi passwords can become widely shared over time.

  • Put cameras, printers, tablets and smart devices on a separate Wi-Fi

    Use a guest or device network kept apart from the computers that hold your records, so a weak gadget can't become a way into your files.

  • Back up your key records — and check a backup actually restores

    Registers, contracts, safeguarding notes and accounts. Test a restore once so you know it works before you ever need it.

  • Remove access the day someone leaves

    Accounts, shared logins and door / alarm codes. Give each person their own login so you can switch one off without disrupting everyone.

  • Agree a payment-change callback rule

    Any request to change bank details or move money is verified by calling a number you already hold — never the number in the message or email.

  • Agree a voice-fraud safe phrase or known-number check

    A voice can now be faked from a short clip. For any urgent voice or message request, confirm with an agreed safe phrase or by calling a number you already trust.

Prints on its own page to pin up.

Grounded in: NCSC — Small Business Guide; NCSC — Cyber Essentials: the five technical controls; NCSC — Passwords, MFA and password managers

Staff handout

What bad actors do now.

Scams today are more personal, better written and more believable than they used to be — often because criminals now use AI to write them. The trick is almost always the same: get you to act quickly, before you stop to think.

Be on guard the moment a message, call or email asks you to:

  • change or confirm bank details
  • send a child's details, photos or records
  • approve, process or refund a payment
  • download an app or click a link to “fix” a problem
  • read out or share a code from a text or email
  • reply urgently because something is “about to go wrong”

Pause and verify on a number you already have.

It is always okay to say “I'll call you back.” Then check using a number from your own records or the organisation's official website — never the number in the message. A genuine request can survive a callback. Only a scam needs you to rush.

Stop

Taking a moment before you part with money or information could keep the nursery safe.

Challenge

Could it be fake? It's fine to reject, refuse or ignore a request. Only criminals try to rush or panic you.

Protect

If you think you've fallen for a scam, tell your manager straight away. If money or fraud is involved, contact the bank quickly and report it through Report Fraud / Action Fraud where appropriate (Action Fraud: 0300 123 2040).

One page for the staff room.

Grounded in: Take Five to Stop Fraud — Stop, Challenge, Protect; NCSC — How to spot scam messages and calls; NCSC — The impact of AI on the cyber threat

Printable

Our nursery incident card.

Fill this in once, print it, and keep it where your team can find it. When something goes wrong, the difference between a scare and a serious problem is usually how quickly the right person acts.

If something goes wrong — our plan

  • Who we tell first, internally: the person who takes charge
  • Who owns our email & admin accounts: can lock accounts and reset passwords
  • Where our backups are, and who can restore them
  • Who contacts parents, and how
  • Who contacts our software / IT provider: provider name and direct number
  • Who decides if it's a personal-data breach (and reports to the ICO): see the 72-hour note below

If personal data may have been lost, seen, changed or shared without permission, decide quickly whether it is a notifiable breach. The ICO says notifiable breaches must be reported without undue delay and, where feasible, within 72 hours of becoming aware. Keep a record of all breaches, even where you decide they do not need to be reported.

  • Action Fraud (report fraud): 0300 123 2040 — actionfraud.police.uk
  • ICO (report a data breach): ico.org.uk/for-organisations/report-a-breach

Fill it in once, then pin it up.

Grounded in: ICO — Personal data breaches: a guide; ICO — Report a personal data breach

Read more

The why behind the habits.

Article

The nursery cyber checklist: 10 things to do before something goes wrong

None of these need an IT department. Start at the top and work down — even the first three make a real difference.

Most security problems for a small setting aren't dramatic. They're an account left open after someone left, a password used in three places, or a rushed payment to the wrong bank details. The fixes are just as ordinary — and you can do them in an afternoon.

  1. Turn on two-step login (MFA) everywhere that matters

    Email first, then your management software, banking, payroll and cloud storage. It's the single biggest thing you can do, and even if a password leaks, the account stays shut.

  2. Use a password manager and a unique password per account

    Let it generate and remember the passwords. For the few you type yourself, three random words make a strong, memorable phrase.

  3. Change the default router and Wi-Fi passwords

    Change the router admin password and set a strong Wi-Fi password. Default admin details are often known or easy to find, and Wi-Fi passwords can become widely shared over time.

  4. Turn on automatic updates

    Phones, tablets, laptops and apps. Updates quietly fix the weaknesses attackers rely on, so letting them install themselves does the work for you.

  5. Separate your devices from your records

    Put cameras, printers and smart gadgets on a guest or device network, away from the computers holding children's and families' information.

  6. Back up your key records — and test a restore

    Registers, contracts and safeguarding notes. A backup you've never tested is a guess; restore one file once so you know it works.

  7. Use the malware protection you already have

    Built-in protection on modern phones and computers is good — keep it switched on, and don't dismiss its warnings to make something work faster.

  8. Give everyone their own login, and remove access when they leave

    Shared logins can't be traced and are hard to switch off safely. Individual accounts mean you can close one the day a person moves on.

  9. Agree a money rule and a safe phrase

    Any change to bank details or any urgent payment is checked on a number you already hold. Agree a safe phrase for voice requests, because voices can be faked.

  10. Write a one-page “if it goes wrong” plan

    Who's told first, who can lock the accounts, where the backups are, who calls parents, and who decides whether it's a data breach. The incident card on this page is a ready-made template.

You don't have to do all ten today. Each one you tick off makes the nursery a little safer — and the order above puts the highest-value habits first.

Grounded in: NCSC — Small Business Guide; NCSC — Cyber Essentials: the five technical controls; NCSC — Passwords, MFA and password managers; Action Fraud — Mandate / payment-diversion fraud

Article

Voice notes, WhatsApp and fake urgency: how AI changes parent scams

The channels are the ones your families already use. The tell-tale signs we were all taught to spot are disappearing. The defence hasn't changed.

For years the advice was to look for the clues: clumsy spelling, odd grammar, a generic greeting. AI has quietly removed those clues. The national cyber authority now warns that AI lets criminals write convincing messages without the spelling and grammar mistakes that used to give phishing away — and that it's getting harder for anyone, however careful, to tell a genuine request from a fake one.

It reaches a nursery through the everyday channels — a WhatsApp message, a voice note, an email that looks like a real supplier. What it tends to look like:

  • a “parent” messaging to change the account their fees are paid from
  • a “manager” voice note asking a staff member to buy gift cards or move money quickly
  • a “supplier” email with new bank details on an otherwise normal-looking invoice
  • a message that knows a real detail — a child's name, a recent event — because it was pieced together from public posts

Voice is the newest twist. A short clip of someone speaking — from a voicemail or a social video — can be enough to make a synthetic version of their voice. So a familiar-sounding caller asking you to act fast is no longer proof it's really them.

The constant across every version is urgency. The message needs you to act before you think — a payment that must go today, a code that must be read out now, a problem that's “about to” cost you. That pressure is the scam.

Which is why the defence still works, AI or not: stop, challenge, protect. Pause. It's always fine to say you'll call back. Then verify on a number you already have — from your own records or the organisation's official website, never the number in the message. A real parent, supplier or colleague will understand completely. Only a scam can't survive a five-minute pause.

And to keep this in proportion: the overwhelming majority of messages your nursery gets are genuine. You're not trying to distrust everyone — just to build one cheap habit of checking before money moves or information leaves the building.

Grounded in: NCSC — The impact of AI on the cyber threat; NCSC — How to spot scam messages and calls; Take Five to Stop Fraud — Stop, Challenge, Protect; Action Fraud — Mandate / payment-diversion fraud

Article

Your nursery is not too small to be targeted

“We're too small to be worth it” is the most common reason settings skip the basics — and exactly why they get caught.

It's a natural thought: surely criminals go after big companies with big money. But most attacks aren't aimed at a particular victim at all. They're automated and opportunistic — sweeping for any account with a weak password or any inbox that will click a link. Being small doesn't make you invisible; it often means the basics are assumed to be missing, which makes you easier.

And a nursery holds more of value than it might feel like:

  • parents' contact and payment details, kept in one place
  • fees and payroll — real money moving in and out on a regular rhythm
  • staff email accounts, which families already trust and open
  • children's records — information that deserves particular care, and may include health, allergy, safeguarding or family details
  • your name and your word, which parents believe when a message comes “from the nursery”

That last one is the quiet prize. A trusted nursery email asking a parent to update payment details will be acted on — that trust is precisely what a criminal is trying to borrow.

Children's data carries an extra duty, too. The Information Commissioner's Office is clear that children's personal data merits specific protection, because children are less aware of the risks. Looking after it well isn't only good practice; for the data you hold on the children in your care, it's expected of you.

This is really the point of the whole pack: digital safeguarding is now part of safeguarding. You already protect the children, families and staff in your building every day. Protecting their information is the same instinct, applied to a few simple online habits — and none of them need you to become technical.

Grounded in: NCSC — Small Business Guide; ICO — Children and the UK GDPR; Action Fraud — Mandate / payment-diversion fraud

Where this comes from

Sources & further reading.

Everything in this pack is based on guidance from the UK's national authorities. None of it is our own invention — go straight to the source whenever you want the detail.

This pack is general information to help you build good habits, not legal, security or data-protection advice for your specific situation. For your duties around personal data, the ICO is the definitive source.

Halo works with nurseries.

We help nurseries get found, fill places and get paid in full — while you carry on running your setting exactly as you do today. Keeping families' trust safe is part of that.