Special Report

The REAL Cyber Skills Gap

Executive Summary

The internet is an amazing resource providing countless opportunities. It is truly global and has become available to all at the touch of a screen. Technological enhancement in connected devices, interconnectivity and ease of use has increased at an unprecedented rate. Long gone are the days of needing to understand how computers actually work to benefit from digitally enabled services.

Whilst the internet is, without doubt, a fantastic resource for good, anyone involved in security or online safety recognises the serious risks associated with uninformed use. As with any aspect of life there are dangerous elements across the internet that are not automatically obvious to the uninitiated. The dangers and risks therein may have wide-reaching impacts; financial, mental and even physical consequences; potentially escalating to a proven risk to life, in extreme cases. There is clear evidence of children and adults dying as a result of internet-related risks being realised. Child exploitation [1] and cyber bullying [2] are on the rise, and their effects are being seen in the physical world. At the same time the financial impact of cyber-enabled crime is growing exponentially (reaching GBP2M per day for the first time according to the latest figures from Financial Fraud Action UK [3]). This is not just a problem for particular groups, it is a problem for all.

It is encouraging to see the Government starting to acknowledge this issue, most pertinently through the publications such as the Children’s Commissioner ‘Growing Up Digital’ Taskforce report [4], the House of Lords Communications Committee’s ‘Growing Up With the Internet’ [5] and the Government’s planned Internet Safety Strategy. This heralds a good start in surfacing the issues, though in most respects, this is focussed on children. Although child safety is a natural concern, especially in the digital world, this is a problem faced by all of the UK population.

Outside of core Government activities there are some fantastic examples of good practice, from online resources like GetSafeOnline [6], or Internet Matters [7], to the amazing work undertaken to promote digital competence by South West Grid for Learning [8]. Equally, in local Government, there are pockets of exemplary practice, like Kent County Council [9] which has embedded Online Safety throughout all of its services, providing guidance and oversight to all, young and old. It should be noted, much like the focus from central Government, that most activity in this space is aimed at children and young people. Whilst that should absolutely be commended, there is still too little focus on digital competence for the adult population.

We should be collating and evaluating what is working well and where, and how we can emulate that more widely by defining a holistic approach to building digital competence, with online safety at the core. We need an honest and open discussion about the problem in its entirety and identify the opportunities across all sectors to drive solutions. One of many avenues that should be explored is the use of the existing families’ and social work bodies to provide leadership training on risks and best practice to citizen-facing staff, to improve understanding, learning and knowledge of issues. These staff can then carry the message to those they support.

We should be leveraging and encouraging greater collaboration between Government (Local and Central), academia, the private sector, Charities and subject leaders to maximise the avenues available for delivering a base foundation of knowledge and awareness across all demographics of the UK populace. This problem requires a multi-faceted approach which can only be achieved through coherent collaboration across sectors. There already exists pockets of collaboration, which should be built upon and emulated. This is an area ripe for agility and delivery at pace, whilst building solid foundations for repeatable delivery.

This paper seeks to provide insight across different sectors affected by this problem, and sets some clear recommendations in order to make progress in tackling this issue. These points of view are provided by experienced professionals from various fields at the frontline of online safety and range from preventative measures through to remediation, where risks have been realised. Those who have provided content in this paper are all calling for immediate action to be taken to address the issues presented herein.

Lord Best has called for digital literacy to be the fourth pillar of education, whilst the Lords publication calls for a Children’s Digital Champion. This is most definitely welcomed, though the view presented by the quoted experts is that this should be wider reaching. We need a digital champion for ALL of the population and digital competence must go way beyond just children in mainstream education. The time for action is now! This will not be solved overnight, nor is it easy, but we must drive digital competence and online safety through all aspects of UK society.


In January 2017 the Children’s Commissioner published the ‘Growing Up Digital’ Taskforce report. The report highlighted a number of issues facing children as they navigate their way through the online world. Much like the real world it provides infinite possibilities, but it also contains serious risks.

It report resonated with many professionals who deal with these risks on a day-to-day basis and who see their potential impacts first hand.

The report is not just valid for children, but also reflects the varying levels of awareness (including total risk ignorance) that many adults have when it comes to online safety. This is a serious problem, and a growing one too.

The findings of Growing Up Digital have been confirmed by the House of Lords Communication Committee’s ‘Growing Up With the Internet’ report. The Committee echoes the belief that intervention at the highest level of the Government is needed to promote the best interests of children online.

We are in an age where technology and interconnectivity are on a vertical trajectory, whilst at the same time the risks that comes with such a digitally connected world are following the same course.

Not wanting to let these vital publications go gently into the night, a group of respected experts in the online world have decided to come together to offer their perspectives on this issue and to pool their expertise to help define what needs to happen next if we are the bridge this ever widening skills gap. These experts are from across the online safety spectrum, including subject-matter experts in child exploitation, online safety education, teaching, social care, information and cyber security.

Their views offer a true insight into this problem, both at the child and adult levels. There is not an easy answer to this by any means, but their view is that we must start somewhere in terms of truly building a sustainable and repeatable pathway to developing the requisite knowledge foundation for online safety across the UK.

The Experts’ Views

Ed Tucker – CISO

I am an expert – I’m the Head of Cyber Security for a large Government department – but I’m not writing this as an expert I am writing this as a concerned parent and citizen. Across the security industry there are rafts of comments detailing the cyber skills gap, or chasm, in terms of truly skilled security professionals able to deal with the threats of tomorrow but, I believe there is a larger and far more pressing ‘cyber’ skills gap that we need to prioritise more than ever!

Unlike today’s children I wasn’t born into technology. Technology was something that happened to me; firstly in the workplace and then the .com boom and latterly through the advent of smart devices, social media, apps and a hugely convergent and inter-connected society, all driven through technological advances. I had to learn technology, and being an inquisitive sort I also learnt how it worked, not just how to use it. I believe I’m in a fairly small percentage of the population who have looked ‘under the hood’ of technology to fully understand how it does what it does.

Children in the UK today are truly born into technology. Most will have their lives embedded into technology from before they are even born. That’s a reality.  Once outside the womb they are wedded to technology like no previous generation. The sheer nature and intuitive design of today’s technology has enabled my now five year old to navigate through apps and games with ease from the age of about three, and he will continue to do so throughout his life. To be honest, that ease of use is truly fantastic, and opens up all sorts of opportunities for the children, and adults of today.

However, with it also comes danger, or rather risk. Being a security professional of some years I am all too aware of these risks, and come from a position of prejudice, but this risk position is being echoed by many.

Very recently the Children’s Commissioner published ‘Growing Up Digital’ – A report of the Growing Up Digital Taskforce. The report highlights numerous issues, but for me the key sentence is in the second paragraph of the whole report. It says that:

“At the moment, children are not being equipped with adequate skills to negotiate their lives online.”

This is a fundamental statement! However, I think this sentence actually rings true far more widely. I do not believe that the majority of adults are equipped with said skills. As Baroness Beeban Kidron commented in the report [10]:

“Again and again, children and young people say that they have no idea how the internet works, either in ways that might be of interest to them or ways that disempower them.”

Personally, I would ask again how many adults also feel the same. And here we have the crux of the problem. In my opinion we are on the brink of an epidemic of technological ignorance. I know that sounds disturbing and possibly hyperbolic, but just think about it for a moment.

How many people are digitally savvy? How many know what, when signing up to use an app or service, they are actually signing up for? How many people know what privacy settings are, let alone what settings they should be using? We live in a time of massive over-sharing without being cognisant of the risks therein. It’s all there, I suppose, but then who reads the terms and conditions, and then who actually understand what they mean in practice. At the same time there appears to be a greater level of trust with anything on the internet than in real life. We see this every day in the security profession.

Proliferation of malware is on the rise, phishing and the number of delivery and attack vectors is on the rise, ID theft is on the rise [11], cyber enabled fraud is on the rise, child exploitation is on the rise, cyber bullying is on the rise [12]…….awareness sadly is not.

Now, to bring this back to the professional security world for a moment, I also believe that in general the security community has frankly failed in providing their workforce with the base skills to protect themselves, be that in their personal or corporate lives. Humans are the weakest link! Naturally so. But if, as I believe, we have got corporate security awareness wrong, where do we stand with the general public’s security awareness, and then that of children? Frankly, it’s the blind leading the blind, stumbling through technology as ease of use has enabled them to.

Now, there are some superb resources available in this space; GetSafeOnline [13], InternetMatters [14], NetAware [15], and the UK Safer Internet Centre [16] etc. The list could go on. Even with these hugely valuable resources we still have a major problem, in that a base level of online safety skills is not being built at anywhere near the rate it needs to be. Now, many people use these resources and are developing their skills, which is great, but more, far more, are not, and that is before you even consider those living with adversity whose parents may not be able to engage.

When I go and speak in schools to children and parents, the level of ignorance, for want of a better word, is staggering. It’s clear to me that we are not getting the right messages across, we are not building true awareness and we are not educating children and parents sufficiently to equip them to live safely in an ever increasingly digital world.

It’s not just a straightforward security issue, in that there are far more sinister risks than identity theft out there, especially when we talk about our children. Technology is a fantastic enabler for good, but with that comes the bad. Child exploitation is a major issue, and without these requisite skills and knowledge our children are wide open to abuse of all kinds. This is simply not good enough! From speaking to experts in this field, and with my own experience in security, it becomes obvious that we have a cyber skills chasm and that chasm is widening as technology advances at an exponential rate.

What I believe needs to happen is a tectonic shift in how we approach this issue. Many of us do get out there and speak to children, parents, teachers, et al, but this is very much piecemeal and something we do off our own backs. It does work, but one session alone is nowhere near enough to build the skillset. You simply do not become competent at anything after a couple of hours. What is required is a coordinated educational programme, built from the expertise of those who have the practical knowledge across all fields, that will not only form an intrinsic part of all school curricula at all ages, but also be driven out across the adult population of the UK.

We need to build a curriculum that is tailored towards our children and their respective ages. An ongoing programme of education that continually builds the Online Safety awareness and skills for everyday digital life. This also needs to be built for adults – to prime parents, carers, guardians and non-parents with the same skills, so that parents and children can mutually support each other and learn together and non-parents can upskill in a similar vein.

We need to upskill teachers and other professionals who work with children so that they are equipped as individuals and also as a support system for the children under their care. We basically need a curriculum for all that focuses on practical skills that are universally valid, for the child, the parent, the teacher, the citizen. We need a coherent programme to build true awareness of digital responsibility with Online Safety at the core. These are, funnily enough, the same base skills that help protect the corporate world!

Sadly, the Children’s Commissioner’s report will be tomorrow’s fish and chip wrapper in no time. We can’t let that happen. Speaking as both a cyber security professional and a parent, we simply cannot!

Judith Staff – Teacher

So many children have access to, or own, hand-held devices now – and from very young age –   and all hand-held devices have internet access.  The fact that most children today have been using touchscreens all their lives, indeed many are unable to use a mouse nowadays, is an indication of how much time they are spending on devices and for some, the internet.  Currently, there are no guidelines in place in the UK as to acceptable time limits for children’s internet use.

To date, much of the input children receive on online safety has been written/developed/devised by adults – adults who did not grow up with devices or even the internet.  I believe it is in this gap that the main disconnect lies. One of the keys to plugging this gap is to engage with children in the co-design of input for both parents and for children themselves in relation to online safety.

As with anything, safety is never a guarantee.  As we cannot guarantee children’s safety when they step outside the front door, so we can never ensure their safety online either, even with the very best of intentions. The best which can be hoped for is a well-managed risk – being online carries a risk at all times.

Current approaches promote “keeping” or “staying” safe online; as we know from children being out in the community, we can only expect so much of the children in relation to common sense and making best decisions for themselves, because we are unable to eliminate or even control the risk which is ever-present as long as people are perpetrating crimes against children either in real life or in the virtual world.

As with community safety, we need to remain particularly mindful, with online safety messages, that we are not promoting either explicit or veiled references to victim-blaming.  In truth, I feel concerned that much of the promotional information we offer to children is of this ilk.  There are some powerful, well-intended materials which could easily be misinterpreted by children who have experienced online abuse or bullying.

An example which springs immediately to mind is one for primary schools about sharing inappropriate selfies. The child depicted in one animated clip is shamed for sharing a photo of his genitals when in fact, the child who asked him to share the photo and then went on to share it more widely is the perpetrator of that abuse and should be highlighted as such.  As we know, a victim-blaming culture can lead to feelings of self-blame which can be a major factor in silencing voices and inhibiting disclosures.

Children being silenced on abuse is a very dangerous ground which leads to self-blame, and can lead to mental health concerns. Its main effect is that the children concerned go unprotected, whist, at the same time, the abuser is shielded, enabling them to continue their abuse and potentially putting other children at risk.

Another issue with some of the current material, is that developmentally children often find scare-mongering difficult to relate to.  They can relate to experiences which mirror their own, but stories which form the basis for some of the police-led video campaigns where children have been groomed online, raped, and in some cases murdered fall into the “that could never be me” category.  They scare the child, traumatise them perhaps, but because they seem so far from any likely experience, they fail to support them in avoiding making the same mistakes (again, some parallels here in relation to victim-blaming).

I think one of the keys to online safety is removing the shame and stigma of sharing worries or concerns linked to online activity or interactions, and encouraging children to find someone, anyone, they can speak with.  In secondary schools, it might work to promote a model of “open clinics” run by 6th form students every day.  The older children could field issues from younger ones to support them in any issues online, with back up from the team of Designated Safeguarding Leads.  There needs to be an equivalent safe-sharing-space in both primary and early years.  This could be developed and promoted in schools.

Another really big population at risk is children who are electively home-educated.  I worked with a child in another local authority who was electively home-educated along with her sister – they were 12 and 14.  The majority of their social lives was on social media and indeed the 12 year old spent much of her life on her mother’s phone – a phone the mother was largely unable to use herself – where the girl accessed FaceBook, Twitter, Snapchat, Instagram and WhatsApp – all of which are for children aged 13 and up, and in the case of WhatsApp, 16 and up.  Affecting the safety of such children online is a significant challenge

Lastly, are children in Early Years Foundation Stage (aged birth to 5 years)  In pubs at Sunday lunch or on trains or in shopping trolleys, it is common to see children under the age of 5 years being handed a device and left unsupervised; even if they are next to a parent at the time, the parent is not at all monitoring the child’s use, merely using it as a treat to keep the child quiet so they can engage in conversation or finish their shopping, free from interruption.  Much of this type of usage for under 5s happens in public places where Wi-Fi is not necessarily a safe space for children.  Indeed, Collective Shout in Australia recently ran a campaign to challenge McDonalds to block online pornography using Wi-Fi filters, given the high volume of families who form the customer base at the fast-food outlet.

Parental Involvement

A main concern with this is, just like sex education, it is not an area many parents feel confident in talking about to their children.  A combination of the fact that, at the moment, the majority of parents have not yet been raised with the internet and the fact that much of the risk online is related directly or indirectly to sexual abuse which is still such a taboo – both these factors compound the issue around parents educating their children.

The other massive issue is that for families living with varying levels of adversity, the online safety of their children may be very low on their priority list as they struggle with everyday challenges including housing issues, financial difficulties, single parent-hood and domestic violence, to name a few.  In the same way that children who have an increased number of vulnerability indicators, may be more likely to “roam the streets” (not my judgement, but the received perception some hold of families living with complexity and adversity), the same may be true for online risk.

That analysis is in no way meant to be a judgement, but rather reflects a reality as parents have so much else to worry about, especially if they are themselves isolated and facing financial burdens.

I think there is also a problem in the drive to fill school halls with parents and engage them in the wider effort to protect children online when in actual fact, in all other areas of safeguarding, there is a perceived view that it is up to all of us.  We do not put sessions on for parents in relation to ensuring their child is safe when accessing the local leisure centre – we expect them to manage this themselves as well as expecting all professionals in the child’s life to be aware of signs of a safeguarding alert.

To put pressure on a generation of parents who have inadvertently found themselves on the steepest technological learning curve ever, to attend a session where they feel out of their depth, and feel under scrutiny in relation to their parenting skills and in front of their peers and their child’s school is completely unrealistic and in itself explains why attendance at such sessions is often poor.

The last point I would make, in relation to parents, is the lack of understanding they have of the consequences of setting their child’s online age incorrectly or allowing their child to do so.  The number of children who have an online age of 18 on Instagram and Snapchat when they are still under the legal age of sexual consent is staggering.  Parents have no idea about this in the main.

The message needs to be shared far and wide that online age can be the difference between the police deeming an offence to have been committed against a child or not. People putting their 9 year olds on Facebook by setting up an account where they declare the child is 13, in essence have added 4 years to their child’s age to enable the account.  If the child is contacted for the purposes of sexual exploitation at the age of 14 when their online age states they are 18, that will not be readily flagged up as a child at risk and the safeguarding concern could be missed.

The practice of putting a fabricated birthdate is dishonest and can also leave children at risk of seeing online images, advertising and information which is not suitable for children of their age.

Carl Gottlieb – Chief Technology Officer

The Children’s Commissioner recently stated that “children are not being equipped with adequate skills to negotiate their lives online.” Whilst few can argue with this, it does lead us to ask, who, amongst us adults, even has these skills? And more critically, what are these skills in the first place? If we are to address the problem of inadequate education for online safety, whether it be for children or adults, we must first start with defining the scope and the content of that subject matter.

Scope as a concept is essential since it will define the target audience and the digital services we wish to educate on. For example, should we concern ourselves with a seven year old child being the target of credential phishing or an adult publishing inappropriate selfies on social media? We need to define the various groups of people, circumstances and risks and build content that is highly relevant.

The content of any piece of education needs to be complete and accurate, and with a fast moving market for apps and their use cases, this educational material needs to continually evolve. Apps move in and out of fashion, safety features within apps continually improve and so “good practice” itself must continually evolve too. At present there are countless online recommendations for staying safe online. But which is correct? Which one is most up-to-date? Which is most relevant to me and my child or my parent?

I am pushing for a single source, sponsored by the UK Government, to be seen as authoritative in the production of this educational material. Whilst this route has traditionally seen little success, e.g. terrible Government advice on nutrition, the UK’s National Cyber Security Centre (NCSC) [17] is proving to be a shining light in delivering sensible real-world advice for the corporate cyber security community. I see no reason why this model cannot be extended to the rest of us for our own online safety.

In turn, the first port of call must be to define this education owner and have the many good people and organisations in the online safety world support their effort.

Lee Pardy-McLaughlin – Children’s Services Principal Social Worker

I write this through the lens of both a parent and senior social work professional with 19 years’ experience within and across the children’s and young people’s child protection system. As a parent, the challenges in ensuring that your children understand the risks and harm that the social media and web-based platforms present is immense and at times a real challenge, particularly if you are not from generation Y or one of the ‘poddlers’!

My partner and I often spend time considering the push and pull factors of ensuring our children grow up with a strong moral compass and with the confidence and independence they will need as they grow into young adults. This is one of the skills of parenting, but I still find myself returning to the point that the construction of childhood has changed, and in fact the constructs around childhood are now more polarised than ever before.

In particular, young people are exposed to a far greater risk through the internet. We now know much more about this, and it is safe to say that awareness has grown in relation to exploitation and online grooming. Recent independent reviews relating to the horrendous abuse of young people in Rotherham [18], Doncaster [19] and a Serious Case Review in Oxfordfordshire [20] really shine a light on the learning from practice and indeed what works.

However, I believe from an educational and training perspective we need to equip our professional helpers of the future to be more skilled and knowledgeable about cyber risks and abuse. In a recent discussion with final year social work students they told me that there was limited reference on their course to understanding and safeguarding children and vulnerable adults from social media- and internet-based abuse.

I raise both the question and the answer – this needs to be remedied. Educators and indeed practitioners across health and social care need to focus on this issue and promote a stronger culture of understanding and appreciative inquiry into this aspect of child welfare. It takes a village to raise a child and the village and community responsible for raising our children need to engage in a deeper debate through learning, knowledge-transfer and more critically understanding and challenging ourselves to be thirsty to know more.  We should all have be crazily devoted to our children, both our own and those we have a responsibility to safeguard and protect.

Traci Good – Online Safety Educator

I have been delivering Online Safety training for staff, governors, students and parents / carers for around 6 years now and in all that time my biggest challenge remains parental engagement. I have a good deal of experience with parents and of their frustrations when it comes to keeping children safe. As in all areas of parenting, some parents are proactive, some are passive, some wish they could do more and some have just about given up.

I do however believe that parents welcome advice and support, but the barriers that prevent that engagement are as prevalent as ever, and part of this problem is with how we try break down these barriers and increase our reach.

In some ways I really can’t blame parents for not attending Online Safety sessions that are held in school. Let’s face it who really wants to sit in a school hall on a wet Wednesday evening and listen to a random stranger telling us about the horrors of being online; that the internet is full of strange weirdos who are just looking for opportunities to gain access to our children, that everyone is at risk of sexual exploitation, that we are not fulfilling our parenting duties properly.

I recently sat through a ‘parents online safety session’ without admitting to the trainer that this is what I do as a job. It was awful and ticked all of the above boxes. Parents left the session feeling scared, confused, inadequate and unsure of what their next steps should be, with no strategies to better safeguard their children, no back up, no prevention, no educational resources, hints or tips.

‘She got an iPad for Christmas, I really should put some settings on it, but I don’t know how’ 

(parent of year-3 girl).

I am lucky to be able to go into classrooms and work directly with children. I asked 2 separate year-4 groups of children at a large primary school:

“How many of you use an Xbox, PlayStation or similar to connect to the internet?” in both groups around 2/3 of the class raised their hands.

I then said “keep your hand raised if you play online games with friends from school or other people that you know in real life” most children in both classes kept their hands up.

I then asked the first group “how many of you play online games with strangers – people you don’t know in real life?” Only two children kept their hands raised, and these children received stares and glowers from the others in the class that could mean only one thing – ‘don’t tell Miss that!’

With the second group I phrased the question differently; “how many of you have the exciting opportunity to play games with people from all around the world, people that are just your in-game friends?” It will come as no surprise that most children kept their hands raised.

Whilst my questions were hardly scientific it shows that children know the right things to say and they know when they are doing something they shouldn’t be. Most children will say they know more about the internet than their parents, and a significant number of parents would agree with that. The problem is that children will share what is in their best interests to share. Which is why when trying to drum up interest in a parents’ session it concerned me when a parent said;

‘I don’t need to attend your session, my son tells me everything I need to know’ 

(parent of year-4 child)

When we start to take parenting advice from our children we are on quite a slippery slope. Usually, the parents that do turn up to sessions are never the ones you want to reach. They are already alert to some of the risks faced by their children and they have filters in place, they monitor, they question and take an interest in their child’s online life.  We also need to open our eyes to the fact that the children of money-rich, time-poor parents are just as vulnerable as they have access to the latest kit and are often left to their own devices to use it.

‘I can’t believe she has done that [sexting], she has a horse…’ 

(parent of year-9 girl)

Parents seem to forget that children are naturally inquisitive, they are risk-takers and like to push boundaries – it is a natural part of growing up. Parents need to be taught about how the risks faced by children online are just as serious as the risks faced offline and how to deal with any worries or concerns they have as they would offline concerns.

We have many groups of children who do not benefit from Online Safety education, such as those who are home-educated, long term sick or traveller children.

We don’t have enough high quality resources for SEND children and those who have English as a second language, including British Sign Language. We know that our SEND students are particularly vulnerable online as the internet is a great leveller and additional needs can easily be hidden from view.

Some of our parents may have additional needs themselves and we have to support them better. We need to ensure that the resources we are rolling out are fit for purpose and meet the needs of all. We need to ensure that the education we are giving to parents is relevant and up to date as some parents base their advice on ‘how it was in my day’ with no thought or consideration to how things may have changed;

‘I gave him my old iPhone, but its ok, he can’t get online because I haven’t put any credit on it’ 

(parent of year-10 SEND boy)

Tech has become so important to our children that the fear of having a device removed is a very powerful motivator for our children to become secretive about their behaviour or they may delete their online activity by clearing their history or use private browsing;

‘She was on a site called ‘Talk to Strangers’ so I confiscated her phone for 2 weeks, she hasn’t been on the internet on her phone since then, and I know that’s true because I check her history every night’ 

(Overheard, primary teacher and parent of year-9 girl)

We need to ensure that parents do not have a knee jerk reaction when they find their children have done something risky. Parents need to be taught to open the lines of communication, talk to their children and provide a safe place to fall if everything goes wrong. We know that children value the support of their parents but while parents are still confused about what to do and so children are guiding them, we are fighting a losing battle.

We need an innovative system that will truly engage parents and carers, one that is simple, empowering and effective; one which enable parents and carers to feel confident in their ability to keep their children safe online and in turn their children empowered to make safe choices.

We need to engage parents better and we need to do it now.

“I wish I could tell the parents about the cases of grooming and CSE we have recently had at   this school, if they knew it was happening right here they would come to these sessions, because they don’t see it they don’t think their children are at risk”

(Headteacher, Primary school)

So what?

Since the release of the Byron Report [21] in 2008 and the subsequent Government action plan that saw the creation of the UK Council for Child Internet Safety (UKCCIS) [22], online safety has been a significant area that remains at the heart of child protection within the UK.

It is increasingly apparent that technology is interwoven through many aspects of safeguarding, from sexual predation and exploitation, to bullying and child abuse, providing a platform that enables and sustains issues in way that requires a more sophisticated approach when crafting effective interventions. During that time we have seen UK Government driving:

  • Strategies to reduce the amount of illegal child abuse images available to UK internet users and to tackle trade of illegal child abuse images involving UK children in the international arena
  • Significant changes in law to prosecute those who post sexual content online, without the permission of the subjects involved
  • Changes in the Criminal Justice Bill to prosecute those who post hate or racist content online
  • Strategies to reduce online bullying
  • Changes in police policy and procedure to manage the posting and sharing of self-generated indecent images of children online

Whilst these changes to overarching legislation are welcome and provide the right levers for change, measuring the impact of these new strategies can often be difficult as can ensuring consistency in monitoring their efficacy, holding agencies to account, and addressing identified weaknesses or breaches. Recent research gives indicators that legacy approaches to internet safety education may be having little effect in changing the knowledge and practice of young people.

There are a variety of different curricular resources available, each with their own approach and attendant variance, but no established standards that allow consistent metrics to compare or assess learning and progress. Put simply, how do we know that the education programmes we provide are making a difference?

The insights from experts in their respective fields of online safety paints a pretty bleak picture all told, though in today’s media we have become used to bad news scenarios, and over-hyping of issues. However, in this case the ‘hype’ is warranted.

The Office for National Statistics last year estimated there were almost 6 million fraud and cyber-crimes committed in England and Wales [23]. Included in this were 2 million computer misuse incidents, involving malware infections and unauthorised access to personal information, both of which are a conduit to onward cyber-enabled fraud.

At the same time, we are seeing a marked increase in cyber=enabled crimes against children, bullying, grooming [24], exploitation, as ease of use and engagement into the digital world soars. Children are using the internet from younger and younger ages, with little or no recognition of the connected nature of what they are doing, no concept of the internet itself, and almost no understanding of the potential risks therein. It is not hyperbole to say that ignorance of the risks of the internet has led to the death of children. Children who have been engaged through online channels.

With the scale of development in the digital space and growth in earlier adoption we have a problem that is only going to worsen unless action is taken.


It is acknowledged that there has been some significant movement on the issue of Online Safety in the last ten years, which has seen the birth of the UK Council for Child Internet Safety (UKCCIS), and more recently the Department for Education’s Keeping Children Safe in Education (2016) [25], and Ofsted’s Safeguarding Schedules [26].

Alongside this there has been a huge growth in superb online resources for both adults and children to provide advice and guidance in online safety. Just a cursory glance at the efforts of Southwest Grid for Learning’s (SWGfL) portfolio of resources and education plans highlights what can be done, but without consistent and widespread adoption therein we will always have inconsistent results. And although SWGfL are an exemplar in this space there are also a number of very poor resources.

Much of the activity in this space is disparate at best, without coherent application, and, as a result actions to improve understanding of online safety and digital literacy has largely failed. This is evidenced by the continued growth in all aspects of cyber risk, both to organisations and individuals.

The last UK Schools Online Safety Policy and Practice Assessment [27] highlights some key issues. The assessment is undertaken from self-review data of almost 7,000 schools and shows that the strongest aspects are primarily policy-based, for example having effective Acceptable Usage Agreements in place. It shows that the weakest areas across those participating schools are the practical and engagement aspects of online safety, especially for wider community and staff training.

The progress achieved in standardising operational policy and technical intervention is to be welcomed, however, the gaps in effective staff development and the ability to assess impact have a negative effect on a school’s ability to deliver an online safety curriculum that has positive and measurable outcomes.

Schools and early years providers are a pivotal component of safeguarding strategy: not just because they are educators and mentors, but also because they are the single agency where most children can be engaged.  They are the key agencies required to identify, intervene and escalate child protection issues, providing an important intelligence route into the wider, collective agency hub (MASH [28] or otherwise).

Whilst educational establishments and early years settings carry a lot of influence in changing attitudes, they also shoulder an increasing amount of responsibility for the safety and well-being of the children and young people in their care. Many schools have made significant changes to their operational procedures to incorporate online safety into their wider safeguarding strategy. However, online safety education (a significant influence in affecting change) remains, at best inconsistent, and at worst, absent entirely.

Currently, the development of online safety across the education sector is significantly sub-optimal, both within the classroom and also in relation to wider engagement with communities. Compounding this the almost complete absence of engagement with the adult population when it comes to digital literacy and online safety. Not only are we failing to educate those in mainstream education cohesively and measurably (not forgetting those not touched by mainstream education), but we are also failing to engage similarly with adults, who both need to provide support and require support themselves.

Underpinning much of the cyber security world in the UK is the recently published National Cyber Security Strategy [29], which in itself has funding of £1.9bn. However that strategy does little to draw out, highlight and earmark plans to address the digital literacy gap in the UK populace. Security can only get so far if the general populace remains ignorant of the risks involved in an ever increasingly interconnected life. This populace makes up the customers and employees, of today and tomorrow, which this strategy seeks to secure.

The National Cyber Security Strategy has a clear vision:

“Our vision for 2021 is that the UK is secure and resilient to cyber threats, prosperous and confident in the digital world.”

National Cyber Security Strategy

There are some fantastic outline technological preventions being heralded as part of the Active Cyber Defence (ACD) programme [30], which are aimed at reducing the threat to UK citizens and organisations. These initiatives, if brought to fruition, with sufficient take-up, will make a difference to the threat landscape, but prevention through technology is not a panacea. How can the UK truly be secure and resilient to cyber threats if the population is uninformed?

It should be noted that the answer, or answers, to this problem are not easy. There is no “one size fits all” solution, and even if there was embedding it in the culture of the UK would be challenging, but we have to start and we have to start now! We have to build engagement with the subject matter, create opportunities for growth and progression, and we have to build a foundation of knowledge for all, not just those already engaging or in mainstream education.

We must develop a coherent and collegiate cross-sector response to upskilling the people of the UK, young and old, in order to maximise exploitation of digital opportunities, whilst minimising and mitigating the potential risks therein.


There is considerable work required in this space. Although there has been a drive in the UK Government’s Digital Strategy [31] for Digital Literacy growth and a wider focus on internet safety this can still be seen as far too narrow in actually addressing a core knowledge gap across all generations. There is a clear focus on leveraging technology as an enabler and preventative measure, which should be championed. However, without an underpinning educational approach across all demographics this will only address symptoms. There are key foundations which must be laid down to enable a truly cohesive roadmap for developing Online Safety and Digital Competence. Collectively the authors have identified key areas that need progressing as a matter of urgency:

R1. Ownership and responsibility for Digital Competence, including online safety, MUST be established at the core of a UK Government that oversees and ensures it is embedded holistically across all services and functions of Government.

R2. A progressive and effective framework for Digital Competence MUST be embedded at the heart of the education system. This should include:

  • a curriculum that is consistent, has scope and progress
  • the capability to build on prior knowledge
  • the ability to meet need, either through age range or developmental stage
  • materials that are engaging and resources that draw on latest knowledge
  • the right environment for honest and open dialogue to take place
  • a metric to benchmark impact and progress
  • opportunities for young people to shape and contribute to the curriculum
  • educators and mentors who are empowered to facilitate the most effective lessons
  • the support and engagement of families and the community to continue that education beyond the classroom
  • the flexibility to dovetail into other curriculum areas
  • the adaptability to be used in other children’s settings and be pushed beyond children in mainstream education

R3. The Government should establish an Online Safety Commissioner, with the responsibility to drive Online Safety measure across the UK. They should work in tandem with areas like the Children’s Commissioner and UKCCIS, and have responsibility for ALL aspects of Online Safety in the UK.

R4. A portion of the £1.9bn of funding invested in the National Cyber Security Strategy MUST be apportioned to the drive to build Digital Competence for the entire UK populace.

R5. A coherent focus MUST be developed to determine the ideal level of Digital Competence, including Online Safety, current gaps across different demographics and the appropriate mechanisms to deliver a cohesive and progressive strategy to address these gaps. This focus MUST be pursued in conjunction with leaders in Online Safety, industry, academia, technology, and core demographic representations, having a clear focus on Digital Competence for ALL.

Edward Tucker, Lee Pardy-Mclaughlin, Judith Staff, Traci Good and Carl Gottlieb


  1. Home Office (2017) Tackling Child Sexual Exploitation: Progress Report London: Home Office
  2. NSPCC (2016) Bullying and Cyberbullying: Facts and Statistics London: NSPCC
  3. Financial fraud costing UK £2 million a day. Financial Fraud Action Press Release March 16 2017
  4. Growing Up Digital Taskforce (2017) Growing Up Digital. London: Office of the Children’s Commissioner for England
  5. Select Committee on Communications (2017) Growing Up With The Internet. London: House of Lords
  6. https://www.getsafeonline.org/
  7. https://www.internetmatters.org/
  8. http://swgfl.org.uk/
  9. http://www.kent.gov.uk/education-and-children/protecting-children/online-safety
  10. See footnote 4
  11. Identity Fraud Reaches Record Levels. Cifas Press Release 15 March 2017
  12. Holly Bentley, Orla O’Hagan, Annie Raff and Iram Bhatti (2016) How safe are our children? 2016 London: NSPCC
  13. See footnote 6
  14. See footnote 7
  15. https://www.net-aware.org.uk/
  16. https://www.saferinternet.org.uk/
  17. https://www.ncsc.gov.uk/
  18. Alexis Jay (2014) Independent Inquiry into Child Sexual Exploitation in Rotherham 1997-2013. Rotherham: RotherhamMetropolitan Borough Council
  19. Professor John Drew (2016) An independent review of South Yorkshire Police’s handling of child sexual exploitation 1997 – 2016. Doncaster: Doncaster Safeguarding Children Board
  20. Alan Bedford (2015) Serious Case Review into Child Sexual Exploitation in Oxfordshire: from the experiences of Children A, B, C, D, E, and F. Oxford: Oxfordshire Safeguarding Children Board
  21. Professor Tanya Byron (2008) Safer Children in a Digital World. London: Department for Children, Schools and Families
  22. https://www.gov.uk/government/groups/uk-council-for-child-internet-safety-ukccis
  23. ONS (2017) Crime in England and Wales: Year Ending Sept 2016. London: Office for National Statistics
  24. Carron Fox and Gunes Kalkan (2016) Barnardo’s survey on online grooming. Barkingside: Barnardo’s
  25. Department for Education (2015) Keeping children safe in education. London: Department for Education
  26. Ofsted (2015) Inspecting safeguarding in early years, education and skills. London: Ofsted
  27. Professor Andy Phippen (2015) UK Schools Online Safety Policy and Practice Assessment 2015. Exeter: South West Grid for Learning Trust
  28. Home Office (2014) Multi Agency Working and Information Sharing Project: Final Report. London: Home Office.
  29. Cabinet Office/HM Treasury (2016) National Cyber Security Strategy 2016 to 2021. London: HM Government
  30. Ian Levy (2016) Active Cyber Defence – tackling cyber attacks on the UK. London: National Cyber Security Centre
  31. Department for Culture, Media & Sport (2017) UK Digital Strategy. London: HM Government