Cyber security incidents in the education sector are on the rise but embedding good digital habits and awareness can reduce the risk.
The Cybersecurity Breaches Survey 2025 – commissioned by the Home Office and the Department for Science, Innovation and Technology – found that 91% of higher education establishments identified security breaches during the previous year, higher than the proportion of businesses (43%) that experienced an attack.
With the increasing reliance on digital technologies and persistent threats, it is imperative for educational institutions to adopt robust cybersecurity measures.
“The remote learning movement required by the pandemic has brought about many positive changes in the education sector, such as increased flexibility and learning access,” said Brian Sibley, VCTO at Espria.
“Schools are expanding their use of technology for administrative tasks, as well as teaching and learning, and therefore distributing resources across various devices.
“However, this convenience has also accelerated cyber vulnerabilities.
“Entrusted to be stewards of student data, educational organisations have an additional responsibility to protect their student and other stakeholder information that is now stored digitally.
“A single set of credentials from a privileged user is all a cybercriminal would need to execute an impactful breach of student or organisational financial data.
“Changing the culture around cybersecurity can improve perceptions of the risks involved.
“When staff and students become more aware, they can achieve a better understanding of security measures needed to strengthen the entire organisation’s posture.”
Sibley urged all educational establishments to take action with a comprehensive security approach that integrates basic cyber hygiene and mitigating measures.
“Just like personal hygiene, maintaining good health by taking regular recommended actions can avoid any bad outcomes.
“Cyber hygiene practices involve a combination of technical controls, policies, and user behaviours.
“The goal is not to eliminate all external threats, as these are out of your control, but to reduce the risk of an attack occurring and having the measures in place to keep sensitive data secure.
“An easy but effective first step solution is security awareness training. By conducting ongoing training sessions for administrators, staff and students, these organisations can keep everyone informed about the latest threats and embed best cyber hygiene practices into the everyday rhythm of school, college or university operations.
“These training efforts can also help individuals understand their role in safeguarding digital assets, networks and identities while fostering a proactive security culture across the organisation.
“Though it might seem like a compliance activity, it can create a strong first line of defence that prevents attacks from occurring.”
Sibley goes on to describe the quick and cost-effective cybersecurity controls that institutions can implement to protect staff and students on school systems and networks.
“Education systems that aggregate vast amounts of confidential information should never be exposed without multi-factor authentication. Allowing broad access creates a single point of failure that can be easily breached through one set of misplaced credentials.
“Implementing mandatory two-factor authentication, access control permissions based on privileges principles and regularly checking your systems for security vulnerabilities can reduce your attack surface. Institutes can take a further step to secure both their security architecture and network by eliminating unnecessary internet connections, restricting remote access, and protecting data through regular system backups so all essential work is secure and available.
“Clear policies are also essential to guide staff on the best cyber approaches and ensure everyone understands their responsibilities in maintaining security. Coupling this with a simple reporting mechanism to raise awareness of suspicious activities without fear of reprisal will allow individuals to feel confident alerting IT teams and inspire widespread adoption of best practices.”
Sibley concludes: “The education sector is embracing remote learning and digital access, but they must still practise good cyber hygiene by empowering individuals with cyber knowledge and fortifying the organisation’s network. It requires policy, procedure, time and consistent training but if done right, the success rate of attacks can be significantly dampened, and digital environments will become safer for staff and students to use.”