Unfortunately, cyber-attacks are not new anymore. From big to small-level attacks, they’re happening every day. And one sector that’s particularly vulnerable is education. From primary schools to universities, these institutions store sensitive personal information of students and proprietary research, sometimes in outdated systems and often with a lack of adequate cybersecurity measures.
126 incidents were reported in the UK’s education sector in 2023 alone, higher than any year prior. A UK government research says 70% of secondary schools identified a breach between 2023- 2024. The most recent is the ransomware attack on a London high school that forced them to close the school and send students home.
The trend is clear – cyber attacks are increasing in quality and quantity. It’s high time educational institutions prioritise and relook at their security strategy and be prepared to counter them.
Is cyber security a priority for educational institutions?
Despite the growing threat, do educational institutions understand the gravity of the situation and prioritise cyber security enough?
According to the UK government research, while universities and higher education institutions are more aware and better equipped, schools lag behind, with less sophisticated approaches and unaware of basic cybersecurity measures like Cyber Essentials.
But recent incidents show everyone can be a target. An attack targeted at a Gloucestershire school resulted in hackers stealing and publishing sensitive student data, including details about children with special needs, staff contracts, and even child passport scans—putting victims at risk of identity theft.
When you do not prioritise cyber security, you are potentially compromising on student and staff security, and if you think ‘it’s not going to happen to us’, the implications can be costly.
However, the research further suggests even if they identify cybersecurity as a high priority, limited funding and budgets and a reactive approach make it difficult to invest in them.
So simply identifying cyber security as a priority and raising awareness is not enough anymore; we need proactive, cost-effective strategies to enhance security in educational institutions, and, most importantly, protect their students and staff.
Practical ways to improve your cybersecurity in educational institutions
2) How is cyber security training delivered?
We all know security training is important to fight cybercrime. But how is it delivered in your institution? Do you expect students and teachers to complete a security questionnaire annually? If yes, this might end up being a tick-box exercise, where no one ends up benefitting. Chances are they pressed a few buttons just to show they completed the training.
So how can you improve the way you deliver security training? Simulations are a great start. For example, help staff and students familiarise themselves with real-world threats through phishing simulation exercises and monitor the progress.
And make the process fun. No one said cyber security training has to be boring.
If someone reports a suspicious email, recognise them for it. We’ve seen instances where schools and colleges made a fun game out of this training, by doing phishing tests and creating a leaderboard and rewarding those with gift cards who reported it first.
Make cybersecurity a habit for your people. That comes only when they do it regularly, not when you ask them to complete an online assessment once a year.
3) A proactive approach to cyber security
This means you don’t just react after a breach has occurred. You continuously monitor your systems using tools that flag when suspicious activity occurs so you can act before it can cause further harm.
While some advanced Extended Detection and Response (XDR) tools may be costly, depending on your cyber maturity, there are affordable tools in the market that will help you adopt this proactive strategy. Consider starting with basic network monitoring or endpoint protection tools. It’s better to start small than not start at all. If you are new to this, take advice from an external managed services partner.
Also, align yourselves to a recognised standard such as Cyber Essentials which requires you to implement controls like Multi-Factor Authentication and regular software patching etc that protect against common threats.
4) So you think you’ve been hacked. What next?
No one is 100% unbreachable. A mistake can happen to anyone. It’s getting increasingly harder to differentiate a phishing email so on a bad day you might click on a malicious link. What’s important is how quickly the issue is reported and managed. Reporting a phishing attempt to your IT department as soon as it occurs can go a long way in reducing the damage caused by cyber-attacks.
The security mindset we spoke of earlier is not just about teaching people not to click the wrong links, it’s also about informing the right people at the right time if you suspect you’ve been phished. It’s about giving users the confidence to report an incident when a breach happens.
Start tracking how many people report potential phishing attempts or suspicious activities. This data can serve as a valuable metric for measuring the effectiveness of your cybersecurity awareness efforts.
5) Rising insider threats
With enough resources available that are just a quick search away, the technical knowledge required to perform such hacks is lower than ever before. What starts as a curiosity can quickly become a security breach with legal consequences.
So what can you do to stop this? Instilling a ‘security-first’ culture we spoke of can definitely help. Make them aware of the potential consequences of such acts. Segment student and staff network, restricting their access to sensitive systems and data. Such role-based access controls ensure they only have access to resources they absolutely need and nothing more.
6) Prioritising overall child safety
It’s not just about protecting children from hacking attempts; it’s also important to ensure your students are safe while browsing the internet and that exposure to harmful content is kept to a minimum.
Schools have a responsibility to filter out inappropriate content, monitor browsing activities, and make sure kids aren’t seeing anything they shouldn’t.
Implementing robust filtering and monitoring systems helps to maintain compliance with child e-safety regulations and prevents exposure to content that could be damaging.
It’s also not just about blocking some content and sites, you also need to monitor their digital behaviour outside the web browser, which means knowing what they’re typing in a Word doc, what phrases are used etc they use to flag any issues, identify children at-risk or vulnerable and safeguard them better. That’s why filtering and monitoring systems together are needed to ensure children are safe in the digital world.
7) Don’t forget supply chain security
An often overlooked area, but extremely critical is supply chain security. We saw this with the recent NHS attacks. Many educational institutions rely on third-party vendors for software, hardware, and even cloud services. If one of your suppliers gets hacked, you could be at risk too, no matter how strong your own security measures are.
There should be systematic approaches to ensure your suppliers meet the necessary cyber security standards. For example, you could check if they have all the relevant accreditations like Cyber Essentials Plus or ISO 27001.
This is an area where it’s harder to ensure completeness. Doing proper due diligence with all your suppliers takes time and effort. But it shouldn’t be ignored and it shouldn’t be a one-time task; it should be part of an ongoing assessment to ensure that all partners and vendors adhere to your security expectations.
The path forward
In short, if you want to improve your student safety, prioritising cyber security is the way forward. The Department of Education also mandates that colleges and special post-16 institutions (SPIs) will now be required to achieve Cyber Essentials during the 2024 to 2025 funding year.
If you’re not sure where to start or need guidance on meeting these requirements, taking stock of your current setup and identifying gaps is a good first step. Strengthening your defences today will pay off in the long run.
