New research highlights crucial cybersecurity gaps in education sector

New research highlights the need for ongoing concern about the UK education sector’s cybersecurity posture in light of a growing threat landscape.

ESET’s findings reveal that nearly three-quarters (73%) of institutions surveyed have experienced at least one cyberattack or breach in the past five years, with a fifth reporting three or more incidents.

This aligns with government data from 2024, which found that 77% of education organisations had experienced a breach or attack in the previous year – far higher than the 50% of UK businesses overall that had been targeted.

Despite being a key target for cyberthreats, one-third of education institutions surveyed still lack fundamental protections, such as antivirus software (33%) and strong password policies (35%). Additionally, the majority (79%) have not adopted advanced measures like managed detection and response.

Another key but often overlooked safeguard is cyberinsurance, which, according to government data, under half of primary schools (44%) and even fewer secondary schools (36%) report having in place. In fact, the ESET findings reveal that 7% of institutions operate without an annual cybersecurity budget at all.

This cybersecurity shortfall not only jeopardises organisational data but puts sensitive student information at risk.

As cybercriminals increasingly target educational institutions, students’ personal and academic data remain highly vulnerable to theft or misuse. Compounding the issue, one in five (21%) education organisations surveyed admit they feel unprepared or not confident to tackle the rising tide of AI-driven cyberthreats.

When asked about the main reasons why they wouldn’t take out a cyberinsurance policy, many stated that they prefer to prioritise the budgets they have for cybersecurity measures (37%). Others cited concerns about payout reliability (33%) and complex or unclear policy terms (32%). Meanwhile, 28% believe cyberinsurance is too expensive, while 18% revealed they simply don’t understand its value.

Top threats persist

These revelations all come at a time when education organisations continue to battle familiar foes, with data breaches (61%), malware (55%) and phishing (43%) topping their list of concerns. While three-quarters (76%) of education organisations surveyed believe their staff have excellent or good knowledge and awareness of cybersecurity best practices and online safety, over half still plan to prioritise increasing staff awareness and training and expanding their cybersecurity tools or software over the next 12 months (55% and 51% respectively).

The case for managed support

Over three-quarters (77%) believe their institutions would benefit from enhanced cybersecurity measures with managed support from an external, specialist cybersecurity provider.

However, nearly half (47%) of education organisations surveyed said they would need evidence of a cyberattack’s potential detrimental and financial impact on their institution to help convince their finance department to approve a larger cybersecurity budget.

Jake Moore, Global Cybersecurity Advisor at ESET, said: “Education organisations are sitting on a ticking time bomb. While it’s clear that the sector recognises the critical importance of cybersecurity, there is a huge disconnect between budget allocation, lack of insurance and its misconceptions, and inadequate measures, which is leaving institutions highly vulnerable.”
