Cybersecurity in education does not always receive the attention it deserves, despite the role educational institutions play in shaping society. Universities, schools, and research bodies sit quietly behind many of our public systems, producing knowledge, talent, and innovation. They are foundational, and that also makes them increasingly exposed.

When we look at cybersecurity in education today, the picture is mixed. Over the past 12 months, we have seen genuine progress. Many institutions have increased their investment in security, and core controls have improved. That progress should be recognised.

At the same time, around 65% of educational institutions still have meaningful gaps. These gaps are rarely the result of neglect. They are usually driven by structural constraints such as limited budgets, difficulty hiring skilled staff, and reliance on legacy systems that cannot be replaced quickly. These challenges are particularly acute in primary and secondary education, where funding is often extremely limited and progress has been slower.

‍

Why Cybersecurity in Education Remains a Target

Educational institutions hold large volumes of sensitive data. Personal data, research data, and intellectual property are all highly valuable to cybercriminals. As a result, cybersecurity in education continues to be shaped by persistent targeting.

Ransomware remains one of the most common threats we see, and phishing continues to be one of the most effective entry points. Phishing works because it targets people rather than systems, which is why continuous monitoring and response capabilities play such an important role in reducing risk. While technical controls have improved, human behaviour remains difficult to defend at scale, and attackers understand this well.

Once access is gained, attackers often encounter outdated systems and unmanaged devices, particularly in environments that have not been modernised due to budget constraints.

‍

Structural Challenges in Cybersecurity for Education

Cybersecurity in education is complicated by the nature of educational environments themselves. Networks are large and distributed. User populations are diverse. Openness is necessary for teaching, research, and collaboration. Security teams are usually small, which makes sustained monitoring difficult to maintain internally, particularly in smaller institutions.

Even where commitment is high, these factors make defence difficult. Complexity increases exposure, and limited resources restrict how quickly gaps can be addressed. This is especially true for smaller institutions that cannot afford round-the-clock coverage or extensive tooling.

‍

The Human Impact of Cybersecurity in Education

One of the most significant and often overlooked aspects of cybersecurity in education is the pressure placed on people. IT directors, CISOs, and security teams operate under sustained strain. Anxiety and burnout are common, and in many cases the pressure is comparable to what we see in healthcare.

When an incident occurs, that pressure intensifies. Operational disruption, reputational damage, and long-term consequences often extend well beyond the incident itself. Cybersecurity is carried by people, and when those people are exhausted, risk increases regardless of how many controls are in place.

‍

Security Awareness and Cybersecurity in Education

As organisations adopt more controls and improve their foundations, certain gaps continue to appear. Legacy systems remain difficult to retire. Unmanaged devices reduce visibility. Security awareness and social engineering training is often still relatively traditional, particularly when it comes to phishing.

This is why awareness training continues to play a critical role in cybersecurity in education. Modern security tooling is powerful, but it is also complex. For organisations with limited resources, training is often one of the most achievable and effective ways to reduce risk. It is easier to fund than new infrastructure and can significantly reduce exposure to phishing-based attacks.

‍

The Future of Cybersecurity in Education

Looking ahead, cybersecurity in education will continue to be shaped by increasing attack pressure, regulation, and governance. Cyber incidents affecting educational institutions are becoming more visible. Regulatory expectations around resilience and data protection are rising. Boards are more engaged and more informed on cybersecurity decision making.

Together, these factors are accelerating the adoption of security controls. Cybersecurity will always involve uncertainty and judgement. The objective is not perfection, but resilience that is realistic, sustainable, and aligned with how educational institutions operate.

Cybersecurity in education is not just a technical challenge. It is an organisational challenge, a human challenge, and increasingly, a leadership challenge.