Why Higher Education Institutions are a prime target for cyber-attacks?

Published: 31st August 2021 | In: Insights

Introduction: Cyber Security in Higher Education

The National Cyber Security Centre (NCSC) issued the first of many alerts to universities and colleges nearly a year ago. With the rising number of cyber-attacks threatening to disrupt the start of the academic term, the education sector has continued to face a surge in cyber-attacks. There are no immediate signs this is slowing down.

In part one of this five-part series, we will explore the official trends to explain why universities and colleges are under threat from cyber-attacks. As the new academic term fast approaches, we will explore the security challenges facing this sector and guide you to manage your cyber security risk.

Why are Higher Education Institutions a target?

Cyber-attacks are not a new threat to the education sector. As far back as September 2017, worrying Freedom of Information (FOI) figures released by the Times reported 1,152 security breaches in 2016-17. The number of recorded attacks had doubled in two years, with British universities being actively targeted by cyber attackers.

On a global scale, according to the Microsoft Global Threat Activity tracker, the education sector was the most affected industry, reporting 62% (circa 5.7 million) of malware encounters within the past 30 days. Informed by over 8 trillion daily security signals, the Microsoft Digital Defence Report presents telemetry and insights about the current state of cyber security. In the September 2020 report, education appears in the Top 10 targeted industries for Business Email Compromise (BEC) and the Top 6 for Nation-State Threats. The STRONTIUM, PHOSPHORUS, BARIUM, THALLIUM, and ZINC threat actors targeted universities from July 2019–June 2020.

Microsoft Security Intelligence: Global Threat Activity

According to security incident figures collected by the Information Commissioner's Office (ICO), the education sector was reported to have the third-highest number of ransomware incidents since April 2020. This was behind manufacturing and financial services. So, what makes higher education establishments an appealing target for cybercriminals?

  • Personal & Sensitive Data. Education institutions are responsible for securing significant volumes of sensitive student and staff personal data, valuable intellectual property, and world-leading research, which makes them a tempting target for cybercriminals.
  • Frequency & Scale of Student Community. Due to the transient nature of higher education institutions, with a vast and frequently changing student population, universities and colleges are further exposed to potential cyber-attacks. As we approach the start of the academic term, there is a renewed warning around phishing campaigns. These attempt to gain access to sensitive student credentials or financial details under the decoy of student loans or grants in the weeks leading up to payment dates, or allow threat actors to deploy ransomware by encouraging users to open a malicious file.
  • Reliance on Internal Education. Even with the most sophisticated cyber security systems, the weakest link is always the user. Successfully gaining access to network systems is made simpler by the unique number of users in higher education environments. All it takes is one carefully crafted phishing email and one user to click. Phishing attacks remain a popular method for hackers to distribute damaging malware, such as ransomware, that encrypts valuable data and demands payment to decrypt it. Phishing is also low risk and minimal cost, yet potentially high reward for cybercriminals.
  • Security Skills, Resource & Budget Constraints. As the threat environment evolves and more sophisticated tactics are used, it is challenging to stay ahead of the latest security vulnerabilities. Even when a new critical vulnerability is identified, significant time and resources are required. Legacy IT systems, budget constraints and often limited dedicated security staff add overwhelming pressure to the education sector.

According to the Center for Internet Security (CIS) Control 7: Continuous Vulnerability Management:

“Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers.”

Threat Actors Thriving on Uncertainty

Threat actors and targeted cyber-attacks thrive on uncertainty. There has never been a more opportune time for them than that presented by the pandemic.

Universities, colleges, and schools, around the globe, closed their premises and made an accelerated move to completely adapt their existing operating models. With entire infrastructures shifted to allow for remote teaching and learning practices, not all were ready. UK education institutions quickly became a persistent target for cybercriminals.

It was not just the operational changes that threat actors took advantage of. We also saw it in person-centred social engineering attacks, such as phishing. Criminals sought to manipulate and prey on the general aura of fear, anxiety, and tension prevalent in the presence of Covid-19.

The threat environment we face continues to evolve. Cybercriminals are creative, well-resourced, well-organized, and innovative. They move quickly to discover new threat vectors, use new exploits, and respond to new defenses.

– Microsoft

Credential Phishing: Security Guidance for Universities

See our latest security guidance on targeted phishing attacks on Universities from our Managed Services Team.

Managing the Cyber Security Risk in Higher Education

Following a wave of ransomware attacks on education establishments, a renewed warning came from the NCSC in June 2021. These attacks are intended to cause maximum disruption during a vital time in the academic year, such as clearing and enrolment processes. Universities and colleges should be prepared for similar activity as they prepare to welcome students back to in-person teaching on campus, following the easing of lockdown restrictions.

Not only can significant and sustained cyber-attacks halt university operations, but the reputational damage can also have long-term financial consequences for a sector that relies on students for income. Preparation and early detection can improve internal processes, provide confidence, safety, and security to staff, students, and partners, and reduce the impact and overall time it takes to recover from the incident.

The latest warning from NCSC reaffirms the necessity for education establishments to transform their existing approach and prioritise managing their cyber risk.

People (staff, students, and partners) are some of the best intrusion detection mechanisms your organisation has. Embed good behaviours that work both at home and on-campus, such as multi-factor authentication. This extra layer of security makes it extremely difficult for an attacker to get past, because access cannot be gained by knowing or cracking the password alone.

In addition, set out a reporting process for when, not if, an individual clicks on a malicious link. This will help build awareness and maintain vigilance amongst students and staff. Implementing a vulnerability and patch management policy will also ensure your software and applications are up-to-date, helping to reduce your cyber risk.

As new, cutting-edge technologies are adopted across the industry, so too do the risks and vulnerabilities to cybercrime increase exponentially. In addition to raising awareness, universities and colleges should implement a Zero Trust approach – “never trust, always verify”.

[Figure: A diagram of Zero Trust security. At the centre is a security policy enforcement engine providing real-time policy evaluation.]

The Microsoft Zero Trust model requires that every transaction between systems (user identity, device, network, and applications) be validated and proven trustworthy before the transaction can occur.

The guiding principles of Zero Trust include verify explicitly, use least privileged access, and assume breach.


In the second part of this Cyber Security in Higher Education series, learn how we are helping education institutions implement appropriate measures to manage their cyber security risk, what the Zero Trust model is, and how to embrace this security strategy in your organisation.

In the meantime, join us on Wednesday 8th September at 10:30 AM (GMT), for ‘Cyber Security Priorities for Higher Education in 2021’. Registration details here.

Cyber Security Incident Response for Higher Education

If your school, college, or university suffers a cyber-attack or breach, contact the Quorum Cyber Incident Response Team for immediate assistance on +44 333 444 0041. Our dedicated team operates 24×7 to keep your organisation moving.