
Cybersecurity In Education: Mitigating The Risk Of Cyber Attacks To Schools And Universities

A 2021 survey run by the Department for Digital, Culture, Media and Sport revealed that 39% of all UK businesses identified a cybersecurity breach or attack in the previous year. It also found that 36% of primary schools, 58% of secondary schools and 75% of further education colleges identified a breach or attack. Incidents included phishing attacks, user impersonation, viruses (including spyware and malware) and more.

Key takeaways from the report included:

  • 26% of further education colleges experience breaches or attacks at least once a week, compared to 6% of primary schools and 15% of secondary schools;
  • 33% of further education colleges had a material outcome from these breaches, such as a loss of control, data or money;
  • This is similar for secondary schools (33%) but lower for primary schools (24%);
  • 21% of the colleges that were breached saw user accounts being compromised.

With cyber attacks on the rise, how can cybersecurity in education be improved?

User awareness and training

Phishing is the most common attack type: among organisations that identified an attack in the UK government survey, 83% of businesses and 91% of further education colleges reported phishing. In addition, the IBM Security Services 2014 Cyber Security Intelligence Index found that over 85% of all incidents had a "human" factor as a contributing cause. These factors included:

  • System misconfiguration;
  • Poor patch management;
  • Use of default usernames and passwords or easy-to-guess passwords;
  • Lost laptops or mobile devices;
  • Disclosure of regulated information via use of an incorrect email address;
  • Clicking on an unsafe URL or infected attachment.

To mitigate the risk of these attacks, user awareness is key, especially in a sector like education, where funding and support are often scarce.

Raising user awareness

Regular, organisation-wide training is essential to raise user awareness and reduce the risk of a successful cyber attack. For example, train staff to identify a scam email and the signs to look out for. Encourage them to check the actual sender address, not just the display name: does an email claim to come from a member of staff while the address behind the name is external, or on a domain that only looks like the organisation's own? Train staff to consider whether a link or attachment looks legitimate or whether it could carry malware, and to report suspicious messages rather than simply deleting them.
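The display-name versus sender-address check described above can be automated for triage. The Python below is an added example, not code from the original article or from Hicomply: it parses the `From` and `Reply-To` headers, compares the display name against a small staff directory, and looks for look-alike domains (swapped `1`/`l`, `0`/`o`, `rn`/`m`, or a domain within two edits of the real one). The trusted domain `school-example.org`, the staff directory and the three sample messages are all constructed for the demo.

```python
"""Flag sender-impersonation signs in e-mail headers.

Added example, not the article's own code. TRUSTED_DOMAINS, STAFF and the
sample messages are constructed for the demo; there is no live mail access.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"school-example.org"}          # assumed internal domain(s)
STAFF = {"jane smith": "jane.smith@school-example.org"}  # assumed directory

# Substitutions attackers use to build look-alike domains.
_CONFUSABLE = str.maketrans("1i0", "llo")


def normalise_domain(domain: str) -> str:
    """Lower-case and fold common look-alike characters so that
    'school-exampIe.org' and 'school-example.org' compare equal."""
    return domain.lower().replace("rn", "m").translate(_CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (single-letter typosquats sit at distance 1-2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def check_sender(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means no sign
    of impersonation in the headers (it says nothing about the body)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    findings = []

    if sender_domain in TRUSTED_DOMAINS:
        # Internal domain: assumes SPF/DKIM/DMARC are enforced at the gateway,
        # otherwise this header is trivially forgeable too.
        return findings

    # 1. Display name claims an internal identity, address is external.
    if name.strip().lower() in STAFF and addr != STAFF[name.strip().lower()]:
        findings.append(
            f"display name '{name}' matches a directory entry but address is {addr}"
        )

    # 2. Look-alike domain.
    for trusted in TRUSTED_DOMAINS:
        if normalise_domain(sender_domain) == normalise_domain(trusted) \
                or edit_distance(sender_domain, trusted) <= 2:
            findings.append(f"look-alike domain {sender_domain} resembles {trusted}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From")

    return findings


# Constructed sample messages (headers only matter here).
SAMPLE_LOOKALIKE = (
    'From: "Jane Smith" <jane.smith@school-exampIe.org>\n'   # capital I, not l
    "Subject: Urgent: update your payroll details\n\nPlease click the link.\n"
)
SAMPLE_INTERNAL = (
    'From: "Head Teacher" <head@school-example.org>\n'
    "Subject: Staff meeting\n\nSee you at 3pm.\n"
)
SAMPLE_REPLYTO = (
    'From: "Finance Office" <finance.office@gmail.example>\n'
    "Reply-To: <invoices@attacker.example>\n"
    "Subject: Invoice attached\n\nPlease pay promptly.\n"
)

if __name__ == "__main__":
    for label, sample in [("look-alike", SAMPLE_LOOKALIKE),
                          ("internal", SAMPLE_INTERNAL),
                          ("reply-to", SAMPLE_REPLYTO)]:
        print(label, "->", check_sender(sample) or "no findings")
```

The edit-distance threshold is deliberately loose and will be noisy for short domains; in practice, pair a check like this with DMARC enforcement on your own domain, since the `From` header of an internal-looking message is only trustworthy if the gateway has verified it.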


Passwords that are easy to guess are another way threat actors can gain access to organisational information. Research by NordPass, using a four-terabyte database, found the most common password in 2021 was ‘123456’, which was used 103,170,552 times and would take an estimated less than one second to crack.

Ensuring users choose stronger passwords than '123456' and 'password' is important. Complexity rules (a mix of upper- and lower-case letters, numbers and special characters) help less than screening new passwords against lists of common and previously breached passwords, and encouraging staff to use a string of three random words gives long passwords that people can actually remember. Passwords alone are not enough, however, so take further steps as an organisation: implement two-step verification (multi-factor authentication), for example with an authenticator app such as Microsoft Authenticator, which generates time-limited one-time codes that staff enter when they log in. A phished password is then useless on its own.

The UK government is beginning to set information security requirements for further education organisations. In 2020, an update to the Education and Skills Funding Agency (ESFA) funding agreements required organisations to meet the government-backed Cyber Essentials scheme, progressing to Cyber Essentials Plus from the 2021 to 2022 funding year. The update also stated that a requirement for preparatory work towards ISO 27001 would be introduced at a later date.

Another approach to risk mitigation is to implement a full information security management system (ISMS). An ISMS is the core of ISO 27001 certification and gives you a structured way to protect your data and to manage and reduce risk. It can be delivered at low cost if an automated solution like Hicomply is used. In brief, the main steps are:

  • ISMS scoping – the first step is to define the scope of your ISMS so that it suits your organisation. In doing so, you define the information your organisation intends to protect, up to and including personal data.
  • Asset register – creating an asset register defines what your ISMS will protect: information, hardware, software and physical assets.
  • Risk assessment and treatment – this step identifies possible risks to each asset and the treatments that mitigate them, and assigns the resulting tasks to specific members of staff or to your entire organisation.
  • Policy and procedure creation – to ensure the risks are mitigated and your assets are protected, create the policies and procedures that ISO 27001 certification requires.

Undertaking the above steps enables you to create an ISMS to protect your data and implement a thorough plan to mitigate risk for each identified organisational asset. To learn more about ISO 27001 certification and how Hicomply’s software can make the process easier, faster and less time-intensive, visit our ISO 27001 hub.

Implementing and improving cybersecurity in education

To reduce the risk of cyber attacks, educational organisations will see significant benefits from implementing the three measures discussed above: user awareness training, stronger authentication (password screening and two-step verification) and an information security management system.

Looking to align your organisation with an internationally-recognised security standard and protect your data by working towards ISO 27001 certification? Get in touch with Hicomply.
