The education industry faces a security crisis, one that goes beyond protecting the classrooms and hallways. IT professionals in the education sector see cybersecurity as their top priority, consistently ranking it as their No. 1 concern.

However, more than three-quarters of employees in the education field lack the cybersecurity awareness required to handle common privacy and security threats. This creates another level of undetected, yet preventable, risks for students, faculty and staff.

Education Is a Prime Target for Cybercriminals

When your network is compromised, cybercriminals are most often searching for personally identifiable information (PII). This information, which includes everything from full names and Social Security numbers to birthdates and bank accounts, has great value on the Dark Web.

Individually, each piece of PII may not do much damage, but when pieced together, criminals can recreate your identity or play the role of a digital Frankenstein, creating a brand new “person” out of multiple pieces of data belonging to different people (e.g., your credit card number, your co-worker’s phone number, the address of a student rental house) to make illegal purchases.

Few industries handle as much PII as the education industry, especially data associated with minor citizens. This PII covers every aspect of an individual’s life. In the eyes of a threat actor, this represents a goldmine to either sell or repurpose for identity theft.

The PII of young people is attractive due to the lack of monitoring. Adults can consult credit reports or leverage identity theft monitoring if their information is compromised in a data breach, but those services may not apply to children. When their PII is stolen, it often goes undetected until they apply for some type of credit, such as a college loan.

There is also a physical security component at work when it comes to PII. Think of how much information could be revealed about your child in one data breach: his or her age, home address, school-related activities, bus route, grades and health records, just to name a few. A malicious actor who accesses PII through the school’s network could theoretically gain physical access to your child. This is an uncommon reason for a cybercriminal to launch a campaign against a school, but it’s something that school leaders and IT professionals must keep in mind when thinking about data protection.

Education is also an easy target because the population is always changing. On a college campus, for example, not only is there an influx of new students and faculty each year, but there is a steady flow of visitors who leave a digital footprint. Widespread use of public Wi-Fi, a forgotten laptop with sensitive research files and careless mistakes by sleep-deprived undergrads can all result in a massive data breach. Cybercriminals know that and will take full advantage.

Lack of Awareness Leads to Social Engineering Attacks

In addition to the abundance of PII, intellectual property and financial records, the poor security posture within the education sector make academic institutions a particularly juicy target. According to one report, 76 percent of education sector employees surveyed earned security awareness scores low enough to land them in the “novice” or “risk” category, which means their behavior is likely to lead to a data breach.

These poor security skills set up the education sector for social engineering attacks. According to Verizon’s “2018 Data Breach Investigations Report,” most attacks in education are initiated by outsider actors. The most popular type of social engineering attack is a W-2 scam whereby school offices are tricked into turning over W-2 paperwork to crooks masquerading as legitimate school or tax officials. This scam may work so well in education due to the fluid nature of the school environment.

Boosting Cybersecurity Awareness Among Educators

There’s a touch of irony in saying that educators need to become better educated, but that’s exactly what must happen to decrease the risk of threats against school networks.

Security awareness training should be geared toward the school environment and involve everyone with network access. Students are often ignored when it comes to security training, even though they access the network from computers at school and from remote locations in the evening. If a fifth-grader accidentally opens a phishing message he or she thinks is coming from a teacher, it could spread malware throughout the entire school.

Because of the nature of the industry, education has an opportunity to lead the way when it comes to good security stewardship. Given the amount of data available to be breached, it’s imperative for IT professionals in the education sector to improve internal security awareness and limit the high risk potential.

More from Risk Management

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today