Guy Hawkridge
Head of Cyber Security
October 15, 2025
The latest Cyber Security Breaches Survey 2025 makes for uncomfortable reading, but not a surprising one. With 91% of higher education institutions reporting a breach last year, education remains one of the most targeted and most vulnerable sectors in the UK.
Why? Because it’s a perfect storm.
Universities, colleges, and schools hold a treasure trove of data; personal details, financial information, and valuable intellectual property. For attackers, this isn’t only about disruption, but profit too. The data can be sold, ransomed, or used for leverage against the institutions themselves. Add to that a traditionally decentralised IT landscape (multiple departments, independent systems, and a mix of staff and student access) and you have a sector that’s difficult to defend consistently.
Attackers know this. Education is still seen as an “easy win”. Not because teams don’t care, but because they’re often working with constrained budgets, legacy infrastructure, and an environment where consistent policy enforcement is a constant battle.
People, processes, and technology
The survey reveals that impersonation and denial-of-service attacks are significantly higher in education than in other sectors. This highlights that vulnerabilities stem not only from technology, but also from culture and structure.
In many institutions, security teams face the triple challenge of limited investment in technology, difficulty attracting or retaining top talent, and processes that simply don’t fit across such diverse environments.
Even where the right tools exist, they’re often undermined by inconsistent application or lack of awareness. Flat networks, outdated systems, and exposed services remain common entry points. And business email compromise (BEC), still the number one attack vector, succeeds because attackers don’t need sophisticated tools. They exploit operational gaps.
When they get in, they usually stay undetected long enough to cause maximum damage.
Board engagement: more talk than action
On paper, education boards appear highly engaged with cyber security. In practice, though, there’s often a disconnect between talking about risk and taking responsibility for it.
Meaningful engagement means backing security teams, not just by attending briefings, but by approving the budget, resources, and authority they need. Too often, cyber is discussed at a strategic level, only for IT and security leaders to be left fighting fires with minimal support.
In my experience, board interest peaks right after an incident. There’s a rush to review, respond, and rebuild. But the reality is that many of those breaches could have been prevented had the board acted sooner. It shouldn’t take a crisis to drive commitment.
Frameworks without foundations
Another worrying finding is the low awareness of NCSC guidance particularly the 10 Steps to Cyber Security, despite widespread policy adoption. The issue isn’t ignorance, it’s capacity. Many schools simply don’t have dedicated cyber staff. One person may be juggling IT, support, and safeguarding duties all at once. Security becomes something managed “when time allows.”
That lack of focus means institutions miss out on the basics – the “solid foundations” that the NCSC framework provides. Following those 10 steps won’t solve everything, but it will dramatically reduce risk. It helps establish a consistent baseline for protection and resilience, something every institution needs.
The real challenge is bridging the gap between policy and practice. Cyber frameworks are only effective when lived day to day, not when they exist as documents that tick audit boxes. As I often say, you can have the best policy in the world, but if people aren’t following it, it’s just paper.
Convincing leadership of this can sometimes feel like “screaming into the void.” The key is communication by speaking their language, showing evidence from real breaches, and connecting the dots between investment, risk, and reputation. The NCSC’s Board Toolkit is a great resource for this, helping leadership see cyber as a business enabler, not a technical cost.
-
Culture still trumps technology
If there’s one recurring theme across every breach, not just in education, it’s this: you can’t buy your way out of a weak security culture. The real weakness isn’t the people themselves, but how organisations support them. You can deploy the latest tech stack, but without clear policies, training, and leadership leading by example, even the best tools won’t deliver the protection they should.
And this isn’t unique to education. Every sector suffers from the same issue: chasing shiny new technology while neglecting the fundamentals. The basics; access control, network segmentation, vulnerability management are what stop breaches, yet they’re often seen as boring or routine.
-
AI, automation, and the reality check
There’s a lot of noise about AI-driven attacks, and while there’s potential for greater automation on the attacker side, the truth is stark: they don’t need to evolve, because what they’re doing already works. Phishing, BEC, and exploiting unpatched systems continue to yield results. The hype around AI risks distracting organisations from fixing the vulnerabilities that actually matter.
That said, the rise of hybrid learning and increased cloud adoption will continue to reshape the threat landscape. Institutions should already be preparing instead of waiting for the next buzzword to dictate priorities.
The real call to action
If education leaders take one thing from this year’s report, it should be this: listen to your IT and security teams.
They’re the ones at the coalface, seeing the attacks, identifying the weak points, and understanding what needs to change. Cyber security can no longer be treated as a compliance checkbox – it’s a core part of operational resilience.
Real progress will come when boards move from statements of intent to meaningful action when they start backing their teams with trust, resources, and support.
In a single sentence:
Listen, back your people, and make real change.
