Education cybersecurity posture lacking

22 January 2025

New research highlights the need for ongoing concern for the UK education sector’s cybersecurity posture in the light of a growing threat landscape.

ESET’s findings reveal that 73% of institutions surveyed have experienced at least one cyber-attack or breach in the past five years, with a fifth reporting three or more incidents. This aligns with government data from 2024, which found that 77% of education organisations had experienced a breach or attack in the previous year – far higher than the 50% of UK businesses overall that had been targeted.

Despite being a key target for cyber threats, one-third of education institutions surveyed still lack fundamental protections, such as antivirus software (33%) and strong password policies (35%). Additionally, the majority (79%) have not adopted advanced measures like managed detection and response.

Another key but often overlooked safeguard is cyber insurance, which, according to government data, under half of primary schools (44%) and even fewer secondary schools (36%) report having in place. In fact, the ESET findings reveal that 7% of institutions operate without an annual cybersecurity budget at all.

This cybersecurity shortfall not only jeopardises organisational data but puts sensitive student information at risk. As cybercriminals increasingly target educational institutions, students' personal and academic data remain highly vulnerable to theft or misuse. Compounding the issue, 21% of education organisations surveyed admit they feel unprepared or not confident to tackle the rising tide of AI-driven cyber threats.

When asked about the main reasons why they wouldn’t take out a cyber insurance policy, many stated that they prefer to prioritise the budgets they have for cybersecurity measures (37%). Others cited concerns about payout reliability (33%) and complex or unclear policy terms (32%). Meanwhile, 28% believe cyber insurance is too expensive, while 18% revealed they simply don’t understand its value.

These revelations all come at a time when education organisations continue to battle familiar foes, with data breaches (61%), malware (55%) and phishing (43%) topping their list of concerns. While 76% of education organisations surveyed believe their staff have excellent or good knowledge and awareness of cyber security best practices and online safety, over half still plan to prioritise increasing staff awareness and training and expanding their cyber security tools or software over the next 12 months (55% and 51% respectively).

Over three-quarters (77%) believe their institutions would benefit from enhanced cyber security measures with managed support from an external, specialist cyber security provider. However, nearly half (47%) of education organisations surveyed said they would need evidence of a cyber-attack’s potential detrimental and financial impact on their institution to help convince their finance department to approve a larger cybersecurity budget.

“Education organisations are sitting on a ticking time bomb. While it’s clear that the sector recognises the critical importance of cybersecurity, there is a huge disconnect between budget allocation, lack of insurance and its misconceptions, and inadequate measures, which is leaving institutions highly vulnerable. A comprehensive strategy that includes both cutting-edge security tools, like managed detection and response, and appropriate insurance coverage, is essential to protect against potentially devastating financial and operational impacts,” said Jake Moore, Global Cybersecurity Advisor at ESET. “These findings underscore the urgent need for education organisations to adopt a more robust and integrated approach to cybersecurity. Institutions can better safeguard their operations, staff and students, by increasing investment, educating stakeholders, implementing advanced solutions, enhancing training, and collaborating with specialised providers.”