Security in the UK Education Sector

How do Information Security Attacks threaten the UK Education Sector? Over the last several years, the education sector in the UK has seen many of the same issues that face industries across the world. The increased inter-connectivity of systems and networks has undoubtedly increased efficiencies in work, though it has also opened the door to information security attacks.

Research shows that around 69% of schools surveyed have suffered a phishing attack, whilst 35% have experienced periods with no access to important information. A 69% rise in cyber-attacks launched against schools was also seen between 2017 and 2018 alone.

As the reliance on digital solutions in schools has increased, so has the importance of securing these technologies

Sarah Lyons, Deputy Director for Economy & Society, NCSC

There are many kinds of sensitive and personal information that educational institutions are required to handle, and as many school administrators will acknowledge, methods and practices of handling personal information are not always perfectly secure. Exacerbating this issue is the fact that the majority of schools do not train non-IT staff in cyber security.

The Facts

  • 69% of schools suffered a phishing attack. Though many of these attacks will be unsuccessful, it’s estimated the open rate of phishing emails in schools is 2%
  • Only 35% of schools surveyed train non-IT staff in cyber security, meaning two thirds of school staff are susceptible to information security attacks
  • Only 41% had a business continuity plan. In the eventually of a ransomware attack, operations would potentially grind to a halt
  • Only 49% were confident of their preparedness regarding cyber-attacks

Given the obvious vulnerabilities that exist within the UK education sector, it is unsurprising that cyber criminals are threatening schools. Though outside threat is merely one component of the information security problem.

As with all organisations, many of the information security issues that affect the education sector are not external, and are in fact a result of user negligence; with around 21% of all breaches involving internal actors. One survey of schools shows that 75% believe the biggest threat to their information security was accidental loss by staff.

‘92% would welcome more cyber security awareness training for staff’

Regardless of the sector in which you operate, there are certain standards and best practices to which staff should adhere. It is not so frequently that complex and technically sophisticated attacks are targeted against schools, but it is far more likely that a breach will be as a result of basic information security mistakes.

Top 3 Threats to UK Educational Institutions

Data Breaches

A data breach is defined as the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to data. A breach can come in many forms, such as the unauthorised access to a database, in the case of a hack, or even the accidental loss of a physical storage device, e.g. leaving a USB drive in a taxi, and though they don’t have to: they happen scarily often.

Though there many technical elements to defending against a data breach, there are plenty of ways standard users can help minimise the chances of sensitive information being lost, disclosed or improperly accessed.

Firstly, it is critical that every organisation understands the value of investing in comprehensive information security awareness training, covering proper encryption practices, various types of data and the responsibilities that come with possessing them, and how to best ensure the confidentiality, integrity and availability (CIA) of data.


Despite best efforts, phishing emails are now an unavoidable reality of life and independent of sector. Phishing attacks can vary wildly in sophistication and their objectives; with some aiming to manipulate users into directly giving up sensitive information, such as log in details, while others may be trying to direct users to malicious URLs.

Despite the variety of methods, there are several key practices to keep in mind to reduce the chances of an effective phishing attack:

  •  Be suspicious of unsolicited emails, especially if they contain promises of prizes, unexpected invoices or unrealistic deals
  • Double check the email address. Many times, scammers will intercept communications with addresses that seek to mimic the genuine article
  • Be wary of communications that implore urgency. Attackers often attempt to coerce users into acting quickly and making snap decisions
  • Have protocols and procedures in place. Giving employees at your business specific technical guidance will greatly help to mitigate risk


One of the common objectives of phishing attacks is to introduce malware into a system, of which, ransomware is an increasingly common type. As a type of malware that takes your data hostage, ransomware works by encrypting the files on your computer so that they may only be accessed in exchange for payment (often in the form of cryptocurrency).

Awareness of ransomware increased greatly in 2018, following the WannaCry worm which infected around 200,000 computers and cost the NHS an estimated £92 million. The vulnerability stemmed from the use of outdated IT systems and was likely introduced via a phishing attack. Illustrating, with grave consequences, the importance of up-to-date systems and simulated phishing training.

It may sound simple, but in addition to anti-virus software, the easiest way to defend against malware is to avoid the point of infection. Having security conscious users and a staff adequately informed and trained in information security awareness issues will undoubtedly save time, energy, and more importantly: costs in the long term.

If you’d like to learn more about information security awareness training and how it can help protect your business, click the link below.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.


Cloud Storage Security

Is Information Stored in the Cloud Secure?

There remains concerns about the overall security of storing and processing information in the cloud. Is Information Stored in the Cloud Secure?

Data Breaches 2019

The Biggest Data Breaches and Hacks of 2019

The Biggest Data Breaches and Hacks of 2019: As a new year begins, it's time to begin reflecting on what has been observed. Blog by Hut Six

Google Chrome Password Security

Google Chrome Goes for Gold in Password Security

Google Chrome introduces new password safety features. Cybersecurity blog by Information Security awareness training provider Hut Six.

Pseudonymisation in GPDR

What is Pseudonymisation?

What is pseudonymisation, and why it important to GDPR compliance? Blog from information security awareness training provider Hut Six.

Windows Security Flaw Discovered by NSA

NSA Discloses Severe Windows 10 Security Flaw

An extremely serious Windows 10 Security Flaw has been exposed by the NSA. Blog by cyber security awareness training provider Hut Six.

WiFi Network Security

Top 5 WiFi Safety Tips: The Guide to Staying Secure

How safe is WiFi? Use these WiFi safety tips to help keep you secure online. Blog from cyber security awareness training provider Hut Six.

Travelex Ransomware Attack

Travelex Ransomware Attack Enters Its Third Week

Travelex enters its third week of shutdown at the hands of a ransomware attack. Cyber Security blog by cyber security awareness training provider Hut Six.

Malware and Stalkerware Pandemic

Malware, Stalkerware – Beware: The Growing Market for Privacy Invading Apps

Malware is a persistent threat that can affect every aspect of our digital lives. Identifying, avoiding and removing it are essential to your information security.

Phishing Simulation for Employees

Sending Simulated Phishing Attacks to Employees

How can simulated phishing attacks improve your organisation's security awareness? Blog from information security awareness training provider Hut Six.

The CIA Triangle in Information Security

Information Security Principles: What is the CIA Triad?

The CIA triad consists of three principles upon which professionals typically focus. Blog by Information Security awareness training provider Hut Six.

Speak to us about your Cyber Awareness