Under Attack, Underfunded: Cyber Security in Education

Introduction

Cybersecurity in education is facing a crisis. Schools, colleges, and universities are under constant attack, yet many remain ill-equipped to defend themselves. With rising threat volumes, constrained budgets, and a shortage of dedicated cybersecurity staff, the sector has become a prime target.

In this blog, we combine insights from Joe Wells’ child-focused initiative, CyberHerd, and our experience supporting educational institutions through Rootshell Security’s continuous testing services. Our aim is to spotlight the challenges, show how online risk spills into the real world, and share practical ways to build resilience.

“Understanding online risk isn’t just ‘IT stuff’. When systems fail, lessons are lost, recovery is costly, staff are stretched, and pupils miss vital support. We tell children it’s okay to ask for help; the same should be true for schools.” — Joe Wells.

The State of Play: What the Data Tells Us

According to the UK Government’s 2024 Cyber Security Breaches Survey:

  1. 71% of UK secondary schools and 52% of primary schools reported breaches in the past 12 months.
  2. 97% of higher education institutions and 86% of further education colleges experienced cyber incidents.
  3. In the US, 82% of K–12 schools were affected by cyber threats between mid-2023 and 2024, with 9,300+ confirmed incidents (CIS Security).

Phishing remains the top attack vector:

  1. 92% of affected primary schools and 89% of secondary schools experienced phishing attacks.
  2. In higher education, phishing was reported by 100% of institutions, alongside 90% reporting impersonation attacks and 77% malware incidents.

Why Education Is an Easy Target

Cyber criminals know that many schools are underfunded and underprepared:

  1. Legacy infrastructure and outdated security software are still common.
  2. Weak passwords such as “123456” and “password” remain in use.
  3. Budget pressures mean dedicated cybersecurity roles are rare.

Awareness of official guidance is also mixed:

  1. Only 41% of schools are aware of the NCSC’s cybersecurity guidance, compared with 74% of higher education institutions (Gov.uk).

The Human Cost and Operational Impact

Beyond breach statistics, the real-world impact is significant and immediate:

  1. Lost learning time: lessons cancelled, pupils sent home, and catch-up time that rarely features in budgets.
  2. Financial strain: six- and seven-figure recovery costs diverting funds from teaching and support.
  3. Staff pressure: IT and safeguarding teams firefighting instead of supporting classrooms.
  4. Community disruption: interruptions to exams, free school meals, and safeguarding services.

Some UK school trusts have faced ransom demands exceeding £5 million, with recovery costs around £3 million (The Sun). Individual institutions have spent £300,000 just to resume basic operations.

The lesson is simple: incidents online have consequences offline.

Normalizing Help-Seeking: A Safeguarding Mindset

We encourage pupils to speak up when something isn’t right. IT/InfoSec staff should feel just as comfortable asking specialists for help before, during, and after cyber incidents. Making “ask for help” a visible part of policy and culture reduces risk and speeds recovery.

“If something feels off, ask. If you’re unsure how to harden systems, ask. If you need a second pair of eyes, ask. Safer schools start with safe questions.” — Joe Wells.

CyberHerd: Building Cyber-Safe Habits in Pupils (Ages 7–14)

CyberHerd is a cyber-safety education platform for children aged 7–14. Its mission is to “empower every child with the knowledge and skills they need to navigate the digital galaxy safely, confidently, and responsibly.”

CyberHerd complements a school’s technical controls by strengthening pupil awareness and everyday digital habits. It provides:

  1. Curriculum-aligned, classroom-ready resources for Key Stage 2–3, including lesson plans, activities, and assembly packs.
  2. Gamified learning experiences that teach practical skills such as spotting phishing, creating strong passwords, and reporting concerns.
  3. Teacher guidance and parent take-home materials to keep messages consistent across school and home.

CyberHerd focuses on prevention through education—reducing classroom-level risk and building a culture where pupils know when and how to ask for help.

How Rootshell Security Supports the Sector

Rootshell Security provides continuous security validation to educational institutions, helping teams:

  1. Move beyond once-a-year testing towards continuous assurance.
  2. Prioritize remediation based on real, validated risks.
  3. Track fixes and maintain visibility via the Rootshell Platform.
  4. Improve compliance with data protection standards such as GDPR and Cyber Essentials.

These services are designed with constrained budgets in mind, offering education-sector pricing and vendor-neutral support—so schools can ask for help with confidence.

Recommendations for IT and Security Teams in Education

  1. Normalize help-seeking: make “ask for help” part of your safeguarding and IT culture; rehearse who to call and when.
  2. Teach the basics early: adopt age-appropriate cyber-safety education (e.g., CyberHerd for ages 7–14) to reduce everyday risk.
  3. Implement continuous testing: identify and fix gaps early, not just for audits.
  4. Run regular staff training: phishing awareness, password hygiene, and safe data handling.
  5. Keep a simple risk register and incident response plan: know your high-impact assets, recovery steps, and communications playbook.
  6. Align with NCSC and Cyber Essentials: raise baseline controls using affordable tools and clear standards.
  7. Communicate with parents and carers: extend safe habits beyond the school network.

Conclusion: Stronger Together

The cybersecurity challenges in education are real and rising. By investing in pupil-centered education like CyberHerd and continuous security validation from partners such as Rootshell Security, schools can move beyond baseline compliance and become truly resilient.

“When one school strengthens its defences, everyone benefits—from the classroom to the wider community.” — Joe Wells.

Let’s move from overwhelmed to empowered, together. And remember: it’s okay to ask for help.

Joe Wells
Joe is a Cyber Security Adviser and the founder of CyberHerd. He is a vocal advocate for child-centered, classroom-ready cyber-safety education. Through CyberHerd, he equips teachers, pupils, and families with practical skills to navigate the online world safely.
