Last year, KnowBe4’s report “Exponential Growth in Cyber Attacks Against Higher Education Institutions” illustrated the growing cyber threats facing universities and colleges.

The report highlighted the perfect storm of factors making educational institutions prime targets: vast data repositories, open networks, limited security resources, and decentralized governance structures.

Unfortunately, as we approach the midpoint of 2025, the latest data from the UK Government’s Cyber Security Breaches Survey reveals this trend isn’t merely continuing—it’s accelerating at an alarming pace.

The Numbers Don’t Lie: A Widening Attack Surface
The percentage of educational institutions identifying breaches has increased dramatically across all sectors. Higher education institutions have reached near-universal victimization, with 97% reporting breaches in 2024, up from 85% the year before. Even primary schools—once considered lower-risk targets—saw a concerning 11% increase in breach identification.

What’s particularly concerning is how this compares to the broader business landscape. While all UK businesses experienced an 18% increase in breach identification between 2023 and 2024, higher education institutions are now nearly twice as likely to face attacks as the average business.

Phishing: The Universal Gateway
Phishing attacks remain the dominant entry point for attackers, with 100% of higher education institutions reporting such attempts. The troubling new development is the increased sophistication of these attacks, with impersonation techniques showing substantial growth across all education sectors:

  • Higher education impersonation attacks: 86% → 90%
  • Further education impersonation attacks: 64% → 78% 
  • Secondary schools impersonation attacks: 42% → 58%

These aren’t simple spam emails anymore—they’re targeted, contextual attacks leveraging social engineering and institutional knowledge.

The Rise of DOS Attacks
Denial of service (DOS) attacks have become significantly more prevalent, now affecting 40% of higher education institutions, up from 30% the previous year. Secondary schools saw this threat nearly double from 8% to 14%. These attacks don’t merely steal data—they disrupt operations, causing substantial financial and reputational damage.

The Malware Escalation
Perhaps most concerning is the dramatic increase in malware across all educational sectors, with higher education institutions experiencing a 13% increase (64% to 77%). This suggests attackers are investing in more sophisticated techniques specifically targeting educational environments.

The Human Element: Internal Threats Growing
Unauthorized access by staff increased across all educational sectors, with further education colleges seeing a concerning jump from 11% to 19% and higher education reporting 27% of breaches originating from staff. This underscores a crucial point from KnowBe4’s initial report: technological defenses alone cannot protect educational institutions when the human element remains vulnerable.

Human Risk Management: The New Security Frontier
The 2024 data confirm KnowBe4’s assessment that education needs more robust cybersecurity strategies. The increase in account takeovers (16% to 20% in higher education) and unauthorized access indicates that attackers are finding ways around standard defenses.

The most sophisticated firewall can’t prevent an authorized user from making a security mistake, which is why educational institutes need a comprehensive human risk management program that includes:

  • Threat intelligence-powered defenses that prevent threats from reaching users to begin with
  • Security awareness training that goes beyond annual compliance checkboxes
  • Simulated phishing programs that create measurable security behavior change
  • Just-in-time training interventions that provide guidance at teachable moments
  • Security champions programs that embed security-conscious individuals throughout the organization
  • The right tools for empowered users, so that they can report issues
  • Controls that can protect users if they do make mistakes and fall victim to an attack

The Path Forward: Institutional Commitment
The trends revealed in the latest breach data suggest that cybersecurity can no longer be relegated to the IT department alone. Educational leadership must recognize cybersecurity as an institutional risk requiring board-level attention and investment.

The costs of inaction are growing. While technological defenses and human risk management programs require investment, they pale in comparison to the potential financial, operational, and reputational damage from serious breaches.

As we continue through 2025, educational institutions face a choice: proactively develop comprehensive security programs that address both technological and human vulnerabilities, or risk joining the growing list of organizations making headlines for catastrophic data breaches.