While higher education might not be the sector most people immediately associate with cyber attacks, the fact is that these types of threats are on the rise within higher ed institutions. As of mid-2019, Moody’s characterized cyber risk to higher ed institutions as medium, but increasing, noting that there are a handful of distinct factors that make higher ed an attractive target for hackers and cyber criminals.

In this article we’re making the case for why higher education institutions need to make cyber security a priority as the threat of attack continues to loom ever larger.

Institutions make good targets for attack

Staff, faculty, and students at colleges and universities spend their time focused mostly on learning and research, perhaps without ever realizing how vulnerable the systems they rely on are to attack. Cyber security is usually left to a single specialist or small team to manage across a large organization.

This is unfortunate because, in fact, higher education institutions are uniquely appealing targets for cyber attacks. These institutions collect and store huge amounts of information (including some of the most personal and sensitive data) on faculty, staff, students, and even parents if they are the ones paying the tuition bills on behalf of students.

Some factors that leave higher ed particularly vulnerable

Not only are institutions high value targets, they’re also vulnerable targets. A handful of key factors contributing to this vulnerability are:

  • As at many large enterprise organizations with a lot of bureaucratic oversight, it can be difficult to effect structural change at higher ed institutions. As a result, technology is often outdated and vulnerable to attack.
  • On a related note, tenured faculty and long-serving staff may be particularly resistant to change or lack the technical understanding to keep up to date with security best practices.
  • Students are likely to have a better grasp on proper use of technology but may be less cautious about things like data security, potentially exposing themselves and others to hacking attempts.
  • Many institutions operate on very tight budgets and are reluctant to undertake the expense of implementing the most modern and effective cyber security systems.
  • Outside of the occurrence of something like a major breach, cyber security has not typically been on the radar of those at the highest levels of management at the institution (i.e., the president and his or her cabinet). The result is that cyber security can become an institutional blind spot, both undervalued and underfunded.
  • Colleges and universities are, by nature, quite fragmented. Every department within the organization has its own objectives and priorities. Without top-down guidance (see above), implementation of cyber security systems is often piecemeal, which leaves the organization as a whole in a more vulnerable position.

Turning to a proactive cyber security approach

Data breaches and cyber attacks have the potential to cause serious harm to higher education institutions. Attacks can tarnish institutional reputations, result in financial losses (the average higher ed breach costs $200 per record), and disrupt both learning and operations.

Over the coming years we will certainly see a growing number of institutions fall victim to these types of attacks, but it shouldn’t take suffering a major breach for institutions to begin to take cyber security seriously. Cyber security is something institutions should be investing in early to prevent a potentially devastating attack from happening in the future.


Higher education institutions have been slower than other sectors to recognize and address the threat of cyber attacks and data breaches. These types of attacks are actually on the rise in higher ed and require institutions to adopt a proactive approach to cyber security, especially given the volume of data institutions collect and store, and the unique vulnerabilities of educational organizations.

