Facing the threat of cyber security breaches
Universities and colleges are not immune from deception by unscrupulous bad actors. The extent to which educational institutions can manage and control risk not only depends on financial management and internal controls, but also the robustness of security and processes which can be exploited from outside the organisation.
Universities and colleges are not immune from deception by unscrupulous bad actors. The extent to which educational institutions can manage and control risk not only depends on financial management and internal controls, but also the robustness of security and processes which can be exploited from outside the organisation.
Internal fraud can be demoralising. Staff exploiting weaknesses in internal processes to set up false suppliers, abuse the company credit card or claim additional expenses appear minor, but all amount to fraud and could have serious repercussions for the individuals concerned.
A recent decision in the Supreme Court in R v Andrews [2022] UKSC 24 has highlighted that anyone falsely claiming qualifications on their CV can be stripped of the profits of their deception. The Supreme Court permitted a Proceeds of Crime Act 2002 (POCA) confiscation order on the basis of the pre-appointment earnings. Ensuring that validation in recruitment processes is properly and diligently carried out would avoid the worst excesses of CV fraud, but would also deter appointments of people who may see education as a soft target.
But what of the external actors who target education and charities, who rely on volunteers, community support, co-operation and public goodwill to operate effectively and generate additional income? The sophistication and variety of modes of the attack has certainly evolved over the past two years, as has the frequency of experience and level of disruption caused.
“92% of HEIs identified a breach”
The Department for Digital Culture Media and Sport has surveyed the education sector as part of its aim to inform government policy on cyber security in its annual Cyber Security Breaches Survey 2022 . The results show 92% of higher education institutions identified a breach, while the education sector as a whole, experienced some of the highest levels of the most dominant form of attack in phishing emails, outstripping even the business sector.
But one concern is the survey identified that most education establishments experienced some form of attack or breach on a weekly basis. Spoof emails or impersonation attacks, and attempts at gaining unauthorised access through malware, were also a common occurrence.
The high levels of reporting could point to increased security, senior management engagement and staff vigilance underlining their preparedness to invest in approaches to prevent attacks – such as security monitoring or penetration testing, as well as maintaining risk assessment and disaster plans to trigger appropriate responses.
In reality, where these attacks were effective, a significant proportion of the institutions experienced a negative outcome, with loss of data for illicit purposes or financial losses or accounts systems being compromised. As a consequence, they reported significant disruption with increased manpower and staff time to deal with the reporting and stakeholder engagement, post event.
Kudos to the education sector
One key feature of the report is the kudos given to the education sector as a result of its cyber security planning and policies, the level of knowledge of directors and trustees and how they dealt with breaches – including external reporting (with stakeholders, insurers, regulators) and implementation of additional controls (passwords and two factor authentication). In fact, it was regarded as the equivalent of large businesses, who are considered to be the most well-equipped to deal with these issues.
It is perhaps testament to the education sector’s reported high levels of compliance with the 10 Steps to Cyber Security and its proactivity in seeking guidance and enhanced security that has led to its overall rating which, in some instances, outperforms businesses. Despite the concerning levels of attacks which target educational institutions, these efforts go a long way to block potential disruption. Regrettably, in the digital and online times in which we live, it does not eradicate the risk, but it mitigates the harm and allows educators to focus on what they do best, which is heartening news.
Contact
Paul Wainwright
Partner
paul.wainwright@brownejacobson.com
+44 (0)121 237 4577
Related expertise
You may be interested in...
Podcast - #EdInfluence
#EdInfluence podcast (series 4): In conversation with inspiring leaders
Legal Update - Be Connected (schools)
Be Connected: Schools and academy trusts July 2025
Legal Update
Consultation on the new School Support Staff Negotiating Body
Guide
KCSiE 2025 guidance: What schools need to know
Legal Update
Unveiling the hidden pitfalls in IT contracts
Press Release
Browne Jacobson’s School Leaders Survey shows exclusions and suspensions at an all-time high
Legal Update - Employment Rights Bill
The Employment Rights Bill: Is it here yet?
Legal Update - School leaders survey
Survey shows growing dissatisfaction with government policy amidst financial uncertainty
Online Event
AI at the coalface: Navigating the practicalities in education
Legal Update
Academy Trust Handbook 2025: Managing public money
Opinion
Updates to academy trust governance: A missed opportunity?
Legal Update
Executive pay and the Academy Trust Handbook: Clarity, challenge and good governance
Legal Update
New DfE AI guidance: A welcome start, but needs further development
On-Demand
School exclusions: A review of the latest developments and looking to the year ahead
Legal Update
Medr reform: What you need to know
Opinion
Pride Month: A time to review DEI
Guide
Legal project management: A cornerstone in operational delivery of inquiries
Opinion
Employer redundancy guide: Sourcing alternative employment
Press Release - Firm news
Browne Jacobson delivers record-breaking growth as strategic vision drives exceptional performance
Legal Update
What might the public inquiry on child sexual exploitation look like
Legal Update
DEI in school governance: Key themes and insights
Opinion
Spending Review: Setting the stage for UK investment
Guide
The socio-economic duty: Shifting mindsets for true social mobility
Press Release
Spending Review 2025: Browne Jacobson lawyers respond to Chancellor’s announcement
Legal Update
Charity law update, June 2025
Press Release
Browne Jacobson’s School Leaders Survey illustrates concerns over financial resilience ahead of spending review
Legal Update
ESG and sustainability report: Rethinking communication and credibility
Press Release
Majority of UK organisations remain committed to sustainability and ESG, says new research
Opinion
Addressing the gender pay gap in school trusts
Legal Update
The OfS agrees a settlement with Leeds Trinity University
Legal Update
Consultation on proposed changes to Estyn inspection regime in Wales
Press Release
Browne Jacobson’s latest School Leaders Survey to focus on schools exclusions and early years funding
Press Release
UK-EU reset deal: Comments from Browne Jacobson experts
Opinion
Disciplinary procedures and mental health: Employer considerations
Legal Update
Supporting mental wellbeing in the workplace: Practical steps for businesses
Legal Update - Be Connected (higher education)
Be Connected, higher education: Spring 2025
Published Article
Learning from Europe: Funding models for UK schools infrastructure
Legal Update - Be Connected (schools)
Be Connected: Schools and academy trusts, May 2025
Legal Update
New novel, contentious and repercussive transactions guidance
