Cyber resilience in education: Why the sector is at a critical inflection point

Every learner — whether a primary school student, a university graduate or a working professional — expects one thing: uninterrupted, high-quality education. Today, that experience depends on secure digital platforms, AI-driven tools and connected learning environments.

However, this digital shift also heightens the sector’s exposure to cyberthreats. Cyberattacks on schools and universities are accelerating, placing education among the three most targeted industries. At the same time, institutions face tight budgets and a global shortage of cybersecurity talent, with millions of roles unfilled.

The cyberthreats facing educational institutions include:

• Ransomware attacks: Cybercriminals encrypt critical systems and demand payment to restore them. When such incidents occur, classroom technology fails, assessment systems go offline and communication tools become unavailable.
• Nation-state activity: The education sector ranks second among sectors targeted by nation-state actors.
• Phishing and quick response (QR) code exploits: QR code phishing has become a prominent tactic, enabling attackers to bypass traditional email filters and gain unauthorized access to sensitive data by pretending to be genuine information seekers.
• Vulnerabilities: The widespread use of legacy systems and expansion into elearning environments have significantly increased the sector’s attack surface.

Why education is uniquely exposed

Educational institutions operate in open campus cultures that prioritize collaboration and accessibility. Faculty and students expect broad access to resources and may resist security measures perceived as burdensome. At the same time, institutions face:

• Limited cybersecurity budgets and competing academic priorities
• Aging infrastructure, including Windows 7 systems and legacy academic software
• Increasing reliance on cloud platforms and shared devices
• Remote learning and bring-your-own-device environments that expand the attack surface

School systems host massive volumes of personally identifiable information, private health information and research data. This makes them highly attractive targets for cybercriminals.

• ALSO READ → From point-in-time to all the time: Why security testing needs to evolve

Structural complexity across education types

Primary, secondary and K-12 schools, tertiary institutions, government-affiliated institutes and international schools all operate with different definitions of cyber resilience maturity, depending on:

• The courses they offer
• The data and assets they protect
• The research they conduct
• Budget constraints and risk appetite

Higher education adds further complexity through research networks, federal funding requirements, international collaborations and valuable intellectual property.

The Mobile Guardian incident: A local wake-up call

In August 2024, the device management application Mobile Guardian suffered a global cyberattack, resulting in approximately 13,000 students’ personal learning devices in Singapore being remotely wiped. Of the affected devices, fewer than 5% were unable to recover their data because it had not been backed up.

This incident occurred despite the original equipment manufacturer having had the required certifications and government clearance. It demonstrates that even when basic hygiene appears to be in place, threat actors can still exploit trust assumptions. This is precisely what zero trust security emphasizes — never trust, always verify.

• ALSO READ → In Singapore and beyond, AI is supercharging educational technology

A layered approach: From foundational controls to advanced cyber resilience

NTT DATA recommends that educational institutions first focus on foundational security controls and then progressively adopt advanced capabilities. While definitions of these controls may vary, the objective remains the same: To protect the most common entry points where attacks occur.

Here are some of the most basic — yet highly effective — controls and actions institutions should take:

• Email security: Since a high proportion of cyberattacks originate via email, a strong email security solution is critical. This should go beyond monitoring traffic based on standard protocols, and instead analyze behavioral patterns to detect phishing, ransomware and other malicious activity.
• Human awareness: The human element is the strongest defender in an educational institution, but it can also be the weakest link. An aware individual will quickly identify suspicious activity and alert the cybersecurity incident response team, helping to contain damage early. A less vigilant individual may unintentionally click on a malicious link, enabling malware entry and subsequent impact. Regular cyberawareness training for faculty, students and affiliated vendors is therefore a foundational requirement.
• Third-party security assessments: Regular assessments using frameworks such as MITRE ATT&CK® are necessary to validate that controls are appropriately implemented for the institution’s exposure and to continuously fine-tune them as threats evolve.
• Vulnerability assessment and penetration testing: Ongoing vulnerability assessments and penetration testing are equally important for identifying weaknesses, misconfigurations and areas of exposure before they can be exploited.

Why “cyber resilience” matters more than prevention

Cyber resilience in education is no longer about preventing every attack; it’s about ensuring continuity of learning, rapid recovery and institutional trust when controls fail. It’s also about testing existing controls, knowledge and the behavior of people, and helping them continuously improve.

NTT DATA brings extensive global expertise in cybersecurity and digital transformation, protecting organizations across critical sectors, including education. In Singapore, we pair this worldwide experience with a deep understanding of local regulations and the operational realities of educational institutions.

We partner with leading organizations globally and locally to design, implement, operate and modernize next-generation cybersecurity frameworks. Our experience covers advanced threat protection, including defenses against nation-state–level attacks, beyond traditional institutional threats.

• ALSO READ → Future-ready higher education: A strategic guide to digital transformation in Singapore’s universities