
Why are schools and universities such an attractive target for cybercriminals?

Cyber-attacks against schools continue to be a concern across the Eastern region.

The reasons for this are fairly simple:

  • Schools possess large quantities of high-value and sensitive data that they may have to pay to get back

  • School networks and processes offer a lot of vulnerabilities, through either underinvestment or weaknesses in their underlying processes. In many cases these vulnerabilities are caused by the necessity of having so many people and devices attached to the network


A number of education ransomware alerts have been published by the National Cyber Security Centre throughout 2020 and 2021, and more are expected over the coming year. Thousands of schools have been attacked over the past few years, and many of these attacks have resulted in long-term problems for the organisations affected, including the staff, students and parents.

Whilst the rise in attacks was blamed partly on the pandemic and a rise in remote learning, the risk to schools will persist until they are provided with the tools to fight back. And these attacks are happening right now in our region.

In the summer of 2021 a ransomware attack against schools in Kent actually caused several of them to close for several days whilst the data breach was resolved.

Are there any free tools that schools can use to protect themselves from these attacks?


It is fully understood that schools are both vulnerable to attack and have limited budgets with which to strengthen their resilience. The good news is that there are loads of free tools and guides specifically aimed at the education sector.

  1. Look at the free tools and guidance available on the ECRC site: Education & Resources at the Eastern Cyber Resilience Centre. All of the below are free and fully supported by the National Cyber Security Centre as well as the ECRC.

  2. Mail Check helps organisations assess their email security compliance and adopt secure email standards which prevent criminals from spoofing your email domains. Now freely available for schools as well as universities and colleges.

  3. Web Check helps you find and fix common security vulnerabilities in the websites that you manage. Another tool that has recently become freely available for schools.

  4. Cyber Security Training for School Staff. The NCSC has produced free cyber security training to raise awareness and help school staff manage some of the key cyber threats facing schools.

  5. Cyber Security in Schools: questions for Governors & Trustees. Questions for the governing body and trustees to ask school leaders, to help improve a school's understanding of its cyber security risks.

  6. Early Years practitioners: using cyber security to protect your settings. How to protect sensitive information about your setting and the children in your care from accidental damage and online criminals.

What next?

The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of data and permanent loss of reputation. But all is not lost.

So, what can I do?

Here at the centre, we would advise you to do three things now:

  1. Join our free core membership. You will be supported through implementing the changes you need to make to protect your organisation, staff and students.

  2. For all schools across the Eastern region we would recommend that you look at improving your overall cyber resilience by working to Cyber Essentials standards – the basic government-backed kite mark standard for cyber security. An organisation operating under Cyber Essentials processes is 99% protected either fully or partially from today’s common cyber-attacks. Join the centre as a free member and we will take you as far as the CE accreditation process. And if you want to pay for the assessment, we can refer you to one of our Trusted Partners – all regionally based cyber security companies that can help you become accredited.

  3. We would also recommend that you speak to your Managed Service Provider and / or website company to discuss how they can implement cyber resilience measures on your behalf.

Whatever you decide to do, doing nothing is no longer an option.

Here at the ECRC we are already working closely with dozens of schools and academic institutions across the seven counties to help them tackle the continually changing cyber threats that they face. So come and join our community as free members and let us help you protect your organisations from the ever-present threats out there in the cyberverse.

Reporting a live cyber-attack 24/7

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.

Reporting a cyber-attack which isn't ongoing

Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).

