Australia’s schools are increasingly in the firing line of cyber criminals — and the worrying part is how little effort it’s taking to breach them. In many cases, attackers are slipping in through weak passwords, forgotten legacy accounts and inconsistent security settings across sprawling staff and student networks.
For schools, the scale of this problem is hard to ignore. According to the Australian Cyber Security Centre’s latest annual threat report, the education and training sector accounted for 5% of all cyber incidents reported nationally in 2024–25, with phishing still the dominant tactic, featuring in around 60% of cases.
Meanwhile, the Office of the Australian Information Commissioner recorded more than 500 notifiable data breaches in the first half of 2025 alone, with malicious or criminal attacks driving the majority. For school leaders already stretched thin, the message is clear: cyber hygiene is fundamental.
One company helping leaders address this issue is Yubico, a global cybersecurity company best known for inventing the YubiKey — a simple, hardware-based authentication device that makes accounts far more secure by blocking phishing and credential theft with strong, phishing-resistant login protection.
The Educator recently sat down with Geoff Schomburgk, Vice President, Australia & New Zealand, at authentication and security key specialist at Yubico, to discuss the company’s expansion into more than 100 Australian schools, why education remains a prime cyber target, and how phishing-resistant passkeys can strengthen security without adding friction for staff or students.
TE: Can you tell our readers about the genesis of Yubico’s involvement with K-12 schools and roughly how many schools Yubico is now working with?
Yubico’s involvement with K–12 schools began with a simple belief: protecting students and educators online should not rely on having complex passwords. Schools were struggling with password resets, shared credentials and increasing phishing attacks. We saw an opportunity to make secure logins both stronger and easier through passwordless authentication. Just as importantly, we recognised the value of embedding good cyber hygiene habits early in life among schoolchildren.
After three years of participating in EduTech in Melbourne, the demand has been crystal clear. Today, more than 100 government and independent schools across Australia are at various stages of deploying YubiKeys for staff and students.
TE: Why does education remain a soft target for attackers?
Schools are rich in highly sensitive data. They hold student identities, academic records, behavioural and medical information and often parent contact information and financial details. That makes them extremely attractive to cybercriminals. At the same time, many education environments still rely heavily on usernames and passwords, creating a predictable entry point for attackers.
According to the Australian Cyber Security Centre (ACSC) Threat Report, education consistently ranks among the top ten targeted sectors, with incident rates rising significantly in recent years by as much as 17% since 2023. Limited IT resources and distributed campuses can further increase exposure, making schools a comparatively soft and valuable target.
TE: What are the real cyber hygiene gaps being exploited in schools today?
The most significant gap remains the reliance on passwords. Industry data shows that around 80 per cent of breaches stem from compromised credentials. Phishing is now the dominant attack vector, and artificial intelligence (AI) has dramatically increased both the volume and realism of phishing campaigns. Attackers no longer need to break in; they simply log in by tricking users into handing over their login details. Once credentials are captured, systems are accessed legitimately.
The ACSC’s Essential Eight highlights phishing-resistant multi-factor authentication (MFA) as a key mitigation. Moving to passkeys and hardware-backed authentication closes the gap in credential theft and significantly reduces the risk of account compromise.
TE: Why are traditional MFA and password policies no longer sufficient?
Legacy MFA methods such as SMS codes, one-time passwords and even some authenticator apps can still be phished. As AI-driven phishing becomes more sophisticated, these controls are increasingly bypassed. Strong password policies alone do not solve the underlying vulnerability if credentials can be socially engineered.
There is also a practical challenge in schools where mobile phones may be restricted in classrooms, limiting reliance on app-based authentication. Phishing-resistant MFA, such as FIDO-based passkeys stored on a hardware security key, prevents credential re-use entirely because authentication cannot be intercepted or reused by attackers.
TE: What practical, low-friction controls should education providers prioritise now?
The Essential Eight provides a clear and practical roadmap for schools. Among those controls, deploying phishing-resistant MFA delivers one of the fastest and most impactful security gains. Hardware-backed passkeys, such as YubiKeys, align with the highest maturity level of the Essential Eight and remove the risk of credential theft. They are simple to deploy across common education platforms and require minimal behavioural change once implemented.
Beyond strengthening the security posture, this approach can also support cyber insurance requirements and reduce the operational burden of password resets. It is a control that delivers immediate risk reduction without adding complexity.
TE: How can Principals balance security uplift with usability for staff and students?
Security and usability no longer need to compete. Passkeys developed through the FIDO Alliance deliver strong protection with a seamless user experience. A simple tap of a security key replaces complex passwords and one-time codes.
Most schools operate on Microsoft and Google platforms, which already support passkeys. Logins become faster and more consistent, while phishing risks are dramatically reduced. By adopting phishing-resistant authentication, such as YubiKeys, school leaders can strengthen security posture without adding friction, reduce the risk of data breaches and simplify access for staff and students.