With cybercriminals evolving their tactics and harnessing AI to scale attacks, prevention alone won’t cut it, a new report cautions.
The fifth annual Sophos State of Ransomware in Education report, which studied 441 IT and cybersecurity leaders worldwide, found more than two-thirds (66%) of respondents lack human expertise (skills or capacity) to detect and stop an attack in time.
However, the education sector is getting better at reacting and responding to ransomware, citing improved recovery times. A surprising 97% of victims recovered encrypted data, causing ransom payments to fall sharply.
However, as schools strengthen their cybersecurity, cybercriminals are evolving their approach to find new workarounds, the report cautions.
Better safe than sorry
Aaron Bugal, Field CISO APJ at Sophos, said the report shows ransomware has become one of the sector’s biggest threats, making robust cybersecurity education and tools more critical than ever.
“Given the increasing volume and complexity of cyberthreats, schools need to consider investing in detection and response cybersecurity services to ensure they are protected 24/7, especially as 66 per cent cited they lacked expertise or employee capacity to stop attacks,” Bugal told The Educator.
“By engaging professionals to manage your cybersecurity, schools can receive around-the-clock protection, allowing educators to focus on what they do best – educate.”
Coupled with the right security tools, schools should provide exercises and training for everyone, from staff to students, on cyber awareness and proper hygiene, says Bugal.
“This is especially crucial for students, who often use school devices for personal internet browsing and use, expanding the potential attack surface for institutions.”
‘AI is a double-edged sword’
With the rise of AI tools in educational settings, Bugal said this presents a “double-edged sword”, as both defenders and attackers can use it to increase productivity.
“On one hand, schools, the defenders, can use it to effectively speed up their response to threats. While on the other hand, attackers, the cybercriminals, are harnessing it to scale their phishing operations dramatically,” he said.
“This creates seemingly credible yet fraudulent websites and other scam-based campaigns in seconds. AI is also being harnessed to automate vulnerability scanning of organisation’s systems.”
When asked what practical steps school leaders can consider to protect students, staff, and research data, Bugal highlighted the importance of a methodical approach.
“Start with a plan. K–12 leaders must be prepared to deal with a ransomware attack,” he said. “This includes developing a solid, realistic incident response plan that’s regularly reviewed and stress-tested. When a breach happens [and chances are, it will], schools need to respond quickly to contain damage and protect student, staff, and research data.
For those not sure where to begin, Bugal said it helps to “get another set of eyes on it”.
“Security advisory services can help uncover areas of immediate need – whether it’s understanding your external attack surface, running internal penetration tests or adversary emulation, or tightening up policy around incident response,” he said.
“This kind of insight focuses your efforts, cuts waste, and ensures your cyber spend actually makes a difference.”
‘Disruption isn’t just inconvenient, it can be devastating’
Bugal said schools must ensure they get their cybersecurity right by keeping all systems, especially endpoints and servers, up to date and defended with effective anti-ransomware tools.
“But don’t rely on prevention alone,” he cautioned. “Assume someone will get in, and have 24/7 detection and response in place to catch and contain threats – even after the last bell rings.”
In an era where cyberattacks are becoming increasingly sophisticated, it’s prudent for schools to take a “prepare for the worst” approach.
“Protect backups, isolate critical data, and have a tested recovery process ready to go. K–12 environments hold sensitive personal and research information – disruption isn’t just inconvenient, it can be devastating,” he said.
“These practical steps shift schools from being easy targets to resilient institutions – not by chance, but by design.”