The education sector is at a crossroads, constantly having to stay abreast of the latest technology developments to manage children’s education in an ever-digital world. But with this comes a struggle to balance rapid technological advancement with the ever-present threat of cyberattacks, writes Nicola Pearce, Head of Education, BenQ.
As schools and universities become more dependent on digital tools for everything from administrative tasks to classroom instruction and teacher assistance, the need for robust cybersecurity measures has never been more urgent. To help support teachers’ workloads, increased use of educational technology (ed-tech) in the classroom is necessary, but then it is the educational institution’s responsibility to ensure each device within a school is security compliant.
Yet, recent developments such as the UK’s Product Security and Telecommunications Infrastructure (PSTI) regulations highlight a critical oversight. While these regulations impose stringent cybersecurity standards on consumer products, they conspicuously sideline the rapidly expanding realm of ed-tech and business technologies. This omission raises pressing questions about the priorities in safeguarding our most vulnerable institutions—leaving schools and universities in a precarious race against time to fortify their defences before it is too late.
With classrooms increasingly integrating smart devices, online learning tools, and cloud-based systems, the attack surface for cyber threats has expanded exponentially. Educational institutions, which often lack the robust cybersecurity infrastructure of larger corporations, are prime targets for cybercriminals seeking to exploit vulnerabilities.
Yet, the current regulatory framework seems to overlook the unique risks faced by the education sector, failing to enforce the same stringent protections required for consumer products. This gap in legislation not only leaves sensitive student data and intellectual property at risk but also undermines the trust placed in educational technology as a whole. As the digital landscape evolves, it is crucial to address these shortcomings and ensure that the tools shaping the future of education are as secure as those in any other sector.
Escalating cyber risks in the classroom
As schools continue to embrace new digital technologies and learning tools, the increase in technology has led to an increased threat of cyberattacks. This threat has escalated significantly, impacting businesses and education institutions across the world. From the threat of ransomware attacks to exposing sensitive student information, the education sector is increasingly becoming a prime target for cybercriminals.
As reported by the BBC, in 2021, the Harris Federation, a group of 50 primary and secondary academies in London unfortunately fell victim to a ransomware attack, that temporarily disabled emails and saw data on systems being encrypted and hidden by attackers. This ransomware attack was the fourth academy trust to be targeted, with another six schools affected in the Scholars Education Trust data breach in 2022.
Recent data from the Cyber Security Breaches Survey 2024 has found that over 71 per cent of secondary schools, and 52 per cent of primary schools, identified a data breach or cyber-attack in the past year. Alarmingly, a staggering 97 per cent of higher education institutions experienced a breach or attack, with six in ten organisations that have been negatively impacted by a breach. These examples and alarming statistics underscore the real and growing danger that schools face as they integrate more technology into their classroom.
The responsibility to protect students and ensure that all educational technology is secure and safe falls on both teachers and IT managers. Teachers, who are often the first line of defence, need to be vigilant in ensuring that devices are used safely and that students are aware of basic cybersecurity practices.
Meanwhile, IT managers must prioritise the implementation of strong security measures, such as regular software updates, secure network configurations, and comprehensive training programs for staff. In addition to this, IT managers can look to deploy ed-tech devices such as interactive displays and projectors with built-in security measures as an added layer of protection for both teachers and students.
By working together, educators and IT professionals can create a safer digital environment, mitigating risks and ensuring that technology enhances learning without compromising the security of the classroom.
Bridging the regulatory gap
The latest PSTI regulations mark a positive step toward enhancing cybersecurity for consumer products in the UK. However, the exclusion of ed-tech from this regulation raises significant concerns. Schools house sensitive data on children and staff, making them prime targets for cyberattacks, yet these institutions are left outside the scope of PSTI’s security measures. This regulatory gap highlights an unsettling discrepancy between consumer and ed-tech devices, when vulnerable children can use both.
Addressing this disparity is crucial, as educational environments increasingly rely on digital technologies that are as integral as consumer products. By overlooking ed-tech, the current legislation fails to account for the specific risks in education, where breaches can lead to severe consequences and disruptions in learning.
As a result, the PSTI regulation should be expanded to include educational technology, recognising that ed-tech products carry risks similar to consumer devices. Therefore, a comprehensive approach is necessary and would involve mandating stronger security standards for any technology used in schools, including data encryption, regular security updates, and strict access controls.
These new regulations set a strong precedent for cybersecurity, but until they are expanded to include ed-tech, schools remain exposed by potentially installing interactive displays or other technologies that may not comply with PSTI, undermining the broader goal of safeguarding all digital environments, especially those involving children.
Developing cybersecurity standards within education is essential to protect both students and the educational infrastructure. While the PSTI regulations set important benchmarks, similar protections must be enforced across all ed-tech platforms and internet enabled devices used by children, such as interactive displays, to ensure the safety of student data and educational integrity.
Schools should implement mandatory cybersecurity protocols, including regular system audits and updates, strong password policies, and data encryption to maintain both teachers’ and students’ safety when using devices in the classroom. IT managers should ensure that any new technology being installed into schools complies with PSTI and has sophisticated security features built in to prevent any security vulnerabilities.
Edtech that chooses to go the extra step and become PSTI certified, although not mandated by the government, will give IT managers peace of mind that they have taken the extra steps to ensure a secure classroom environment. Additionally, the inclusion of cybersecurity training for educators and administrators is vital, equipping them with the knowledge to recognise and respond to potential threats posed to the school’s IT ecosystem.
Alongside this, integrating cybersecurity awareness into the curriculum is key to fostering a digitally responsible generation. Teachers can incorporate lessons on online safety, data privacy, and recognising cyber threats into everyday classroom activities. This not only helps students understand the importance of protecting their personal information but also empowers them to be proactive in securing their digital presence.
Fortifying cybersecurity in education is not just a necessity but a responsibility, so by embedding cybersecurity education at all levels, schools can create a culture of awareness that extends beyond the classroom, preparing students for a world where digital literacy and security are increasingly interconnected.
See also the BenQ blog.
