
Why cybersecurity in higher education needs Zero Trust


Cyberattacks on education are increasing

The 2026 cyberattack on Canvas, an educational platform operated by Instructure, highlighted a worrying trend. Education is increasingly becoming one of the most targeted industries for cyberattacks.  

Higher education institutions tend to have large attack surfaces, open networks, and resource constraints, all of which make cyber defense a tall order.

A single breach can cause major harm to a university’s reputation; highly personal data can be exposed, leading to broken student and alumni trust and future funding issues.  

With so much to lose, relying on traditional perimeter-based security models or bespoke approaches is not enough. A Zero Trust deny-by-default security framework is what’s needed to protect higher education.  

Why higher education is a prime target for cyberattacks

Universities face a number of security challenges and hold a large amount of sensitive information, making them a prime target for cyberattacks.  

Some of the challenges facing higher education institutions are:

Open networks and decentralized environments

Universities are spread across multiple campuses, departments, and systems and support thousands of users.  

Students and staff connect personal devices to campus networks. Many of them may use specific software for their work. Contractors, vendors, and partners also require occasional access.  

For IT teams, visibility and control of the environment are difficult to maintain.

Staffing and resource limitations

A problem across all levels of education is IT staffing. Many schools and universities have smaller IT teams who are expected to manage aging infrastructure and growing security concerns.  

Many institutions also lack consistent security policies across all departments and systems.  

Consequences are growing

The potential damage threat actors can inflict on a college or university only increases the threat level.  

Cybersecurity risk management is a board-level concern because of the financial, operational, and reputational damage a single cyber incident can cause.  

A breach can break student trust, harm research integrity, damage financial stability, and affect funding eligibility.

Biggest cyber risks facing education

One of the fastest-growing threats in the education industry is "ghost" students.

Cybercriminals use AI-assisted or automated techniques to create fake identities, enroll, and apply for financial aid.  

They remain enrolled long enough to receive aid disbursements and obtain legitimate .edu credentials before disappearing.  

Detection usually doesn’t happen until after the “student” has disappeared and the money has been lost.

Identity management is another weakness because universities often maintain years of legacy permissions, reused access templates, and over-privileged accounts. A breach of the University of Pennsylvania in 2025 showed that a single compromised account can quickly become a high-value entry point for attackers and increase the threat of ransomware or malware.  

Bring-your-own-device (BYOD) policies also affect security, because managing environments with thousands of personal devices makes securing networks a tall order.

Personal endpoints introduce risks of unapproved applications, malware, unauthorized software execution, and limited visibility.  

How AI is expanding the attack surface for universities

AI has impacted every industry in positive and negative ways.  

In education, many universities have adopted generative AI tools and AI automation in administrative workflows and to provide 24/7 support. But these same AI tools typically have access to data repositories, cloud applications, and administrative systems.

If these tools have excessive permissions, they create the same risks as identity sprawl.

Universities aren't the only ones using AI to their advantage.

AI has reshaped cybercrime and made it easier for less-skilled threat actors to deploy widespread campaigns that are faster and much harder to detect. AI adoption by legitimate and malicious actors has expanded the attack surface and made Zero Trust principles increasingly important.

Traditional defenses don’t work for modern cyber threats

Traditional security models were largely built around trust. But with the rise in credential theft, malicious activity is frequently missed because it is coming from a “trusted” user.  

Furthermore, attackers have numerous techniques to bypass multi-factor authentication (MFA) and other authentication protections.  

Instead of implicit trust, universities need a security model that assumes compromise and focuses on prevention and damage limitation.  

What Zero Trust means for cybersecurity in higher education

Zero Trust is built on two principles: deny by default and verify continuously. Instead of implicitly trusting users or devices inside the network, Zero Trust continuously validates actions and access and restricts activity to only what is necessary.

This is achieved with:

Least privilege access

Users and systems are only provided with the minimum level of access required to perform their roles and nothing more. This way, compromised accounts are less valuable because attackers do not have permission to move freely across environments.  

In higher education, networks that contain the most sensitive information, such as the registrar and administration, need tightly controlled access and should be separate from networks used by students and staff.  

In the previously mentioned Penn breach, the attackers initially gained access through an employee’s account, which allowed them access to the school’s VPN, Salesforce data, SharePoint files, and more.  

Application control and allowlisting

One of the most effective Zero Trust strategies is to block any unknown application or script from executing. This significantly reduces the risk of malware, ransomware, and unapproved software installations, which is especially important in decentralized environments.

In a higher education environment where researchers and professors need to be able to use various tools and download large data sets, it is crucial to find an application control tool that simplifies approving new software without increasing risk.  

Application containment

Even approved applications need restrictions. This way, even if an attacker gains access to a device or account, they won’t be able to abuse your trusted applications. Containment and access controls help reduce the blast radius and prevent an account compromise from becoming a widespread breach.
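To make the allowlisting and containment steps above concrete, here is an added example (not ThreatLocker's code or configuration) of a deny-by-default policy evaluator: execution is refused unless the binary's hash is catalogued, and even a catalogued program is fenced so it can only launch the child programs and open the network connections its policy permits. The hashes, program names, policy entries and event log are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ringfence:
    """What an allowlisted program may do once it is running."""
    children: frozenset   # programs it may launch ("*" = any allowlisted program)
    internet: bool        # whether it may open outbound connections

# Allowlist keyed by executable hash (constructed sample values).
ALLOWLIST = {
    "sha256:0000": "explorer.exe",
    "sha256:a1b2": "winword.exe",
    "sha256:c3d4": "python.exe",
    "sha256:e5f6": "powershell.exe",
}

# Ringfence policy per allowlisted program (constructed, hypothetical policy).
RINGFENCE = {
    "explorer.exe":   Ringfence(children=frozenset({"*"}), internet=False),
    "winword.exe":    Ringfence(children=frozenset(), internet=False),
    "python.exe":     Ringfence(children=frozenset({"python.exe"}), internet=True),
    "powershell.exe": Ringfence(children=frozenset(), internet=False),
}

def evaluate(event):
    """Return 'ALLOW' or a 'DENY: <reason>' string for one endpoint event."""
    if event["type"] == "exec":
        program = ALLOWLIST.get(event["hash"])
        if program is None:                       # allowlisting: unknown binary
            return f"DENY: unknown binary {event['hash']} ({event['name']})"
        fence = RINGFENCE.get(event["parent"])    # ringfencing: parent may launch it?
        if fence is None:
            return f"DENY: parent {event['parent']} is not allowlisted"
        if "*" not in fence.children and program not in fence.children:
            return f"DENY: {event['parent']} may not launch {program}"
        return "ALLOW"
    if event["type"] == "connect":
        fence = RINGFENCE.get(event["name"])
        if fence is None or not fence.internet:
            return f"DENY: {event['name']} may not reach {event['dest']}"
        return "ALLOW"
    return f"DENY: unhandled event type {event['type']}"  # deny by default

# Constructed sample telemetry: a document editor trying to spawn a shell, an
# uncatalogued updater, and two outbound connections.
EVENTS = [
    {"type": "exec", "name": "winword.exe", "hash": "sha256:a1b2", "parent": "explorer.exe"},
    {"type": "exec", "name": "powershell.exe", "hash": "sha256:e5f6", "parent": "winword.exe"},
    {"type": "exec", "name": "updater.exe", "hash": "sha256:9999", "parent": "explorer.exe"},
    {"type": "connect", "name": "winword.exe", "dest": "203.0.113.5:443"},
    {"type": "connect", "name": "python.exe", "dest": "203.0.113.5:443"},
]

def evaluate_all(events=EVENTS):
    return [evaluate(e) for e in events]
```

Note that the second event is denied even though `powershell.exe` itself is allowlisted: containment, not just allowlisting, is what stops a trusted application from being abused.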

Continuous verification

In a Zero Trust environment, you are continuously verifying users, devices, applications, and behaviors to ensure access and actions are legitimate.

How to begin adopting Zero Trust

Implementing Zero Trust should not be complex.  

The first and most important step is to recognize that Zero Trust is meant to increase control over your environment, simplify daily work, reduce alert fatigue for the IT team, and strengthen resilience.  

Practical first steps include:

  • Identify all applications and processes running. Determine which are vital and restrict the rest.
  • Identify over-privileged accounts and apply least privilege policies.
  • Segment critical systems and research environments.
  • Treat AI agents as managed identities.
  • Reduce unnecessary administrative rights.

The goal is not to restrict workflows or eliminate openness from your environment. It is to eliminate unnecessary trust.

How ThreatLocker simplifies Zero Trust for higher education

ThreatLocker simplifies Zero Trust adoption with practical controls that don’t require a system overhaul.

Allowlisting

The ThreatLocker agent automatically catalogs all your apps and dependencies, and with 13,000+ pre-built apps recognized, the process is quick and seamless. When new apps are needed, users can request approval via popup, and it can be reviewed and handled in minutes by your internal team or the ThreatLocker Cyber Hero Team.

Ringfencing

You decide what actions your applications need to take, what programs they can interact with, and whether they can connect to the internet. All other actions are blocked, so even if compromised, your applications behave exactly how you want.  

Zero Trust Endpoint Firewall

Gain complete visibility into all inbound and outbound connections, and control access by port, source IP, device identity, and more. Secure remote connections and prevent rogue devices from accessing your internal systems.

EDR Real-Time Threat Detection

Detect abnormal activity and instantly isolate compromised endpoints before attackers can pivot. Enforce predefined policies to catch suspicious activity the moment it occurs, so your SOC team has time to investigate and respond.

Zero Trust helps schools stay open, not exposed

Cybercriminals are actively exploiting identity abuse, unmanaged devices, unpatched software, and decentralized environments, and traditional security models relying on detection and perimeter-based controls are struggling to keep up.  

That’s why Zero Trust adoption is increasing, and more compliance frameworks and governments are recommending Zero Trust.  

Zero Trust gives organizations control over their environments by focusing on containment and prevention first.  

In higher education, the question is no longer whether compromise is possible, but when it will happen and how effectively institutions can limit the impact.

To see how Zero Trust works in your environment, book a ThreatLocker demo today.  
