According to Microsoft’s Cyber Signals report from 2024, education is the third most targeted sector for cybercrime. But why are schools so tempting for cybercriminals?
Paul Carnemolla, Strategy Development Leader at Digipro IT, says, ‘Traditionally, we think about organisations like banks holding sensitive information, or intelligence organisations like ASIO. We don’t necessarily think of schools.
But the data schools hold – identity details, medical information, data relating to child protection – is very sensitive for the individual. And cyber hackers know that. That’s why they’re targeting schools and holding data to ransom if they’re able to exfiltrate it.’
So what are the security gaps that put student data at risk? In this post, we’ll highlight six critical student data security risks we see in K–12 schools, and what happens when those gaps remain open.
Critical data security risks in schools
1. No defined cybersecurity structure
Too often, schools approach cybersecurity in pieces. One department locks down its system, another brings in a new app without vetting, while IT tries to patch together policies on the fly. Without a framework, these actions don’t add up to protection. They just create uneven defences.
‘The Australian government continues to strengthen legislative requirements with recent enforcement action undertaken by ASIC (Australian Securities & Investment Commission) for inadequate cybersecurity measures,’ says Paul Carnemolla. ‘The Australian Signals Directorate specifically calls out schools as being targets with data as sensitive or even more sensitive than other organisations, while often without governance controls that they need in place.’
So, what’s the solution?
‘We advocate that all schools implement a cybersecurity framework of some sort.’
Without a defined structure, schools are always reacting, never getting ahead of data security threats.
2. Lack of cybersecurity staff protecting student data
Most school IT teams are small and generalist by necessity. They manage classroom devices, networks, support tickets, and software rollouts all at once. But student data security is a highly specialised discipline: it evolves constantly and requires dedicated focus to keep up with.
This doesn’t mean that school IT teams aren’t capable. It means they need backup. Strengthening data security often requires additional support in the form of specialised training, dedicated cybersecurity staff, or trusted external partners who can sharpen your school’s focus on safeguarding sensitive information.
3. A huge variety of devices and software to control
A modern school environment is an expansive web of devices and applications. Students and staff use school laptops and tablets (or may even log in from their own devices), classrooms rely on interactive screens, and administration runs on specialised systems. Add cloud platforms, and you have a vast ecosystem to protect.
Every one of these devices and systems is a doorway for a hacker to come through and exfiltrate sensitive student data. Without centralised visibility and control, it’s difficult to enforce consistent security policies like patching, access management, and endpoint monitoring.
A single unpatched operating system, unmanaged personal device, or poorly configured cloud application represents a critical student data security gap. The sheer variety of hardware and software in use makes standardised security challenging. That’s exactly where attackers focus.
4. Unrealistic understanding of cyber risks and student data consequences
When people think of student records, they picture enrolment forms or grades. But the reality is far broader: medical histories, counselling notes, behavioural data, family circumstances, even payment details. It’s some of the most personal information an organisation can hold.
What happens if this sensitive data is compromised? Students and families may face identity theft or financial fraud, leaked addresses and custody arrangements can put children at risk, and schools themselves are subject to legal liability, regulatory penalties, and lasting reputation damage.
Underestimating the sensitivity of this data leads to risky decisions. If leadership assumes the information is ‘low stakes’, they may allow it to be stored in systems that aren’t secure enough or shared in ways that aren’t monitored. It’s like leaving the master key to every classroom on a hook by the front door. The assumption that ‘no one will take it’ ignores the real value of what’s inside.
5. A wide mix of users accessing student data
Schools are unique in how many different kinds of people access their systems: young children, teenagers, teachers, administrators, parents, contractors, and even occasional guests. Each has different levels of digital literacy, different habits, and represents different risks to student data security.
Without clear user management, students might have access to more than they need, parents might log in through insecure channels, and staff might reuse weak passwords. The diversity of users is one of a school’s greatest strengths, but also one of its biggest vulnerabilities.
6. Inadequate or inconsistent data security measures
A major risk to student data comes from relying on systems and apps that simply aren’t secure enough for the data they hold. Legacy apps, outdated platforms, or tools designed without privacy in mind can leave critical student data exposed.
Paul Carnemolla recalls an anecdote about an application used at a school to store sensitive information related to counselling: ‘The solution was on-premise, but it didn’t meet our security criteria. We immediately disconnected it from Internet access, stopped using it, and went back to pen and paper for counselling notes until we found an appropriately protected solution or alternative.’
Schools can’t afford to use systems that aren’t fit to manage student data. Continuing to rely on them creates unacceptable risk. Schools must be prepared to identify where systems fall short (engaging an external partner if needed) and take decisive steps towards stronger student data security.
What’s the first step towards student data security?
Closing these security gaps doesn’t require every school to become a cybersecurity powerhouse overnight. What’s needed is a cybersecurity framework that ensures decisions aren’t made in an ad hoc manner.
We recommend the NIST Cybersecurity Framework. Paul Carnemolla says, ‘The best balance we’ve found so far is the NIST CSF. It can be tailored to the school’s needs, and it’s sufficiently broad to cover all the aspects of schools’ operations.’
The NIST Cybersecurity Framework helps schools identify what data they hold, decide how it should be protected, detect issues early so that they can respond effectively, and recover when things go wrong. Unlike narrow technical checklists, it looks at people, processes, and partners, as well as technology. For schools with limited resources, that balance matters.
Close your school’s student data security gaps
Student data is too sensitive to be protected with patchwork fixes. These six risks – missing structures, lack of expertise, underestimated risk, device sprawl, user diversity, and inadequate safeguards – are cracks in the foundation. Left unaddressed, they’re exactly where attackers strike.
Digipro IT helps schools close data security gaps with tailored solutions designed specifically for education. Explore our cybersecurity services or contact Digipro IT today to strengthen your school’s defences.

