
Why Traditional Security Awareness Training Is Failing The Education Sector

Published on 22.06.2026, 6 min read

Schools, colleges, and universities are among the most heavily targeted organisations in the UK for cyberattacks. Not because they hold high-value financial data, but because they combine an unusually large and diverse user base, constrained IT resources, and an environment where disruption carries immediate and often serious consequences.

The UK government's Cyber Security Breaches Survey 2025 found that 85% of further education colleges and 91% of higher education institutions identified a breach or attack in the past 12 months. Even among secondary schools, the figure was 60%, well above the 43% reported across UK businesses overall[1].

Why Education Is a Target

Educational institutions are rich in personal data: staff records, student information, financial details, safeguarding documentation. The systems holding it are often harder to defend than in a corporate environment. User populations are larger, more transient, and significantly harder to manage consistently. A secondary school or college might have hundreds of staff with very different levels of digital literacy, alongside contract workers, supply staff, and, in higher education, the annual churn of thousands of students. Unlike a corporate environment where IT can enforce consistent behaviour, education institutions operate with a level of openness that is structurally harder to lock down.

Budget compounds the problem. Education IT teams are typically small and stretched across infrastructure, support, compliance, and day-to-day operations. The ESET Education Cybersecurity Report 2026 found that 7% of UK educational institutions operate with no annual cybersecurity budget at all[2], and one in three still lack fundamental protections like strong password policies. High-value, structurally exposed, and under-resourced: the ideal combination for attackers.

A successful attack carries consequences that go beyond data loss. Schools have seen staff locked out of safeguarding systems, lessons disrupted, payroll delayed, and sensitive student records exposed. In some cases, systems have been offline for weeks. For institutions with no redundancy and no dedicated incident response capability, recovery is slow and costly.

Phishing Is the Dominant Threat

Across every tier of education, phishing is the most reported attack vector. The DSIT Cyber Security Breaches Survey 2024 found that 92% of primary schools and 89% of secondary schools that experienced a breach identified phishing as the main form of attack[3].

This is not surprising. Educational staff receive high volumes of external communications: invoices, supplier queries, event notifications, system alerts. In Microsoft 365-heavy environments, attacks increasingly arrive through Teams messages, SharePoint file-share notifications, and MFA push prompts (sent repeatedly until a tired user approves one) as well as email, channels that staff trust implicitly. The conditions for social engineering are near-constant.

What has changed is the quality of the attacks. AI-generated phishing emails now mimic supplier language, internal communications, and tone convincingly enough that traditional “spot the typo” training is no longer sufficient. A fake safeguarding escalation, payroll update, or supplier invoice request can now be written in near-perfect internal tone and formatting. Staff who completed awareness training two years ago are being tested against threats that look nothing like the examples they were shown.

The Training Problem Schools Face

Most educational institutions recognise that staff awareness is critical. The issue is often the delivery.

Teachers operate under tightly managed workloads. Even a short training module competes for time that is already allocated. IT teams know that pulling staff into mandatory sessions and chasing completions generates resistance and rarely produces lasting behaviour change. The result is awareness activity that happens once a year, satisfies compliance requirements, and is forgotten within weeks.

The administrative burden compounds over time. Scheduling campaigns, updating templates, chasing non-completions, compiling reports for governors: each task is individually manageable but collectively they add up to a meaningful overhead on IT teams that have no spare capacity.

What works is continuous, realistic training that IT teams do not have to manually sustain: regular automated simulations built around the communications staff receive, adaptive difficulty based on individual performance, and reporting that is ready when leadership asks for it.

What Effective Awareness Training Looks Like

For most institutions, the challenge is not recognising the importance of awareness training. It is finding an approach that runs without creating additional operational overhead.

Practice from Pistachio is built to solve this:

  • IT teams can launch organisation-wide simulations without managing campaigns manually — it integrates natively with Microsoft 365 and deploys in under 10 minutes
  • Staff receive phishing scenarios relevant to the communications they actually handle, so finance teams see invoice fraud attempts and IT staff receive vulnerability alert impersonations, not generic templates
  • Training difficulty adapts automatically based on individual performance, removing the need for manual segmentation or intervention
  • Reporting is built in, so when governors or senior leadership ask for evidence of ongoing awareness activity, the answer is already there

The impact of this approach is already visible across UK education, with institutions including Berkhamsted School, CATs Global, Heath Mount School, and Lighthouse Schools Partnership all successfully using Practice.

Real-World Results: University of St Andrews

The University of St Andrews had been running phishing simulations manually, with compromise rates sitting at 20-25% and training completion around 20%. After deploying Practice, the compromise rate dropped to 1-2%, completion improved significantly through automated follow-up, and admin time fell from days per quarter to minutes per month. Sam Foster, IT Security Specialist at St Andrews, described it simply: "We used to spend hours writing phishing emails and chasing people for training. Now I check the dashboard once a month. The system handles the rest."

Building Cyber Resilience in the Education Sector

As phishing attacks become more sophisticated and education environments remain operationally stretched, awareness training is shifting from a compliance exercise to a resilience requirement. The institutions seeing measurable improvement are typically those treating training as a continuous operational process rather than an annual event.

If your institution is still relying on annual awareness training, it may be time to assess whether it is producing measurable behavioural change. Practice helps education IT teams automate continuous phishing resilience training without adding operational overhead.

Email contact@pistachioapp.com to arrange a 15-minute demo.
