Future of K-12 Cybersecurity: Understanding the Student Factor in School Cyber Risk

 

Brought to you by Gallagher

 Published March 2026


The cybersecurity challenges facing K-12 schools have never been more pressing. The Center for Internet Security, Inc. (CIS) released its 2025 report on K‑12 cybersecurity, stating that 82% of reporting US K‑12 organizations experienced cyber threat impacts between mid‑2023 and the end of 2024. There were nearly 14,000 security events and over 9,000 confirmed incidents recorded in just 18 months.[1] However, recent trends reveal that one of the most significant vulnerabilities may, in fact, be students themselves.

Students can be more vulnerable to social engineering and less vigilant about password security, and they are frequently targeted by attackers seeking easy access to school systems. To be clear, the takeaway here is not about apportioning blame; it is about clarity on fiscal and operational realities. By understanding how student behaviors impact overall risk exposure, school leaders can move beyond simple content filtering toward a proactive strategy that involves students as active partners in cybersecurity.

Spectrum of student-driven risks

Student-induced risks generally fall into two categories:

  1. accidental and
  2. intentional.

The “accidental” threat is often a byproduct of digital curiosity or non-critical thinking. Students may prioritize convenience, adopting weak or shared passwords, which remain a top attack vector.

The global education sector experienced an average of 4,356 weekly cyberattacks between January and July of 2025, representing a 41% increase from the previous year.[2] Attackers utilized a variety of tactics: from credential-harvesting phishing campaigns to complex malware infections designed to breach networks and extract sensitive data.

The “intentional” insider threats are particularly alarming for those operating in the educational sector. Student-driven incidents can originate from guessed or compromised login credentials. These methods are often quite simple: observing teachers entering passwords, sourcing credentials written on notes or using commonly available hacking tools obtained online. Regardless of the intent, the result is the same: a compromised network.


Real costs beyond the breach

For the ASBO community, student-driven cyber incidents may result in significant financial and operational impacts:

  • Service downtime: Schools may be forced to close for extended periods, affecting educational continuity.

  • Increased insurance premiums: Many insurance carriers increasingly evaluate robust internal security controls before providing coverage. A survey of educational tech leaders revealed that 59% of districts faced increased insurance premiums, while 24% experienced higher deductibles.[3]

  • Data breach costs: If students successfully breach systems, IT teams need to divert resources from strategic initiatives to patch vulnerabilities and investigate incidents. These response efforts come with a steep price tag: the average cost of a data breach in the education sector was reported at approximately $3.65 million in 2025.[4]

  • Reputational damage: Stolen student and faculty data published on the dark web undermines community trust and can sometimes lead to prolonged, expensive lawsuits.


Limitations of traditional security measures

The challenge for school business officials lies in the unique nature of the threat. Traditional perimeter defenses, designed to block external actors, are largely ineffective against legitimate users who already have system access. Students have authorization to use school networks and devices, making their online activities harder to identify from regular usage patterns.

While content filters are required by the Children’s Internet Protection Act (CIPA) in the US, they are not a complete security solution. At least 50% of students admit to accessing inappropriate websites, often using VPNs or proxy apps to “blind” IT staff to their behavior.[5]

Also, many educational institutions still use legacy platforms, including outmoded versions of Windows, dated learning management systems or unpatched server environments. These legacy systems create high-exposure vulnerabilities, turning student curiosity into a potential network-wide crisis.


How to transform student engagement

Schools can move beyond traditional “don't click this” warnings to interactive cybersecurity education. Effective programs are designed to include hands-on activities where students learn to identify phishing scams, recognize social engineering tactics and understand malware threats. Simulated phishing exercises, problem-solving activities and collaborative projects are designed to be more effective than passive instruction-only approaches.

By collaborating with students on cybersecurity, schools can help improve threat detection, speed up incident reporting and reduce successful phishing attempts. Students develop online safety awareness that extends beyond the classroom, while schools benefit from a more resilient security approach. Ultimately, the goal is for cybersecurity to become a shared responsibility to protect institutions, faculty and students alike.

                                                                                                            

[1] “Center for Internet Security Releases K-12 Cybersecurity Report,” Center for Internet Security, 6 Mar 2025.

[2] Subhra Dutta, Tushar. “Cyber Attacks Targeting Education Sector Surges Following Back-to-School Season,” Cyber Security News, 29 Aug 2025.

[3] Merod, Anna. “How to Navigate the Rising Cost of Cyber Insurance for Schools,” K-12 Dive, 30 Oct 2024.

[4] “Cybersecurity Guide for Education 2025,” ThreatDown, accessed 12 Feb 2026. PDF File.

[5] “Understanding the Five Most Common Cybersecurity Mistakes to Empower Students to Protect their Privacy Online,” The Social Institute, 20 Dec 2025.


These views reflect Gallagher’s experience in the sector and are provided for general information only.

Disclaimer: This article has been prepared by Gallagher for informational purposes only. It does not constitute advice and should not be relied upon as such. The views expressed are general in nature and not intended to address the circumstances of any particular school or institution. While we endeavor to provide accurate and timely information, Gallagher makes no representation or warranty, express or implied, as to the completeness or accuracy of the information contained herein. This article does not replace the need for appropriate insurance coverage or legal advice.

The Cyber Risk Management Service is a non-insurance risk management service. It is not regulated as an insurance product under US law. Services are provided by the UK-based Cyber Risk Team of Arthur J. Gallagher Insurance Brokers Limited, which is authorised and regulated by the UK Financial Conduct Authority. This service does not replace the need for appropriate insurance coverage or legal advice.

  

   
