As higher education institutions and other organizations continue to embrace digital transformation, they are also becoming more exposed to a rapidly evolving cyberthreat landscape. Universities are not only custodians of sensitive personal and financial data, but they are also stewards of cutting-edge research and intellectual property. This makes colleges and universities prime targets for cybercriminals and opportunistic hackers.
The following article explores five of the most pressing cybersecurity risks facing higher education today, offering strategic insights and practical recommendations to help your institution build resilience and safeguard its mission.
1. Data Governance, Security, & Privacy
This issue tops the list because universities manage an extraordinary volume and variety of data. They hold student academic records, financial aid information, and sensitive research data subject to federal and, in some cases, state regulations. However, this data may be stored and managed across departments, labs, and administrative units, leading to inconsistent security practices and increased risk of exposure or non-compliance. It is mission-critical to secure all this data from prying eyes and bad actors. Data security is vital in its own right, and losing data could also decrease trust with the student body, professors, academic community, and research partners, and harm the school’s public reputation.
Effective data governance begins with a complete inventory and classification of institutional data. Once data is categorized by sensitivity and specific regulatory requirements, institutions can implement appropriate access controls, encryption standards, and monitoring tools. Compliance with frameworks such as FERPA, GLBA, HIPAA, PCI-DSS, and CMMC must be embedded into everyday operations, not treated as a one-time checklist. Data loss prevention (DLP) technologies can further help monitor and protect your institution’s sensitive information from accidental or malicious leaks.
2. Managing Application Systems, Platforms, & Emerging Technologies
Universities have been modernizing their platforms for years.
However, we are seeing the pace of technological change in higher education accelerating with the adoption of cloud platforms, AI-powered tools, and automation to enhance learning and streamline operations. Another example is vibe coding, which is the software development process where a user provides prompts to a generative AI model to create, refine, and debug code, allowing even non-technical individuals to build functional applications.
These examples show how large the technology changes are: emerging technologies keep arriving, and the path from idea to product has never been faster or within reach of more employees. In this environment, universities need to balance innovation and risk management. Guardrails need to be in place with up-to-date system inventories and structured change management processes. Without governance and controls, even well-intentioned innovation can introduce significant risk.
3. Artificial Intelligence Threats
A much-talked-about technology is artificial intelligence (AI). It is transforming the world, including higher education, by augmenting the way we approach learning, research, and task automation. But the rapid adoption of AI technologies, without adequate oversight, can introduce new and not well-understood risks. This again is the balance between innovation and potential risk. As an example, users of generative AI tools may leak sensitive data or compromise academic and institutional integrity.
To address these challenges, institutions can establish robust AI governance frameworks that help define acceptable use, ensure transparency, and enforce ethical standards. NIST has an AI Risk Management Framework (AI RMF). In addition, the International Standards Organization (ISO) has issued a standard.¹ These frameworks can become a model for schools to follow.
There is no doubt that organizations should adopt AI technologies, but schools must have an intake process where they review, adopt, and harden those technologies.
4. Third-Party Risk Management
More organizations are outsourcing solutions to third parties, such as software-as-a-service (SaaS) cloud software companies. Universities are experiencing this trend as well. They are sharing access to systems and data on a broader and more frequent basis, whether it’s access to a building, software, a piece of hardware, or data.
Unfortunately, some organizations lack a centralized approach to managing third-party risk, resulting in inconsistent vetting, oversight, and contract enforcement. Because data sharing is practically unavoidable in the current environment, it is important to ask some questions.
- What data do we have?
- Who are we sharing that data with?
- Who are the lower, medium, and higher risk suppliers that we use?
- How are they making sure our data is secure, and their systems remain available?
- Has anything changed in their organization that they or we should be aware of?
It’s critical to understand who you are doing business with and how to manage the risk with them. Before onboarding, each vendor should undergo a thorough risk assessment that evaluates their security controls, data handling practices, and incident response capabilities. Contracts should include clear requirements for data protection, breach notification, and compliance with institutional policies. Ongoing monitoring and periodic reassessments are essential to help ensure that vendors remain aligned with changing security expectations.
5. Business Continuity & Cyber Resilience
When people think of cyber risks, targeted attacks such as viruses and malware most likely come to mind. Those risks are still very real. Ransomware attacks have crippled university administrative systems. These attacks are not only disruptive but can also result in significant financial and reputational damage. Lincoln College in Illinois could not rebound from the double punch of COVID-19 and a ransomware attack. After 157 years, they were forced to close their doors in 2022. Collegis Education found that in 2023, 79% of schools fell victim to ransomware, with 56% paying to recover their data.²
The decentralized and complex IT environments typical of universities make them especially vulnerable to cyberattacks. With thousands of endpoints, legacy systems, and varied user groups, attackers may have a better chance to exploit unpatched software, misconfigured systems, or unsuspecting users.
To counter these threats, institutions must adopt a layered defense strategy rooted in zero trust, which is an approach that can feel at odds with the open, collaborative nature of academic environments. The challenge lies in balancing protection with innovation, research, and usability. Security measures must support rather than hinder the university’s mission.
While the goal would be solid prevention and detection, higher education institutions also need to be prepared for when an incident or a breach occurs. Cyber incidents can threaten to bring university operations to a standstill and could disrupt everything from payroll and enrollment to research and classroom instruction. Universities cannot afford to have cyber incidents jeopardize grant funding, delay academic progress, or erode stakeholder trust.
Protocols and plans of action should be in place now so you can maintain or get back to business as usual as quickly as possible. Business continuity planning should involve scenario testing, training, and exercises from trained professionals. These professionals can help you identify critical systems, define recovery priorities, and establish clear communication protocols.
How Forvis Mazars Can Help
Cybersecurity is a strategic imperative that touches every aspect of university life. As stewards of knowledge, innovation, and personal data, many higher education institutions are leading by example in building secure, resilient, and ethically grounded digital environments. This is quite the endeavor, as it requires investment, leadership, and a shared commitment to protecting the people, data, and mission that define the academic enterprise. Have questions or want help fortifying your organization’s cybersecurity strategies? Reach out to a cybersecurity professional at Forvis Mazars.