Phishing was the most common access vector for ransomware infections at lower education institutions over the past year
As schools continue to expand their digital footprint, the threat of phishing, spam, and other cyberattacks is increasingly impacting institutions for students up to 18 years old. These institutions may be referred to as primary, elementary, and secondary schools, or collectively as “lower education” or K-12 schools.
The Center for Internet Security reports that 82% of K-12 schools experienced a cybersecurity incident between July 2023 and December 2024. And these incidents are costly. According to Sophos’ 2025 State of Ransomware in Education report, the average cost for an educational institution to recover from a ransomware attack was just under $1M globally, even before considering ransom payments.
As students return to school, administrators and IT teams must stay vigilant against opportunistic threat actors. These attackers aim to exploit any vulnerabilities, putting students, staff, and teachers at risk.
Device and network considerations
Ensuring that systems are protected is the first step to improving a school’s resilience to attacks.
Increasing connectivity
Classrooms today rely heavily on technology, with internet-connected learning devices and school-assigned computers and Chromebooks becoming the norm.
Each of these devices may contain hardware and software vulnerabilities that can be difficult to continually patch and keep updated.
The Sophos 2025 State of Ransomware in Education report reinforces the importance of patching. Exploited security vulnerabilities were cited as the cause of 21% of all successful ransomware attacks against educational institutions.
An industry of industries
Technology shifts in schools aren’t limited to computers replacing physical textbooks and internet-connected “smart boards” replacing chalkboards. Backend processes are also digital. Schools may host payment processing and data storage systems, as well as other infrastructure. This convergence creates hundreds of digital touchpoints in each school.
As technology becomes more deeply embedded in both learning and administration, the number of potential cybersecurity vulnerabilities increases.
Third-party contracts and external hosting
Schools often rely on third-party contracts for various services, including scheduling, e-learning, and messaging systems. These services may rely on a combination of internal and external hosting or may be fully hosted externally.
The reliance on vendors introduces additional avenues for risk, as these third parties must be responsible for their own security measures to prevent and patch security vulnerabilities. A compromise of the vendor’s platform could render services unavailable or could provide access to the school’s data.
BYOD and remote learning
Remote learning and the increased prevalence of children having personal cell phones introduce bring your own device (BYOD) considerations. Students may be issued school-administered laptops that they carry between school and home each day, or they may bring personal devices that they connect to the school’s network.
These devices can create entry points for attacks. If a student’s device becomes infected outside of the school and is then connected to the school’s network, the malicious software (malware) could gain access to the network.
The threat of phishing
Spam and phishing are common methods used by attackers to infiltrate school networks. In phishing attacks, a threat actor impersonates a person or organization over email to trick individuals into revealing sensitive information. The 2025 Sophos State of Ransomware in Education report showed that phishing was the top reported technical root cause of ransomware attacks on lower education (22%). Spam involves bulk, less customized emails in a “spray-and-pray” approach.
Email as an attack vector
Many students are assigned their own email addresses when they reach an appropriate age. This practice could result in phishing affecting students as young as six years old. New to digital learning, young students are more likely to unknowingly click on malicious links, download malware, create easily guessable passwords, and reuse passwords. Without robust security and authentication, they can unwittingly open the door to devastating ransomware attacks.
Phishing beyond email
Phishing scams have evolved, now targeting users on social media platforms, streaming services, and subscription services. These platforms and services are popular among K-12 students, who may use school-provided devices to try to access these services (or spoofed versions of them) outside of learning hours. These scams can impersonate well-known companies to deceive users into providing sensitive personal information.
These attacks can be extremely costly. According to the Sophos 2025 State of Ransomware report, which encompasses all industries, K-12 schools have the highest recovery costs among industries, averaging $2.28 million. This amount doesn’t include any ransoms paid by victims.
Limited resources, expanding risks
Schools and educators are facing numerous challenges, including larger class sizes, shrinking budgets, and limited resources. Additionally, the Information Commissioner’s Office has reported a rise in cyberattacks in schools in the U.K. stemming from insider threats, particularly from students who may inadvertently or maliciously compromise school networks. Making sure that technology is operating correctly for staff and students can consume most of the available IT resources. There is also little the IT team can do to control students’ digital activities once students are outside the classroom and the school’s network protection.
The general 2025 State of Ransomware report found that 42% of lower education (K-12) schools reported challenges in detecting and stopping attacks in time. This underscores the critical need for proactive measures to prevent attacks before they occur. The education sector’s rate is comparable to other industries, such as energy, oil/gas, and utilities at 43%, and manufacturing and production, highlighting the widespread nature of this issue.
How K-12 schools can better guard against cybersecurity threats
As K-12 schools increasingly embrace digital learning, they also face growing cybersecurity risks that threaten student privacy, disrupt operations, and strain IT resources. To stay ahead of evolving threats, administrators and IT teams must adopt a prevention-first mindset, one that combines robust security controls, continuous education, and strategic partnerships.
- Prevent attacks before they start: Sophos emphasizes the importance of stopping threats before they cause harm. Schools can reduce the risk of ransomware and other malware by implementing layered security controls and teaching students and staff to recognize and avoid risky behaviors. For example, deploying a third-party email security solution like Sophos Email can help scan messages for malicious URLs and QR codes, blocking phishing attempts before they reach inboxes.
- Empower users with strong authentication: Requiring multi-factor authentication (MFA) or passwordless access helps students and staff take ownership of their digital security. However, because students may seek workarounds, ongoing education and monitoring are essential to ensure these measures are effective.
- Coordinate and simplify IT strategies: With sprawling IT environments, schools must unify their cybersecurity strategies to close visibility gaps and reduce risks. A coordinated approach helps prevent adversaries from exploiting weak links across systems and campuses.
- Extend capabilities through trusted partnerships: Ransomware places a heavy burden on IT teams. Schools can relieve pressure and enhance their response capabilities by partnering with providers for managed detection and response (MDR) services, ensuring 24/7/365 coverage and expertise.
- Prepare for incidents with strong response plans: Even with strong prevention, incidents may still occur. Schools should build robust incident response plans, conduct simulations, and ensure readiness with continuous monitoring and support services like MDR. Use our free Incident Response Planning Guide to get started.
These recommendations are backed by Sophos’ work protecting thousands of educational institutions, as well as findings from the 2025 Sophos State of Ransomware in Education report, based on a vendor-agnostic survey of 441 IT and cybersecurity leaders across 17 countries. The report highlights the real-world impact of ransomware on both lower and higher education institutions and offers actionable insights for building resilience.
Download the full report on Sophos.com.