
Cybersecurity in FE: Together we’re Stronger 

David Batho

New insights from Jisc highlight key priorities for leaders and identify support and guidance for effective cyber posture 

The cyber threat landscape facing further education (FE) is rapidly evolving, and it has never been more important for leaders to address the disconnect between the scale of the threat and the ability to defend against it. 

Here’s a stark example. Three years ago, the shortest observed time for a full breach of an IT system by a cyber attacker was around a week. A recent report from cybersecurity experts CrowdStrike revealed that figure is now just 27 seconds. 

This acceleration is being driven by AI. Almost nine out of 10 attacks are now AI-powered, and we are seeing from experience that threat actors, including state-sponsored groups, are targeting FE and HE. 

This is the grim reality now facing FE leaders, and ignoring it is not an option. 

Cybersecurity is a broad responsibility 

The UK government has made it clear that cyber security is a governance issue: not just a problem for IT teams, but a critical strategic responsibility for boards.

This was made explicit in the National Cyber Security Centre (NCSC) Annual Review 2025, which warns: “Cybersecurity is now a matter of business survival and national resilience.” 

In October 2025, this position was reinforced by a ministerial letter sent to boards and CEOs across the country, urging the use of the Cyber Governance Code of Practice as a framework for action, supporting the development of measures to respond to an attack, maintain operations during an incident, and for effective recovery. 

The forthcoming Cyber Security Resilience Bill (CSRB) will introduce a new legislative framework that aims to improve digital resilience across the UK economy.  

Following the ransomware incidents targeting UK retail and manufacturing during 2025, the government wrote an open letter to business leaders in October 2025, requesting that they apply Cyber Essentials across their whole supply chain and apply the NCSC Cyber Assessment Framework (CAF) for all critical services. Across UK FE and HE, Jisc advocates for this approach and offers support to ensure vital security precautions are in place for our members.

Challenges and conflicting priorities 

Even FE leaders who recognise the scale of their threat and their responsibility to address it are up against significant challenges. 

Many operate with lean IT teams, complex estates, ageing infrastructure and tight budgets. FE institutions manage large numbers of user accounts and devices and have a broad attack surface. 

Capacity is the single biggest constraint facing them. Only 37%* have any dedicated cyber staff, a decrease of 7% from 2024. The question we hear most from FE is: How can I protect my organisation while making the best use of the limited funding available? 

The good news is that there are cost-effective steps that can be taken in all settings to help minimise risk and strengthen resilience. 

Focus funding where it has most impact 

Clearly FE leaders need to operate within their constraints, but two areas should be essential: threat monitoring and identity security. 

Protecting the identity of users within an organisation is non-negotiable and requires investment. An area of vulnerability is around securely identifying individual students, staff, contractors and third parties – colleges may have thousands of students, hundreds of staff, and many ways to access services. Methods such as multi-factor authentication greatly enhance resilience against threats. 

FE leaders must also make sure they invest in appropriate monitoring of the core services within their institutional infrastructure, because flagging attack attempts and breaches as soon as they happen reduces the chances of them spreading. 

Don’t re-invent the wheel 

The NCSC provides a Cyber Security Toolkit for Boards. It’s free – please use it! 

The Toolkit helps boards understand cyber resilience and ensures risk management is embedded throughout an organisation as part of its culture, incorporating people, processes and technologies. Using this resource and its checklists is an effective way to ensure institutions implement the actions outlined in the NCSC’s Cyber Governance Code of Practice. 

Cyber awareness: everyone is part of the solution

With the focus on technology, it’s sometimes easy to forget that people are a key cyber security vulnerability – but also a key strength. Leading from the top down, encouraging awareness and training in a way that is accessible and engaging costs relatively little for the results it can achieve. 

As an example, a recent investigation into a cyber incident at an organisation I worked with identified delayed reporting due to a staff member’s concerns about personal repercussions. The individual’s actions slowed containment of the issue and led to the incident escalating unnecessarily. This highlights the importance of fostering a positive, learning-led culture where transparent accountability enables faster detection and response. 

Rehearse, rehearse and rehearse 

The cost of falling victim to an attack is devastating, with the average major incident costing £2m to recover from and causing around 10 to 20 days of downtime. It’s often said that it’s not a question of “if” but “when” an institution is attacked.

I’d add that it’s also a question of how quickly you can respond when it happens, and the more an institution prepares, the better they will cope.  

Rehearsals for managing an incident should be thorough and regular, looking at every possible scenario and its impact, refining reporting procedures, and ensuring everyone knows their roles and responsibilities. 

The power of community 

The emphasis is now on us all to take collective responsibility for cyber security, which involves effective sharing of threat intelligence between counterparts and other organisations. 

A highly effective means of sharing information, knowledge and best practice is through Jisc’s cyber security community of practice, which has grown to more than 3,000 members in recent years and brings together a diverse network of senior executives from across UK FE and HE. 

The faster we can share intelligence, the more effectively we can defend as one. It is one of the many examples of where we are stronger together. 

By David Batho, Director of Security at Jisc 

*Via Jisc’s 2026 Cyber Posture Survey 

