Students Remain Higher Ed’s Cybersecurity Weak Link

Just 22 percent of chief technology officers say students at their institution receive adequate cybersecurity training, according to Inside Higher Ed’s 2026 Survey of Campus Chief Technology/Information Officers. By comparison, 68 percent say faculty and staff receive adequate training. Another 70 percent say their institution’s leadership prioritizes cybersecurity investments.

Students constituting a gap in their institutions’ cybersecurity ecosystems is nothing new. In last year’s survey, just 26 percent of CTOs reported requiring student cybersecurity training, versus 79 percent for faculty and 86 percent for administrative staff.

But cybersecurity threats to higher education are only increasing, as the recent attack impacting the Canvas learning management system underscored. And artificial intelligence promises to accelerate this trend. Convincing phishing attacks, for instance, are much easier to draft, personalize and deploy at scale with AI. Agentic tools represent new risks. And models have also been used to discover and weaponize “zero-day” vulnerabilities—those previously unknown to developers—in software systems. This spring, AI giant Anthropic said it was withholding its own Claude Mythos model from public release due to its unprecedented ability to exploit such weaknesses. That reportedly caused the White House to rethink its laissez-faire approach to AI regulation, though an executive order issued last week introduces a voluntary oversight framework for new models.

Cybersecurity is also a growing concern for CTOs in 2026: Nearly six in 10 (59 percent) identify critical cybersecurity breaches or ransomware incidents as a top institutional risk through 2030, making it the second-most-cited threat, behind difficulty recruiting and retaining IT talent (62 percent). The No. 3 threat is unsustainable cost trajectories for technology services (56 percent). These factors are at least somewhat related: With scarce resources, institutions must triage who and what gets cybersecurity attention. Historically, faculty and staff have been prioritized, given their access to sensitive information by virtue of their roles. But experts told Inside Higher Ed that continuing to put student cybersecurity on the back burner hurts not only the institution but students themselves.

“Most universities do not enforce cybersecurity training for students, which opens up that category of users to be at a higher risk than others,” despite their being the largest campus constituency, said Rob Groome, chief information officer at the University of Southern California’s Institute for Creative Technologies. “Universities in general need to engage the student population early on in the admission process regarding cybersecurity expectations, once they are accepted. This will create a culture with the incoming student population, and the requirements will just be part of their journey through the university.”

Ben Woelk, governance, awareness and training manager for Rochester Institute of Technology’s Information Security Office, explained that many faculty members have access to valuable research data, while administrators and staff members handle other kinds of sensitive institutional information—making them critical groups for training. But while students may not have access to their college’s highest-value data, they are often among its most vulnerable targets. In this light, student cybersecurity training is as much about protecting them as protecting the institution.

“Across higher education, we’re seeing students targeted in credential theft so that the attacker can attempt to file tuition refund requests,” Woelk said, adding that these events can be cyclically timed around key dates in the academic calendar. Additionally, “We’ve had incidences of attackers victimizing international students with visa-related scams.”

In this latter kind of scheme, Woelk said international students receive messages, including calls or texts, that appear to come from government agencies or law enforcement officials warning of visa problems—queries that may seem more credible in the current political environment. Victims are pressured into sending money, sometimes losing thousands of dollars within 24 hours. The Federal Bureau of Investigation and colleges and universities themselves have warned students about such attacks.

Job scams targeting students have also become common, Woelk continued, with hackers promising flexible campus employment in exchange for personal or financial information. Often the initial email comes from an account that appears to belong to the student’s institution.

“Is it a direct risk to the university? No, not so much,” Woelk said of some of these incidents. “But it’s a horrendous impact on the students.”

Staying Current

At RIT, cybersecurity fundamentals are included in the virtual student orientation curriculum. The training is similar to what faculty and staff members receive, but tailored to students’ unique vulnerabilities and more focused on storytelling and real-world scenarios. Woelk said his team has also worked with international student affairs leaders to raise awareness. The university has experimented with cybersecurity escape rooms, online and off, to increase engagement.

Student attention and staff capacity are challenged across higher ed, he said, but the case for proactive defense is strong: Hackers “can send out 10,000 emails, as many as they need, and if they get half of 1 percent to respond and give things up, they’re still getting some return on investment … The attacker does not have to be sophisticated.”

‘Don’t click the link’ looks quaint against a tool the student deliberately installed.”

—Strategist Aviva Legatt

Strategist Aviva Legatt, author of the Higher Ed AI Playbook newsletter, agreed that student cybersecurity training is a worthwhile pursuit—and that it’s a fast-moving target. Whereas it used to mean “spotting a clumsy phishing email,” she said, “the newest layer is autonomous agents—agentic browsers and open agents like OpenClaw—that students install and point at their own accounts, then let act on their behalf inside the LMS, email, even financial aid portals, using the student’s own legitimate access, and with no guardrails the institution controls.” This intersects with data governance, she continued, as some students serve as school officials in ways that make them subject to federal student privacy laws.

“‘Don’t click the link,’” Legatt added, “looks quaint against a tool the student deliberately installed.”

CTOs are also concerned about the rise of agentic AI browsers: 26 percent agree that they’ve become a serious privacy and/or safety issue at their institution, while 24 percent agree they’ve become a serious academic integrity problem.