A majority of chief information security officers in the U.S. education sector believe they’re likely to experience a material cyber attack in the next 12 months, and a majority have dealt with a material loss of sensitive data in the previous 12 months, according to the newest Voice of the CISO report published this week by cybersecurity company Proofpoint.

For the 2023 edition of the annual report, researchers at Censuswide surveyed 1,600 CISOs from organizations with 200 employees or more across different industries in 16 countries, on behalf of Proofpoint. The survey was conducted in late January and early February and included 112 CISOs from education organizations, whose responses were shared exclusively with Campus Technology.

When asked how likely they believed a material cyber attack against their organization to be in the next 12 months, 63% of U.S. education CISOs surveyed answered “somewhat likely” or “very likely”; just 25% believed it unlikely.

Nearly two-thirds of U.S. education CISOs, 63%, agreed that “if impacted by ransomware within the next 12 months, their organization is likely to pay a ransom to restore systems/prevent the release of data,” according to the survey results, while 25% said they disagreed. 

More than half, or 61%, of all respondents agreed that their organization is unprepared to cope with a targeted cyber attack. Among education CISOs in the United States, 38% agreed they are unprepared, with a full 50% answering “neither agree nor disagree.” Not a single U.S. education CISO indicated that their organization is prepared for such an attack.

Proofpoint’s Voice of the CISO findings “reveal that most CISOs have returned to the elevated concerns they experienced early in the pandemic”.

Key Findings From Education CISOs 

  • Education CISOs from the United States said they believe their biggest threat — by a longshot — is ransomware, with 63% listing it as their biggest concern. 
  • Other types of cyber threats top of mind for education respondents were:
    • DDoS attacks (38%)
    • Cloud account compromise (38%)
    • Smishing/vishing (38%)
  • 75% agreed that “human risk, including malicious and negligent employees, is a key cybersecurity concern for me in the next two years.” Not a single education respondent disagreed on this question.
  • 52% of U.S. education respondents agreed that their board sees eye to eye with them on the issue of cybersecurity — the lowest of all sectors surveyed.
  • 67% of U.S. education CISOs said they agree that “cybersecurity expertise should be a board-level requirement.” The U.S. average from all sectors was 70%, “suggesting that many believe technical knowledge is lacking in the boardroom,” Proofpoint said in the report.