"The challenge for the sector is that openness and collaboration is fundamental to how higher education institutions operate," said Ambrose Neville, head of information security at Queen Mary University of London.
Quorum Cyber's findings: a 63% surge in recorded incidents
Quorum Cyber, in its 2026 Global Cyber Risk Outlook for Higher Education, reports a sharp year-on-year rise in cyber-attacks against schools and universities. Using FalconFeeds.io threat intelligence covering November 2023 to October 2025, the firm recorded 425 incidents in the period November 2024–October 2025, up from 260 incidents in the prior year — a 63% increase in total recorded attacks.
The report places those incidents across 67 countries and quantifies several specific trends: data breaches rose by 73%, hacktivist activity increased by 75%, and ransomware incidents grew by 21% over the same comparative periods.
Nation-state targeting of AI, quantum computing and advanced materials
Quorum Cyber attributes part of the uptick to nation-state efforts focused on stealing high-value research materials. The report explicitly identifies AI, quantum computing and advanced materials as areas of particular interest to those actors. Universities, it notes, are attractive targets because they hold research that nation-states may seek to acquire.
Hacktivism, DDoS and a noted rise in Iranian activity
Alongside nation-state activity, the report highlights a surge in hacktivist operations against higher education. Quorum Cyber details hacktivist-related distributed denial-of-service (DDoS) attacks, website defacements and data-leak threats. It specifically notes a ramping up of activity from Iranian threat actors as part of that hacktivist pressure on academic institutions.
Persistent malware and the most prolific groups
Infostealer malware and financially motivated ransomware remained persistent threats during the reporting period. Quorum Cyber lists FunkSec as the most prolific group, at 23% of attributed activity, followed by Cl0p (10%), INC (10%) and Nova (10%). The report therefore presents a mix of espionage-driven targeting of research and financially motivated criminal campaigns affecting operational continuity.
Quorum Cyber's mitigation recommendations
- Intelligence-led vulnerability management: use up-to-date threat information to prioritise vulnerabilities for patching.
- Dark web monitoring: gain early warning of leaked credentials and third‑party breaches.
- Robust backups: maintain three copies of all critical data on two devices with one copy offline and stored in a separate location.
- Incident response exercises: conduct regular tabletop exercises so plans and playbooks remain fit for purpose and well understood.
- Password management: enforce strong, unique passwords for all accounts and store them in a password manager.
- Social engineering policies: harden helpdesks, deliver user awareness training, deploy phishing‑resistant MFA and enforce the principle of least privilege.
What this means for university technologists, policymakers, and students
Technologists and security teams: Quorum Cyber’s data-driven recommendations centre on intelligence-led vulnerability management, dark web monitoring and regular incident-response exercises — measures security teams can prioritise immediately against the 63% rise and the specific tactics named in the report.
Policymakers and regulators: the report’s cross-border data — incidents mapped across 67 countries and the documented increase in nation-state and hacktivist activity — underscores the transnational nature of the threat environment the report describes, which may inform regulatory and cooperative responses.
Students, researchers and campus users: Ambrose Neville’s observation that openness and collaboration are fundamental to higher education frames a practical tension highlighted in the report. That tension underpins the report’s emphasis on resilience measures such as backups, phishing‑resistant MFA and least-privilege access to protect teaching, research and day-to-day operations.
Quorum Cyber’s report ties a clear set of statistics — a 63% overall increase in recorded incidents, a 73% rise in data breaches, a 75% rise in hacktivist activity and a 21% uptick in ransomware — to specific threat drivers and named attacker groups, and then sets out concrete technical and operational mitigations. As Ambrose Neville put it, institutions "prioritise security resilience" because of the sector’s fundamental openness; the report’s recommendations are presented as the practical steps to make that resilience measurable and actionable.
Read the original report at Infosecurity Magazine.




