Only 22 percent of senior technology executives say students at their institution receive adequate cybersecurity training, according to the report. Within Higher Ed2026 Survey of Campus Chief Technology/Chief Information Officers. By comparison, 68 percent said faculty and staff receive adequate training. Another 70 percent say their institutions’ leadership is prioritizing investments in cybersecurity.
Students creating a gap in their institutions’ cybersecurity ecosystem is nothing new. In a survey last year, only 26 percent of CTOs reported that they needed graduate training on cybersecurity, compared to 79 percent of faculty and 86 percent of administrative staff.
More on Survey
Wednesday, June 10, at 2 pm Eastern, Within Higher Ed will present a free webcast featuring expert panelists to discuss the survey findings and what it takes to lead in technology in today’s rapidly changing post-secondary environment. Sign up for that chat here, even if you can’t attend live.
Within Higher EdThe 2026 Chief Technology/Information Officer Survey was conducted by Hanover Research. The survey polled 130 technology leaders, mostly from public and private nonprofits, with a margin of error of eight percent. Download full results here.
But cybersecurity threats to higher education are only increasing, as recent attacks affecting the Canvas learning management system have highlighted. And artificial intelligence promises to accelerate this trend. Phishing attacks, for example, are much easier to plan, personalize and scale with AI. Agent tools represent new risks. And the models have also been used to detect and mitigate “zero-day” vulnerabilities—those previously unknown to developers—in software systems. This spring, AI giant Anthropic said it was holding back its own Claude Mythos model from public release because of its unprecedented ability to exploit such vulnerabilities. That has reportedly caused the White House to rethink its laissez-faire approach to AI regulation, even though an executive order issued last week introduced a voluntary oversight framework for new models.
Cybersecurity is also a growing concern for CTOs in 2026: Nearly six in 10 (59 percent) identify cybersecurity breaches or ransomware incidents as a top enterprise risk in 2030, making it the second most cited threat, after difficulties recruiting and retaining IT talent (62 percent). Threat No. 3 are unsustainable cost mechanisms for technical services (56 percent). These things are at least somewhat related: With scarce resources, agencies must evaluate who and what gets cybersecurity attention. Historically, faculty and staff have been prioritized, given their access to sensitive information because of their roles. But the experts told Within Higher Ed that continuing to put student cybersecurity on the back burner not only harms the institution but also the students themselves.
“Many universities don’t enforce cyber security training on students, which leaves that user group more vulnerable than others,” despite being the largest campus district, said Rob Groome, chief information officer at the University of Southern California’s Institute for Creative Technologies. “Universities often need to discuss with a number of students early in the admissions process about cybersecurity expectations, once admitted. This will create a culture for the number of incoming students, and the requirements will be part of their university journey.”
Ben Woelk, manager of administration, awareness and training for the Office of Information Security at the Rochester Institute of Technology, explained that many faculty members have access to important research data, while administrators and staff handle other types of sensitive institutional information—making them important training groups. But while students may not have access to their college’s highest value data, they are often among their most vulnerable targets. In this regard, cybersecurity training for students is as much about protecting them as it is about protecting the institution.
“Across higher education, we see students being targeted for identity theft so that the attacker can try to apply for tuition refunds,” said Woelk, adding that these events can be scheduled around important dates in the academic calendar. Additionally, “We have had incidents of attackers harassing international students with visa-related scams.”
In this latest version of the program, Woelk said international students receive messages, including phone calls or texts, that appear to be from government agencies or law enforcement officials warning of visa problems—questions that may seem credible in the current political climate. Victims are pressured into sending money, sometimes losing thousands of dollars within 24 hours. The Federal Bureau of Investigation and colleges and universities themselves have warned students about such attacks.
Job scams targeting students have also become common, Woelk continued, with hackers offering flexible campus recruitment in exchange for personal or financial information. Often the first email is from an account that appears to belong to the student’s institution.
“Is it a direct threat to the university? No, not that much,” Woelk said of some of these incidents. “But it has a negative impact on students.”
Living in the Moment
At RIT, the basics of cybersecurity are included in the student orientation curriculum. The training is similar to what faculty and staff receive, but has been tailored to the unique strengths of students and focuses more on storytelling and real-world situations. Woelk said his team also worked with international student affairs leaders to raise awareness of the issue. The university has experimented with cybersecurity escape rooms, online and offline, to increase engagement.
Student attention and staffing are challenged in all higher ed, he said, but the case for strong defenses is strong: Hackers “can send out 10,000 emails, as many as they need, and if they get half a percent of response and drop out, they’re still getting something out of the investment… The attacker doesn’t have to be sophisticated.”
‘Do not click on the link’ looks bad compared to a tool that a student has deliberately installed.”
— Strategist Aviva Legatt
Strategist Aviva Legatt, author of the Higher Ed AI Playbook newsletter, agreed that training students in cyber security is a worthwhile endeavor—and an urgent one. While it used to be “email phishing detection,” he said, “the newest layer is independent agents—agent browsers and open agents like OpenClaw—that students enter and identify their accounts, and then allow them to act on their behalf within the LMS, email, and even financial aid portals, using legitimate student access, and without institutional control.” This conflicts with data management, he continued, as some students act as school officials in ways that make them subject to federal student privacy laws.
“‘Don’t click the link,'” Legatt added, “looks nice compared to a tool that the student has installed on purpose.”
CTOs are also concerned about the rise of AI browsers: 26 percent admit they have become a serious privacy and/or security issue at their institution, while 24 percent admit they are still a major academic integrity issue.
