
Why Data Protection and Cyber Security is Tough in Higher Education (and How to Get It Right)

  • Jess Pembroke
  • Jul 16

Article by Jess Pembroke, Director of Information Law Services at Naomi Korn Associates


In a sector driven by data and reputation, data protection and cybersecurity should be core to every activity. Yet for higher education providers, from emerging and smaller institutions to historic big players, these areas remain persistently difficult. I think there are four key reasons for this:


1. The Data Legacy Problem


Good data protection starts with understanding your data: what you hold, where it is stored, and why you have it. But in some institutions, especially those that have grown quickly or undergone significant changes, organisational knowledge has been lost. Staff turnover, system migrations, and informal workarounds mean that institutional memory is patchy and documentation is incomplete. The people who once knew why we did things a certain way may no longer be around.


The solution: A good Data Protection Officer/Team will regularly review records (some of which you are legally required to keep) with departments on a rolling basis. This can also form part of the responsibilities of project management and transformation teams, to make sure that data and the reasons for having it don’t get lost as the organisation grows and evolves.


2. The System Legacy Problem


Linked to the first point, many institutions are grappling with what’s increasingly recognised as a “tech debt crisis” - the accumulation of outdated systems, fragmented platforms, and short-term fixes that make long-term resilience harder to achieve. Without sustained investment, IT infrastructure can quickly become outdated, harder to maintain, and more vulnerable to attack.


The British Library, in its 2024 report into a major cyber-attack, said: “The Library’s…. diverse and complex technology estate, including many legacy systems, has roots in its origins as the merger of many different collections, organisational cultures and functions. We believe that the nature of this legacy infrastructure contributed to the severity of the impact of the attack”.


The solution: Be intentional about your IT estate; many organisations are too quick to adopt new platforms without a long-term plan for integration, maintenance, or retirement. Once the excitement of a new system fades, it still needs to be supported and continuously secured.


Instead of continually expanding your digital footprint, focus on limiting the scope of your platforms and tools to what is necessary. Prioritise key systems that align with your strategic goals and invest in a sustainable IT strategy that balances innovation with long-term resilience. This approach not only reduces complexity and cost but also strengthens your ability to manage risk and maintain compliance over time.


3. Priorities and Risk Management


In the day-to-day reality of leadership, tangible risks often take precedence. The number of applicants, the state of the estate, or the delivery of a new programme are visible, measurable, and urgent. Data protection compliance and technical security controls are often invisible until they aren’t. A cyber-attack can be catastrophic, but the risk and impact are theoretical discussions, and the return on investment in prevention is hard to quantify.


The solution: Awareness. Make sure your senior teams understand how likely a cyber risk may be, through regulation training and horizon scanning. Free training and awareness materials are available online, including Governance Training for senior leaders from the NCSC (https://www.ncsc.gov.uk/cyber-governance-for-boards/training) and regular news, blogs and speeches from the Information Commissioner’s Office. You can also sign up to receive a regular newsletter from Naomi Korn Associates.


4. The Culture


Building a culture of awareness and accountability takes time and leadership, but smaller providers often lack the internal capacity to dedicate to this work. And when expertise is split across a range of roles, confidence and clear direction can suffer. This creates a vicious cycle: uncertainty leads to inaction, which increases risk.


The solution: Build a strong culture, which starts with openness; staff should feel safe and supported to report issues when something goes wrong (because it will), and leaders should have a clear, rehearsed plan for responding to major incidents like data breaches or cyber-attacks.


Next Steps


If your organisation does not have someone championing data protection and cyber, why not consider an Outsourced Data Protection Officer? This flexible, cost-effective solution, whether part-time or interim (Case Study: Liverpool School of Tropical Medicine), can help bring your compliance up to speed and provide expert assurance where it’s needed most.


Would your team benefit from some additional training? Consider our range of CPD accredited Training Courses, or contact us about our in-house offering, including our new course, Data Protection and Cyber Security for Execs and Senior Leaders.



AssurED is a trading name of Board Excel Ltd. Board Excel Ltd is a company registered in England and Wales with company number 16525638.

Registered office: Unit 8 Old Forge Court, Colchester Road, Elmstead Market, Essex, United Kingdom, CO7 7EA. 

Contact: enquiries@assuredgovernance.com 

