Key points:
- Zero trust is an ongoing journey toward cyber resilience
In today’s digital-first higher education environment, the traditional notion of “safe inside the firewall” no longer holds true. Institutions are more connected, more distributed, and more vulnerable than ever before. Students, faculty, and researchers access institutional resources from anywhere, on any device. Meanwhile, adversaries exploit these same connections, often using stolen credentials or VPN vulnerabilities to slip inside undetected.
Universities are now facing more sophisticated attacks than ever before: ransomware, phishing, and data breaches have all become daily realities for institutions managing sensitive student and research data, with a recent report showing a 25.8 percent year-over-year rise in ransomware incidents across campuses. Additionally, the education sector has become one of the most targeted industries for cyberattacks, witnessing an alarming 861 percent increase in Internet of Things (IoT) malware activity. This surge is largely driven by the rapid adoption of connected technologies across campuses, from smart classroom devices and digital learning tools to physical security systems and facility management sensors. While these innovations have revolutionized learning and campus operations, they’ve also expanded the attack surface drastically.
Threat actors are now motivated by opportunities to disrupt education, steal sensitive student and faculty data, or deploy ransomware against understaffed IT departments. With limited cybersecurity budgets and sprawling networks of unmanaged devices, many institutions are struggling to secure their increasingly interconnected environments, making them prime targets for exploitation.
The stakes are far from theoretical. The operation of a modern university depends entirely on the resilience of its network. A single cyberattack has the potential to halt not just online learning or research access, but the entire campus ecosystem. Institutions function like small cities, and a successful ransomware attack can effectively bring that city to a standstill. Resiliency in the face of these digital threats requires zero trust architecture, which assumes breach, removes implicit trust, and continuously verifies users, devices, and connections before granting access.
Beyond the buzzword
“Zero trust” can often be dismissed as a buzzword throughout the education community, much like “cloud” once was. But it’s far more than marketing. Grounded in NIST SP 800-207 and CISA’s Zero Trust Maturity Model, it’s a proven framework for rethinking how access and data protection should work. The principle is simple but powerful: Never trust, always verify. Instead of assuming that users inside the network are safe, zero trust verifies every connection each time.
Campuses are designed to connect people and ideas without borders: Researchers share data with global partners, students access digital learning tools from personal devices, and visiting scholars or contractors often require network access. This culture of decentralization and inclusivity not only makes institutions uniquely dynamic, but also uniquely vulnerable. With countless unmanaged endpoints, independently run systems, and fluid data exchanges, traditional perimeter-based defenses cannot keep pace.
Zero trust enables institutions to preserve this essential openness while maintaining control, continuously verifying users, devices, and applications to ensure that freedom of access does not come at the expense of security. Because campuses are BYOD-heavy, zero trust network access avoids placing unmanaged devices on a VPN. Instead, a proxy/broker presents only the specific applications a user is authorized to reach, via secure browser access or lightweight agents, so the device’s full IP stack is never brought “inside” the network.
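The per-connection decision such a broker makes, as an added example that is not part of the original article or any vendor's product. The application names, roles, the rule that high-value applications require a managed device, and the browser/agent mapping are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed catalogue: roles entitled to each application, and whether the
# app is treated as high-value (assumption: those require a managed device).
APPS = {
    "lms":           {"roles": {"student", "faculty"},   "managed_only": False},
    "sis":           {"roles": {"registrar", "faculty"}, "managed_only": True},
    "research-data": {"roles": {"researcher"},           "managed_only": True},
}

@dataclass(frozen=True)
class Request:
    roles: frozenset       # roles asserted by the identity provider
    mfa_verified: bool     # identity re-checked for this connection
    device_managed: bool   # False for BYOD / unmanaged endpoints
    app: str               # the single application being requested

def decide(req: Request):
    """Evaluate one connection. Returns (decision, access_mode, reason)."""
    app = APPS.get(req.app)
    if app is None:                      # default deny: unlisted apps do not exist
        return ("deny", None, "unknown application")
    if not req.mfa_verified:
        return ("deny", None, "identity not verified")
    if not (req.roles & app["roles"]):
        return ("deny", None, "role not entitled")
    if app["managed_only"] and not req.device_managed:
        return ("deny", None, "unmanaged device")
    # Assumed mapping: unmanaged devices get proxied browser access only.
    mode = "agent" if req.device_managed else "browser"
    return ("allow", mode, "policy matched")

def visible_apps(roles, mfa_verified, device_managed):
    """Applications the broker presents to a session; nothing else is reachable."""
    return sorted(
        name for name in APPS
        if decide(Request(frozenset(roles), mfa_verified, device_managed, name))[0] == "allow"
    )

if __name__ == "__main__":
    print(visible_apps({"student"}, True, False))   # BYOD student
    print(visible_apps({"faculty"}, True, True))    # faculty on managed laptop
    print(decide(Request(frozenset({"faculty"}), True, False, "sis")))
```

Because `decide` runs for every connection and an unlisted application is denied by default, a compromised BYOD session can reach at most the applications returned by `visible_apps`, not the surrounding network.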
Modernizing without disruption
Many institutions know they need to modernize but remain paralyzed by the scale of transformation. Cultural resistance, tight budgets, and legacy infrastructure can make zero trust feel unattainable. The key is to start small and build momentum. Institutions can begin by identifying high-value assets or systems, such as student information databases or research data, and applying zero trust controls there first. From there, additional protections can be layered in gradually, extending visibility and access control across users, devices, and applications.
Some of the most successful institutions began their journeys this way: with a clear vision of where they wanted to be, even if every detail wasn’t perfect at the outset. They understood that the initial effort brings a return on investment and efficiency, establishing a resilient foundation that contains attacks, minimizes downtime, and safeguards operations. Zero trust isn’t a single product or one-time project; it’s an ongoing journey toward cyber resilience.
Preparing for the future
As institutions adopt more IoT and operational technology (OT) systems, zero trust will become even more vital. As every connected device represents a potential entry point, the only sustainable path forward is building security into the design of these environments. The next generation of network leaders will grow up with zero trust as a default expectation. For today’s institutions, that means starting now, modernizing security to keep research safe, and protecting the mission of higher education.
Threats are not slowing down, and waiting for the “perfect” plan is no longer an option. The most important step is to start. Progress on zero trust is incremental, but every step strengthens defenses, enhances visibility, and prepares institutions for the evolving threat landscape.
