National cyber norms for academia: Securing India's campus innovation

India's schools and universities face cyberattacks at more than twice the global average, raising concerns over data security, intellectual property and resilience of the country's knowledge economy

India’s schools, colleges and universities now face an average of more than 8,000 cyberattacks every week — over twice the global average of 3,574 — according to a report by Check Point Software, a leading provider of cybersecurity solutions. The rapid shift to remote learning, AI-powered education systems and cloud-driven research collaborations has resulted in enormous volumes of sensitive personal and institutional data being stored on vulnerable networks. This is not just a technical issue but a socio-political and economic threat that erodes intellectual property, trust among students and India’s position as a knowledge-based economy.

 

Recent breaches underline the scale of the risk. In 2019, the Common Admission Test (CAT) suffered a data breach in which personal details of more than 200,000 aspirants to India’s premier MBA programmes were exposed. In 2020, BYJU’S faced a CRM vendor breach that exposed learners’ and families’ names, email addresses and phone numbers. A year later, Tamil Nadu’s Directorate of Technical Education was hit by ransomware that halted exam schedules and compelled officials to negotiate payments for decryption keys. Espionage campaigns attributed to groups such as APT36, also known as Transparent Tribe, have targeted top research universities, siphoning project data and posting stolen credentials on dark web forums to demonstrate their success.

 

 

Hackers targeting the education sector pursue clear incentives. Student and staff records command premium prices on dark web markets, while biotechnology and AI research attracts state-sponsored espionage groups. Ransomware gangs know universities are more likely to pay hefty sums to restore critical systems. Compromised “.edu” credentials are also prized for social-engineering campaigns. Attackers often time ransomware deployment just before exams or results, exploiting the pressure to restore systems quickly. These cases show that campuses — custodians of sensitive personal data and frontier research in biotechnology, AI, space and atomic sciences — are now as attractive as financial institutions, if not more.

 

A core issue is that educational institutions are still treated as secondary consumers of IT, rather than high-value innovation centres. Unlike ecommerce or banking platforms, universities handle sensitive intellectual property linked to advanced research, which is equally appealing to cybercriminals and state-backed actors. Educational networks also involve a diverse user base, including students, visiting researchers and non-human identities such as laboratory IoT devices, making access control and monitoring far more complex than in commercial organisations.

 

Ignoring these realities risks leaving India’s knowledge sector vulnerable to ransomware, espionage and persistent data exploitation. This is supported by the fact that, as documented by CyberPeace in 2023-2024 simulations, hundreds of thousands of credential thefts have been observed in campus settings, highlighting the scale of potential exposure. Check Point Software’s 2025 report notes a year-on-year rise of 20–30 per cent in attacks, with weekly incidents projected to reach 15,000 by 2030. 

 

Globally, countries treat cybersecurity in academia with the same urgency as banking or other critical infrastructure. In the US, the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) enables universities to share real-time threat intelligence, strengthening defences nationwide. In the EU, the NIS2 Directive links cybersecurity compliance to funding, similar to financial-sector regulations. In India, however, gaps persist. While the National Education Policy, 2020, emphasises digital innovation, cybersecurity receives limited attention. Annual audit requirements focus on compliance but do not foster preventive intelligence-sharing across institutions. There is no equivalent to REN-ISAC, leaving campuses to respond to breaches in isolation — a pattern attackers readily exploit.

 

India needs to adopt a National Education Cybersecurity Framework to strengthen its academic defences through three interconnected strategies. First, consortium-led defence: an Indian analogue of REN-ISAC to enable secure sharing of threat indicators and breach intelligence across campuses. Second, risk-based, tiered baseline standards that differentiate between colleges, universities and elite research institutes, incorporating tools such as identity-aware proxies and AI-driven anomaly detection. Third, mandatory capacity building for staff and students, complemented by incentives for EdTech vendors that meet “Safe Campus-qualified” standards.

 

Recognising campuses as part of India’s critical digital infrastructure would allow national cyber norms to protect academic innovation. By adopting international models, prioritising proactive defence over reactive compliance, and embedding a culture of security into campus life, Indian academia can better safeguard innovation, privacy and the country’s global reputation.

---

(Sreejith Alathur is an Associate Professor and Sreelesh V is Systems Manager at Indian Institute of Management, Kozhikode)  (Disclaimer: These are the personal opinions of the writer. They do not reflect the views of www.business-standard.com or the Business Standard newspaper)