The Estonian Information System Authority (RIA) registers dozens of cyber incidents affecting educational institutions each year, most of which could be prevented with minimal effort. Schools face data breaches, account and website hijackings, scams, denial-of-service and ransomware attacks, and many other threats. Let us explore the most common risks and recommendations for avoiding them.
Data breaches affecting students and staff
Over the past few years, three cases in Estonia have involved the leakage of personal data from students and school staff, with at least one instance where the stolen data was put up for sale. These cases primarily involved contact and account information, which, while serious, are not the most sensitive types of data.
However, schools may also handle highly sensitive information, such as students’ health-related data. For example, development plans for children with special educational needs may include details of behavioural issues, health problems or even interactions with the police. If such information becomes public, it can severely damage a child’s future prospects.
School healthcare workers also handle students’ health data, which is another potential vulnerability. One significant risk arises when a school nurse’s computer is connected to the same network as the rest of the school community (and anyone else with the password). To improve security, schools should segment their networks by creating separate sub-networks for different groups, such as teachers, students, administrative staff and medical personnel. Although this is not a particularly complex task, it is often overlooked due to a lack of awareness.
Poorly secured school networks have even been exploited for criminal activities, including drug trafficking, leading to police involvement with affected schools. Cyber incidents jeopardise not only personal data but also the reputation of school staff and institutions. Repeated incidents, such as account hijackings that result in inappropriate mass emails or phishing attempts being sent to students, parents or colleagues, can cause lasting reputational damage.
Such incidents can usually be avoided by vigilance and adherence to basic cybersecurity hygiene.
Account takeovers often begin with phishing links, malware attachments, unpatched software, carelessly discarded papers with passwords, or a teacher leaving their computer unlocked and unattended – an easy temptation for a mischievous student.
Enabling multi-factor authentication is strongly recommended to better protect user accounts.
Years of work can be erased in moments
Many cyber incidents stem from technical failures rather than malicious intent. Today, a significant proportion of teaching materials are created digitally, and learning outcomes are often recorded exclusively in digital formats.
The loss of teaching materials due to technical errors or cyberattacks can impose a heavy burden on teachers, requiring hours of additional work to recreate the lost content.
Years of work can disappear in an instant. Similarly, the deletion or malicious alteration of grades can cause significant confusion for students and future complications when verifying academic records.
In August 2024, all server data at the Järvamaa Vocational Training Centre was lost in a ransomware attack, with no backups available. The Tallinn Health Care College was more fortunate in June, as it managed to restore staff and student files the following day using backups. These cases highlight the critical importance of data backups, which should always be stored separately from other systems.
Estonian schools also frequently experience denial-of-service attacks, which can temporarily disrupt internet access and daily operations. Analysis of attack patterns suggests that many of these incidents are likely orchestrated by students. Such attacks are relatively simple to execute and can even be purchased as a service from cybercriminals. However, school information systems should be designed to withstand these types of large-scale attacks.
Although it is impossible to eliminate all risks, every incident provides an opportunity to learn. Those responsible for information security in schools should share their experiences with peers to support collective learning and help prevent similar incidents elsewhere. Unfortunately, these stories are often kept quiet. The absence of open discussion within the community reduces awareness and perpetuates the mistaken belief that such incidents are uncommon. As the saying goes, a wise person learns from others’ mistakes, while a fool learns only from their own.
School leaders should seek guidance from stakeholders
Cybersecurity in schools is not always within the schools’ direct control. Last year, for example, there were recurring issues with the examination information system and the Moodle learning environment, both managed by the Ministry of Education and Research. These incidents underline the importance of investing in centralised e-services.
Estonian schools also rely on various platforms and services, such as electronic school management systems, provided by private companies, which often have little or no competition, leaving schools with no viable alternatives. Legally, however, educational institutions are responsible for ensuring data protection when outsourcing such services. This can be achieved through informed and well-considered procurement processes, with assistance available through RIA’s online training programme. Schools would benefit from pooling their resources and collectively discussing their needs to strengthen their position when negotiating with service providers. The experience of the Estonian Society of Family Doctors shows that collaboration can facilitate necessary changes to service contracts.
Implementing cybersecurity requirements may initially seem daunting for school leaders, but a step-by-step approach and a clear plan can make it manageable.
RIA experts observe that a school’s level of cybersecurity rarely depends on its size but instead on the leadership’s attitude. It largely hinges on how seriously they value protecting their community’s data and ensuring that modern learning and working tools can be used securely, without fear of cyber threats.
The majority of Estonia’s educational institutions are owned and budgeted by local governments, so school leaders should consult their municipal or city governments to improve cybersecurity. Since municipalities often manage numerous subordinate institutions that rely on shared information systems, a centralised approach to cybersecurity may be more efficient. This could involve hiring dedicated staff or outsourcing the necessary services to a specialist provider. Examples of municipalities that have adopted such a model include Pärnu City and Saaremaa Municipality.
RIA regularly organises information days and training sessions to assist schools in meeting cybersecurity requirements, many of which are specifically designed for educational institutions. RIA experts are readily available to offer direct guidance to schools on cybersecurity requirements, and inquiries can be sent to [email protected].
Recommendations for schools starting with cybersecurity
- Raise cybersecurity awareness. Many cyber threats can be prevented by raising staff awareness. We recommend starting with RIA’s free Cyber Test, which around 100 schools across Estonia have already adopted.
- Discuss with the school’s owner. School leaders should address information security with the institution’s owner, considering resource allocation and organisational structure. For example, they could explore organising cybersecurity centrally across all local government institutions, hiring an external service provider or similar solutions.
- Use RIA’s dedicated tool. RIA has developed the E-ITS profile, based on the Estonian Information Security Standard, which focuses on key security requirements for educational institutions. However, each school should further customise the profile to address the institution’s unique needs and characteristics.
- Leadership recommendations. The profile begins with recommendations for school leaders, who play a critical role in promoting information security. Leaders should appoint a responsible person for implementing technical requirements, either from the institution or externally, such as an information security manager, IT specialist or computer science teacher.
- Inventory and access review. Effective cybersecurity starts with understanding the school’s IT assets. Create an inventory of devices and software, and review system and network access for staff and students. Immediately revoke access for graduates and departing employees.
- Establish information security procedures. Develop an information security policy outlining how IT devices and systems should be used securely within the school.
- Review service contracts critically. When outsourcing IT services, carefully examine contracts to ensure clarity on what the service includes and how security incidents will be handled.
- Take advantage of RIA’s online training. School information security officers should complete the three RIA-created E-ITS online training modules available on the Digital State Academy website. Each course takes about an hour to complete, provides an overview of the field and offers practical advice:
  - E-ITS basics
  - Implementing E-ITS
  - Secure outsourcing
RIA to increase oversight of schools
Recently, RIA’s supervision department has been paying greater attention to educational institutions, as the high number of cyber incidents suggests schools are not adequately addressing information security.
In 2025, inspections are planned for state high schools and public universities, with some municipal schools likely to be included as well.
The goal of these inspections is not to punish but to prevent significant data breaches and disruptions in critical educational systems.
To achieve this, RIA identifies security vulnerabilities and deficiencies in meeting cybersecurity requirements and guides institutions in resolving any identified issues within a reasonable timeframe. Schools can also negotiate deadlines for implementing the necessary fixes.
If agreements are not honoured or if an institution refuses to cooperate with oversight efforts, RIA has the authority to impose fines. However, fines have only been issued in rare cases.
Beyond addressing specific issues at individual institutions, these oversight activities help RIA gain a clearer understanding of the overall state of cybersecurity in Estonia’s education sector. This enables the agency to highlight common challenges, improve prevention efforts, and, if necessary, propose regulatory changes or advocate for additional funding.
Last updated: 17.02.2025