The True Cost of Security: What 2025 Taught Higher Ed IT About Data Protection

’Tis the season to pause and look back at the year behind us. For anyone running IT or security in higher ed, 2025 put a very specific spotlight on the true cost of maintaining security and its toll on the budget, on the team, and on every decision about where data lives.

In that spirit, let’s take a look at what this past year revealed about cyber resilience in higher education.

Cyberattacks got smarter and more frequent

2025 brought an increase in attacks on colleges and universities. Schools averaged 4,388 cyberattacks per organization every week, more than double the global average and a 31% increase year-over-year (DeepStrike). So if it feels like campuses have a permanent bullseye on them, that’s not your imagination.

One of the leading causes of ransomware has been, and will continue to be, human error (or as we sometimes refer to it, PEBKAC: Problem Exists Between Keyboard and Chair). Social engineering has long been the leading attack vector, and we’re all familiar with the clumsy phishing emails and texts where it’s obvious the sender isn’t a native speaker.

That’s changing fast. Attackers are adopting AI to craft messages that look cleaner, more personal, and much harder to spot at a glance. This is a problem when nobody has extra time to scrutinize every message in the daily deluge. Beyond AI, there’s even ransomware as a service (RaaS). Yep, it’s a thing: essentially a subscription model for cybercrime that lowers the bar for would-be attackers and gives them one more tool to work with.

All of this lands especially hard in higher education because institutions are target-rich environments. It’s not just student records; think of all the applicants sharing detailed financial information, faculty and staff data, and the donor and alumni lists that can fuel future scams. Then layer on advanced research, especially anything with pharma or military applications, and you’ve got a treasure trove of trade secrets.

And it’s not only about ransom anymore. We’re also seeing a growing wave of hacktivists, or attackers going after universities for political, social, or academic reasons. Admissions data, research projects, and even admissions decisions can become targets. Elite universities with high-profile reputations and large endowments are especially attractive here, making the threat landscape more complicated than your average ransomware scenario.

Shrinking IT budgets and skills gaps raised security risk

Another growing pressure on higher ed security is the simple math of doing more with less. According to EDUCAUSE, 42% of higher education institutions expect their IT budgets to decrease in the 2025–2026 academic year. At the same time, campuses are onboarding waves of new users every semester and dealing with relatively high turnover in IT roles, making it harder to keep environments patched, monitored, and secure.

In our recent eBook co-authored with Dell, The Hybrid Cloud Advantage for Higher Education, we outline some of the financial headwinds that make security planning even tougher. This includes everything from summer melt to the looming enrollment cliffs. All of this hits just as attackers are getting smarter and more sophisticated, taking advantage of AI, cloud adoption, remote learning platforms, and other emerging technologies to expand the attack surface.

ESG’s Life and Times of Cybersecurity Professionals report revealed that 59% of organizations impacted by the skills shortage placed heavier workloads on existing staff, and 40% said they were unable to fully utilize the security technologies already in place. In other words, the cost of being secure isn’t just what you buy, it’s the extra hours your team spends trying to keep up.

When things do go wrong, the financial stakes are steep. EDUCAUSE puts the average cost of a data breach for educational institutions at $3.86 million, including data loss, financial penalties, and the often-overlooked cost of recovery: the time spent restoring systems, reporting to authorities, and performing forensics.

Cloud storage costs surprised higher ed IT teams

Figuring out the true cost of cloud storage is harder than it looks. With so many tiers (hot, cool, cold, archive), matching the right tier to the right data can get complicated, fast. And even then, do most institutions really know how often their data is accessed well enough to tier it confidently? The honest answer is usually no.

On paper, cold storage sounds like the obvious place to offload research archives, backups, and older files. The catch is that most of that data isn’t really “cold.” In the Wasabi 2025 Cloud Storage Index, 89% of education respondents said they access archived data at least monthly, compared with 83% of global respondents. Nearly a third of those surveyed reported that slow retrieval has negatively affected their work. And the stakes are high: 56% cited security events as a key reason for needing timely access to archived data.

But the real hidden costs in cloud storage aren’t the terabytes you can see on the bill. There are egress fees, or what you pay when you download data stored in the cloud. Then API fees that you pay every time you touch that data, whether to search it, move it, or maintain features like immutability. In the same 2025 Cloud Storage Index report, respondents in the education sector shared:

• Up to 50% of their cloud storage bills go to fees, not capacity.

• Upload and download request fees, though only a fraction of a cent per GB, add up very quickly at scale.

• Cold storage retrieval can take hours or even days and often ends up costing more than warmer tiers.

• Three out of four education organizations exceeded their budgeted cloud storage spend in 2024, mostly thanks to fees.

In other words, the cost of security in the cloud isn’t just what you store. It’s what it costs every time you need to use your data, especially in the middle of a security event when time and access matter most.

Rethinking data protection for 2026

All of this leaves higher ed IT teams focused on a primary challenge: how to protect what matters without making the whole environment unmanageable or unaffordable. That’s where architecture, especially your backup and archive strategy, starts to matter as much as any individual control. The way you store and retain data either adds to the cost and complexity, or it helps keep both in check.

That’s the problem we tackled in our eBook with Dell, The Hybrid Cloud Advantage for Higher Education: rethinking storage so resilience, recovery, and cost predictability all move in the right direction at the same time. At the center of that approach is the integration between Dell and Wasabi.

How Dell and Wasabi simplify protection and lower costs

Dell PowerProtect Data Manager and PowerProtect Data Domain integrate directly with Wasabi Hot Cloud Storage, giving you faster, simpler, and more predictable ways to back up and recover. Together, they deliver:

• Predictable costs: No hidden egress or API fees, so you’re not penalized every time you restore data, test a recovery, or pull records back during an incident.

• Faster restores: Hot cloud storage eliminates the delays and retrieval games that come with cold storage tiering.

• Built-in resilience: Long-term retention without added complexity, so you can keep the copies you need without juggling multiple tiers and policies.

• Archive to object: A full, non-deduplicated cloud copy stored in Wasabi. This makes it easier to maintain a second cloud copy for cyber resilience while enabling faster restores directly through PowerProtect Data Manager, with no more tiering delays when you’re trying to get systems back online.

What this means for higher ed IT

You can strengthen your cyber resilience without going over budget or burning out your team. With Dell and Wasabi, colleges and universities get faster recovery, simpler compliance, and predictable storage bills, freeing IT to spend more time protecting the institution and less time fighting hidden fees and storage.