
Education and Campus Security: Universities, Schools, and Research Facilities | CloseProtectionHire
Written by James Whitfield, Senior Security Consultant
University campuses combine some of the most valuable intellectual property in the world – pre-publication research in advanced materials, quantum technology, life sciences, and defence-relevant science – with some of the most open physical environments in any sector. The combination is not inherently unmanageable, but it requires a security model designed specifically for the academic context.
The threat picture has changed. National security agencies in the UK, US, Australia, and Canada now consistently identify academic and research institutions as primary targets for state-sponsored intelligence collection operations. The era in which universities could treat security as a primarily welfare and access-control function is over.
The Intellectual Property Threat
State-Sponsored Research Theft
In July 2021, NCSC, FBI, ASD, and CCCS jointly issued an advisory warning that academic institutions were being targeted by state-sponsored actors, specifically identifying the targeting of COVID-19 vaccine research, quantum computing, advanced AI research, and aerospace and defence-related science.
The advisory identified the primary attack vectors as:
- Spearphishing against specific researchers with access to target research
- Recruitment of insiders – both students and academic staff – to provide ongoing access to research output
- Exploitation of research collaboration agreements that provide legitimate access to systems
- Academic partnership and joint venture structures used to establish a persistent presence within the institution
The National Security and Investment Act 2021 was in part a legislative response to this threat picture, creating powers to scrutinise partnerships and collaborations in 17 sensitive sectors before they create vulnerabilities that are difficult to unwind.
Export Controls and Deemed Exports
The Export Control Order 2008, administered by the Export Control Joint Unit (ECJU), applies to the transfer of controlled goods, software, and technology. “Technology” includes technical data, technical assistance, and training. A university that involves a researcher from a country subject to export restrictions in controlled research activity may be transferring technology in a way that requires an export licence – even if no physical goods cross a border.
This is the “deemed export” concept. It is well-established in US Export Administration Regulations (EAR) and ITAR enforcement, and the ECJU is increasingly active in enforcing its UK equivalent. Universities with significant international research populations and defence or dual-use research portfolios need an export control compliance programme that specifically addresses the academic working environment.
Safeguarding and the Prevent Duty
Keeping Children Safe in Education
Schools are subject to the DfE statutory guidance Keeping Children Safe in Education (updated 2023), which requires governing bodies and proprietors to ensure appropriate safeguarding arrangements, including controlled access to the building, robust visitor management, and safer recruitment procedures. The security infrastructure required by the safeguarding framework – single point of entry during school hours, visitor sign-in with identity verification, CCTV at access points – is directly aligned with the physical security requirements.
Counter-Terrorism and Security Act 2015: Prevent Duty
The Prevent duty requires specified authorities – which include schools, further education institutions, and universities – to have due regard to the need to prevent people from being drawn into terrorism. For educational institutions, this means having policies and procedures in place to identify and respond to concerning behaviour, referral pathways through the Channel programme, and staff training in Prevent awareness.
The Prevent duty creates a specific governance requirement: designated Prevent leads with defined responsibilities, annual review of the institution’s Prevent risk assessment, and records of Prevent-related referrals and outcomes.
Access Control on an Open Campus
The open-campus model is not a security failure. It is a deliberate reflection of the institution’s educational purpose. Security measures must be designed to function within it, not to replace it with a closed-campus model the institution cannot sustain.
The effective approach is zoned access:
Zone A – Open campus: Public spaces, teaching buildings during teaching hours, library, student union. No access control beyond normal building security.
Zone B – Staff and enrolled student access: Research buildings, administrative offices, server rooms, specialist teaching facilities. Card access or fob required.
Zone C – Restricted research areas: High-value research equipment, sensitive data environments, defence research facilities. Named access list, visitor management system, audit trail of access.
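The zone model above expressed as an access decision plus audit trail, as an added example that is not part of the original article. Door names, badge IDs, the visitor pass and the event list are constructed; recording Zone B attempts alongside Zone C is an assumption of this sketch.

```python
from datetime import datetime

# All door names, badge IDs and times below are constructed for this example.
DOOR_ZONE = {"library-main": "A", "chem-lab-2": "B", "quantum-lab": "C"}
ENROLLED = {"staff-0412", "staff-0977", "student-2210"}      # Zone B: card or fob holders
NAMED_LIST = {"quantum-lab": {"staff-0412", "staff-0977"}}   # Zone C: named list per door
# Visitor pass: badge -> (host, registered doors, valid from, valid until)
VISITOR_PASSES = {"visitor-31": ("staff-0412", {"quantum-lab"},
                                 datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 12, 0))}

def decide(badge, door, when):
    """Return (allowed, reason) for one access attempt under the zone model."""
    zone = DOOR_ZONE.get(door)
    if zone is None:
        return False, "unknown door"                  # fail closed on unmapped doors
    if zone == "A":
        return True, "open zone"
    if badge in VISITOR_PASSES:
        host, doors, start, end = VISITOR_PASSES[badge]
        if door not in doors:
            return False, "visitor outside registered area"
        if not start <= when <= end:
            return False, "visitor pass outside validity window"
        return True, f"visitor hosted by {host}"
    if zone == "B":
        return (True, "enrolled card") if badge in ENROLLED else (False, "no valid card")
    if badge in NAMED_LIST.get(door, set()):
        return True, "named access list"
    return False, "not on named access list"

def audit(events):
    """Record every attempt outside Zone A, allowed or denied, as the audit trail."""
    trail = []
    for ts, badge, door in events:
        allowed, reason = decide(badge, door, datetime.fromisoformat(ts))
        if DOOR_ZONE.get(door) != "A":
            trail.append({"time": ts, "badge": badge, "door": door,
                          "allowed": allowed, "reason": reason})
    return trail

EVENTS = [  # constructed badge-reader events: (ISO timestamp, badge, door)
    ("2024-03-04T09:15:00", "student-2210", "library-main"),
    ("2024-03-04T10:30:00", "visitor-31", "quantum-lab"),
    ("2024-03-04T11:00:00", "student-2210", "quantum-lab"),
    ("2024-03-04T11:10:00", "visitor-31", "chem-lab-2"),
    ("2024-03-04T12:45:00", "visitor-31", "quantum-lab"),
]

if __name__ == "__main__":
    for rec in audit(EVENTS):
        print(rec)
```

Denied entries in the trail are the ones worth reviewing: an enrolled badge tried at a Zone C door, or a visitor badge used outside its registered area or time window.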
CCTV deployment should follow the same zoned logic – coverage at the transitions between zones, at vehicle access points, and at the perimeter of restricted research buildings. General surveillance of open-zone spaces creates GDPR compliance obligations and public trust issues without proportionate security benefit.
Protest and Demonstration Management
Universities face protest activity more frequently than most comparable institutions. Student protest, external activist targeting of campus events, and conflict-related demonstrations are all recurring features of campus security operations.
The legal framework governing protest management on campus is not straightforward:
- The Higher Education (Freedom of Speech) Act 2023 imposes duties on registered higher education providers and their students’ unions to take reasonably practicable steps to secure freedom of speech, and to maintain a code of practice on it. This has implications for how institutions respond to protest against speakers or events.
- The Prevent duty requires the institution to assess the radicalisation risk of speakers and events.
- The duty of care to students and staff requires the institution to manage the physical safety of anyone on campus during a demonstration.
These obligations sit in tension. Managing protest on campus requires a policy framework that addresses all three, with defined protocols for each scenario type, a communications lead who understands both the freedom of speech obligations and the safety obligations, and a security operation that is capable of facilitating lawful protest while managing the safety risk.
Personnel Security in the Research Environment
The NCSC/FBI/CCCS advisory identified insider recruitment as a primary state-sponsored intelligence collection method in academic institutions. This creates specific requirements for personnel security in research environments:
Vetting for sensitive research roles: Access to high-value research systems should be limited to individuals who have been appropriately vetted. This does not necessarily mean government security clearance – for many research roles, a robust pre-employment screening process (identity verification, employment history, academic qualification check, right to work) combined with an ongoing monitoring culture is the appropriate level. Where research is classified or directly relevant to national security, BPSS or SC clearance may be required and should be a condition of the role.
Reporting culture: Staff and students need a clear, low-threshold reporting mechanism for approaches they consider unusual – requests for information outside their normal professional relationships, social approaches at conferences that feel transactional, requests to share pre-publication research with external parties. The reporting mechanism needs to be simple, confidential, and trusted.
For the insider threat assessment methodology and the indicators of insider recruitment that security teams and managers should recognise, see our insider threat and corporate security guide. For the surveillance detection awareness that is relevant to academic staff travelling to conferences or international research meetings, see our surveillance detection in close protection guide.
Key takeaways
Research security requires a classified-assets approach to unclassified material
Most pre-publication academic research is unclassified but operationally sensitive – a competitor state acquiring it early has a strategic advantage, and the research institution loses the commercial value of its IP. The security approach should treat high-value pre-publication research with the same discipline applied to classified material: need-to-know access, system access controls, visitor management, and export control compliance. Many universities have historically not applied this discipline to unclassified but high-value research, creating significant vulnerabilities.
Protest and demonstration management requires a specific policy framework
University campuses are regular locations for protest and demonstration activity – both by enrolled students and by external groups attending or targeting campus events. Managing protest on campus requires a policy that addresses the institution's legal obligations (freedom of speech, Prevent duty, duty of care to staff and students), the operational response (security team briefing, police liaison, event management protocols), and the communications approach (who speaks for the institution and when). An ad hoc response to each protest event that has not been thought through in advance consistently produces poor outcomes – both in security terms and in the reputational and legal aftermath.
Visitor management for research buildings is not bureaucracy – it is security
An open-door culture in research buildings, where visitors are not formally registered and their access is not limited to the areas relevant to their visit, creates the conditions for physical reconnaissance, equipment theft, and the covert placement of devices. Visitor management systems that register visitors, issue time-limited access credentials, and record movement through restricted areas are standard practice in any environment where the assets have national security or high commercial value. For research institutions, this means the practical implementation needs to fit the academic working culture – not impose the visitor management protocol of a government building – but the core controls must be in place.
Student welfare and security are not separate functions
Universities' safeguarding, student wellbeing, and security functions often operate in silos. This creates gaps. A student whose behaviour is concerning from a safeguarding perspective may also present a security risk if they have access to research systems or physical areas. Reporting lines between welfare services and security teams need to be defined, with a clear protocol for escalation and information sharing that is compliant with GDPR and the institution's data protection policy.
Export controls apply to knowledge transfer, not just equipment
The Export Control Joint Unit (ECJU) and the Export Control Order 2008 apply to the transfer of goods, software, and technology – including technology in intangible form (teaching, training, providing technical assistance). Universities that involve students or researchers from certain countries in controlled research may be transferring technology in a way that requires an export licence. This is the “deemed export” concept, well-established in the US Export Administration Regulations (EAR) and increasingly relevant in UK ECJU enforcement. Universities should have an export control compliance programme that specifically addresses the academic research environment.
