Security for Universities and Educational Institutions | CloseProtectionHire


Universities face an underestimated threat profile: research espionage, foreign state targeting, protest disruption, and safeguarding failures. This guide covers the key security considerations.

1 May 2026

Written by James Whitfield

Security for Universities and Educational Institutions

Universities sit in an unusual position in the security landscape. Their function – open intellectual exchange, international collaboration, freedom of enquiry – is structurally in tension with the kind of access control and information security that a corporate organisation would apply to assets of equivalent value.

That tension does not make the security programme less important. It makes it more technically demanding.

The MI5 Annual Threat Assessment and NCSC guidance on academic institutions both identify universities as a high-priority target environment for hostile state actors. UK universities hold defence-relevant research, dual-use technology, and strategic intellectual property that represent significant intelligence value. They are also, by design, more open than the environments those assets would be in if held by a defence contractor or technology company.

Research Security and Intellectual Property

The highest-consequence threat to most research-active universities is the covert exfiltration of IP by foreign state-sponsored actors. This is not a theoretical risk. The FBI, MI5, NCSC, ASIO (Australia), and CSIS (Canada) have all published public statements naming hostile state intelligence programmes targeting academic institutions as an active and significant threat.

The UK’s NCSC published a joint advisory with the FBI and CISA in 2023, titled “Caution: Be Wary of Academic Partnerships with Foreign Institutions from Countries of Concern”, specifically addressing the threat to university research in the Five Eyes alliance. It names China’s Thousand Talents Programme as a specific state-sponsored recruitment mechanism for gaining access to sensitive research, and notes that researchers who participate do not always disclose the relationship or understand its intelligence implications.

The threat vectors used by hostile state actors in university environments:

Talent recruitment programmes. State-sponsored programmes offer financial incentives, honorary positions, and collaboration opportunities to researchers, particularly senior academics with access to sensitive IP. The recruits often do not realise they have been recruited into an intelligence relationship; the programme uses the framing of academic collaboration rather than espionage.

Visiting researcher placements. A visiting researcher with legitimate academic credentials and a plausible research purpose can gain access to laboratory environments, research data, and personal relationships with key researchers over an extended placement. The access they acquire in six months is difficult to undo after they depart.

Research collaboration agreements. Formal research partnerships between universities and foreign institutions or companies – particularly in China, Russia, and Iran – can contain IP access provisions that are not carefully scrutinised at the administrative approval stage. The commercial relationship provides legal cover for IP transfer that would not be approved if it were framed as information sharing with a foreign state.

Direct social engineering. Conference contact, professional networking platforms, and direct approach by individuals who present as fellow academics or recruiters are established methods for building relationships with researchers that can later be leveraged for information access.

Practical mitigations

IP classification is the foundational step. Identifying which research outputs are sensitive – defence applications, dual-use technology, commercial IP with strategic value – enables proportionate controls. Not all university research needs the same protection. The classification drives the access controls.

Due diligence on international partnerships is now a legal requirement in some cases under the National Security and Investment Act 2021 (NSI Act). The NSI Act’s mandatory notification regime covers certain acquisitions and research agreements in 17 sensitive sectors including AI, quantum technologies, advanced materials, and defence. Universities that enter research partnerships with foreign entities in these sectors without NSI notification where required face civil penalties.

UKRI grant conditions for certain funded programmes require applicants to conduct due diligence on international partners using the government’s Research Collaboration Advice Team (RCAT). The RCAT provides non-binding but informed guidance on whether a proposed collaboration with a specific foreign institution carries security risks.

Researcher awareness training is the most cost-effective mitigation for the social engineering vector. NCSC’s “Trusted Research” guidance provides a framework for delivering this training and is specifically designed for a university audience.

Physical Security on an Open Campus

The open campus model – where students, staff, and the public can move through most areas without credential checks – is a structural characteristic of most universities, not a failure mode. The security programme must work within it rather than against it.

This creates a distinctive physical security challenge. The controls that a commercial organisation would use – credential checks at entry, visitor management, zone-based access restriction – cannot be applied uniformly across a campus without fundamentally changing the institution’s character.

The result is that physical security in university environments relies more heavily on:

Targeted higher security for sensitive areas. Research laboratories handling dual-use technology, secure computing facilities, data centres, and buildings holding confidential research should be secured to a materially higher standard than the wider campus. Biometric or smart-card access control, CCTV coverage, and documented entry logs are appropriate for these areas even where the surrounding campus is open.

Behavioural detection. Security staff trained in conflict awareness and behavioural observation can identify individuals who are displaying pre-attack or hostile surveillance behaviours in ways that card-checking at every door cannot. This is a skills investment, not a technology investment.

CCTV coverage and management. A campus-wide CCTV system with adequate coverage of entry points, sensitive area approaches, and public spaces provides both deterrence and post-incident investigation capability. The management of the system – monitoring, retention, and response protocols – matters as much as the hardware.

Out-of-hours security. Universities have a 24-hour footprint of students and staff. The out-of-hours security model needs to be configured for this, with clear protocols for who is authorised to be in which buildings at which times and how unauthorised presence is challenged.

Visiting Speakers and Events Security

Universities host a wide range of speakers on contentious political, social, and intellectual topics. The legal framework under the Higher Education (Freedom of Speech) Act 2023 requires registered higher education providers in England to take reasonable steps to ensure freedom of speech is protected, which includes protecting visiting speakers from disruption.

The security implication is direct: for speakers whose topic or profile is likely to attract organised protest or disruption, a specific event security plan is required.

The planning starts with a threat assessment: what is known about the speaker’s specific threat profile (are there named individuals or groups who have previously disrupted events by this speaker?), what is the anticipated protest size and character (supervised protest or potential physical disruption?), and what is the venue’s physical configuration?

For most university speaking events, the security response is venue-based: a managed entry and egress process, briefed stewards, a defined exclusion zone around the speaker, and coordination with university security and, where warranted, local police. For higher-risk speakers, a personal security officer is appropriate.

The decision on whether to provide a speaker with personal security is the university’s responsibility under its duty of care. A speaker who is known to have received credible threats, who has previously been subject to physical intimidation at events, or who is appearing at a publicly advertised location in a contentious context warrants a security assessment.

Safeguarding and the Security Function

University security teams handle a volume and variety of incidents that commercial security operations rarely encounter: mental health crises, relationship violence, stalking, and events involving intoxicated individuals in residential and social settings.

This is not a peripheral issue. UK universities have been subject to significant criticism and legal exposure around failures in student safeguarding, including the Stella Maris Foundation / Student Minds data on student mental health, and the Universities UK report on tackling harassment (2016, updated 2021) which documents the prevalence of sexual harassment and violence on UK campuses.

The security team that operates only to its written physical security mandate – access control, patrol, incident response – and does not have protocols for mental health crises, safe space provision, and safeguarding referrals is not configured for the actual environment it operates in.

Training security staff in mental health first aid, implementing campus safe space provision, and ensuring clear referral pathways to university wellbeing services are operational requirements for a university security programme, not optional additions.

International Student and Staff Considerations

Universities with significant populations of students or staff from certain countries may face targeting of those individuals by their home state’s intelligence or security services. This is documented for students from China, Iran, Saudi Arabia, and Russia, where home-state actors have in specific cases monitored diaspora communities and exerted pressure on individuals to report on community activities or return home.

The NCSC’s “Protect Yourself Online” guidance for higher education institutions includes specific advice on this threat. Universities should provide clear information to international students and staff about their rights under UK law and the support available if they believe they are being monitored or pressured.

For the broader corporate context in which research security and IP protection sit, see our protecting trade secrets during international travel guide. For the physical security assessment methodology that applies to campus environments, see our physical security assessment guide. For the specific security challenges facing researchers who leave campus and conduct fieldwork in high-risk environments – duty of care obligations, GISF framework, digital security in authoritarian states, fixer vetting, and check-in protocol design – see our security for academic researchers and fieldworkers guide.

Source: NCSC (UK) and FBI and CISA Joint Advisory: Caution: Be Wary of Academic Partnerships with Foreign Institutions from Countries of Concern (2023). MI5 Annual Threat Assessment 2024. NCSC: Trusted Research guidance for UK universities (2024). UKRI Research Collaboration Advice Team (RCAT) guidance 2024. National Security and Investment Act 2021 (UK). Higher Education (Freedom of Speech) Act 2023 (England). Universities UK: Tackling Harassment and Sexual Misconduct in Higher Education (updated 2021). UK Home Office: Counter-Terrorism in Education (Prevent Duty) 2023.

Summary

Key takeaways

1. Research espionage is the highest-consequence threat

Defence and dual-use research is a primary target for hostile state actors. The theft is typically silent -- the university does not know the IP has been compromised until long after the event. Prevention requires access control, IP classification, and awareness training.

2. The open-campus model creates structural access control challenges

Most universities cannot apply the access controls a commercial organisation would use without compromising their academic function. This makes behavioural detection, CCTV management, and targeted higher security for sensitive areas the primary physical security tools.

3. Visiting speakers need event-specific security planning

Not all visiting speakers need the same level of security. The planning starts with a threat assessment based on the specific speaker's profile and the anticipated protest or disruption risk. A generic venue security plan is not adequate for a high-profile contentious speaker.

4. International research partnerships require due diligence

Research partnerships with institutions or companies in certain jurisdictions carry specific legal and security obligations under the National Security and Investment Act 2021 and UKRI guidance. The compliance function must be involved alongside the academic administration.

5. Student and staff safeguarding gaps can create security incidents

University security teams handle a disproportionate number of mental health crises, relationship violence incidents, and stalking cases involving students and staff. A physical security programme that does not address the safeguarding dimension is missing a significant proportion of its actual workload.

Frequently Asked Questions

The UK’s Centre for the Protection of National Infrastructure (CPNI) and MI5 have both publicly identified hostile state actors – primarily China, Russia, and Iran – as the principal source of research and intellectual property theft targeting UK universities. Defence research, dual-use technology (AI, materials science, quantum computing), and energy transition technology are the highest-risk categories.

The Higher Education (Freedom of Speech) Act 2023 and the National Security and Investment Act 2021 create direct legal obligations on universities. The NSI Act applies to certain research partnerships and IP transactions with foreign entities. UKRI (UK Research and Innovation) requires recipients of certain grants to conduct due diligence on international partnerships.

The main vectors: talent recruitment programmes (China’s Thousand Talents Programme, which the FBI and NCSC have both specifically named in threat reporting), visiting researcher placements, research collaboration agreements that give IP access rights, and direct social engineering of researchers through professional networks and academic conference contact.

Visiting speakers on contentious political or social topics face a combination of coordinated protest disruption (which can escalate to physical intimidation) and in some cases targeting by fixated individuals or politically motivated groups. The university owes a duty of care to both the speaker and attendees, and must plan security proportionate to the assessed risk.

Yes – and because of the open-campus model, the approach differs significantly from a commercial office assessment. Unrestricted public access to most campus spaces, 24-hour student presence, and the presence of high-value research assets in unsecured lab environments create a distinctive threat landscape that a generic commercial assessment misses.