According to Check Point’s Mid-Year Report for 2022, the education sector had 44% more cyber attacks than the year earlier. An average of about 2300 attacks against educational organizations were reported weekly.
These figures are alarming — though conservative by some estimates —- because the education sector is a prime target for cyber attacks due to a combination of valuable data, lack of cyber risk awareness, and significant, widespread vulnerabilities.
Why Do Cybercriminals Target the Education Industry?
Educational institutions are targeted for a number of reasons, primarily for the amount of personal student data that they handle, along with student loan information, confidential research data, and a lack of adequate cybersecurity.
From local kindergartens to internationally renowned higher education institutions, all educational organizations keep data on the learners enrolled with them. This data may include personally identifiable information, such as:
- Full names
- Street addresses
- Email addresses
- Phone numbers
- Grades and aptitude information
- Credit card details
- Social security numbers
- Student loan information
The bigger the organization, the more records it is likely to store. Unfortunately, from a cybersecurity standpoint, a larger organization is likely to have organizational and security challenges and large amounts of student data.
This means that threat actors know where they might find large amounts of personal data and where that data is likely to be easy to access.
Valuable Research Data
Universities often perform cutting-edge research and such intellectual property (IP) can be worth millions of dollars. While university researchers might think of the prestige of developing techniques and making discoveries, failing to think about cybersecurity to protect this research can make it vulnerable to data leaks and data breaches.
Cybercriminals able to access a network can steal IPs to sell on the dark web. Alternatively, they may encrypt the data as part of a ransomware attack, threatening to upload or destroy it if the institution does not pay.
Lack of Cybersecurity
The education sector is one of the slowest adopters of modern cybersecurity solutions typically due to a lack of funding which can lead to the use of outdated technology, limited resources to invest in cyber solutions, and ever-growing institution sizes. Public schools receive funding from the government, which in turn can result in many budget constraints, and in turn, cybersecurity is often deprioritized in favor of staff salaries, school resources, and infrastructure upgrades.
However, this has proven to be particularly damaging to educational institutions because cybercriminals often target the schools with the least funding since they typically have poor cyber defenses.
One recent example of this is Lincoln College, which shut down in 2022 due to a ransomware attack that crippled the entire school. Because the school was already facing budgetary issues due to COVID-19, the school would ultimately fail to recover from the cyber attack.
Biggest Threats to the Education Sector
Cybercriminals benefit from access credentials to gain access to a school or university network. The most common way for them to get such credentials is via a successful phishing attempt.
With the personal data acquired during a phishing attempt, cybercriminals can target more high-profile individuals with spear phishing and whaling attacks. Phishing is also a vector for malware, including ransomware.
Ransomware gangs are known to attack specific school districts as they will have researched their cybersecurity capabilities and how much ransom they can afford to pay. This research tells cybercriminals which school systems are prime targets for attacks.
Distributed Denial of Service (DDoS) Attacks
The education sector also has a significant risk of DDoS attacks, which could impact students trying to access learning resources or submit time-sensitive assignments online. DDoS attacks are meant to deny access to various websites or domains and force a server overload, which can significantly impact day-to-day operations.
This attack is a risk for all education facilities since the motivation is not normally financial gain but to cause disruption. A DDoS attack can impact the university’s ability to function and can lead to reputational damage.
Another reason DDoS attacks are a significant threat to the education industry is that it’s relatively straightforward to carry out such an attack compared to other cyber attacks. A disgruntled teacher or student could spearhead this attack successfully, especially if the educational institution were typically ill-prepared for cyber attacks.
University research is frequently scientific, medical, or engineering-related. The theft of this work can give a professional organization an unfair competitive advantage, giving them the knowledge without investing time and money into research. For this reason, cyber espionage is often funded by corporate entities.
Alternatively, a cybercriminal may be focused on data theft because they intend to sell the research on the dark web.
Reasons that the Education Sector is Vulnerable to Hackers
Several factors common to educational institutions make them more susceptible to cyber attacks and hackers than organizations in other sectors. These are as follows:
New Learning Technologies
During the COVID-19 pandemic, many schools and universities turned to remote working and remote learning to minimize the impact on their students. This increased attack surfaces by adding many new endpoints to education networks. These endpoints were frequently unvetted personal devices using unvetted connections.
The increase in endpoints combined with the rapid adoption of new technologies to facilitate online learning meant that networks increased in size and complexity without the corresponding increase in cybersecurity measures to protect them and their users.
Even long after the main thrust of the COVID-19 epidemic, business and education systems are struggling to maintain proper cybersecurity practices to monitor and protect their networks.
Cybercriminals know that many schools and universities lack the resources to defend themselves against their malicious activities properly. K-12 schools are particularly vulnerable due to low cybersecurity spending — less than 1% of their IT budgets — making them a top target for cyberattacks within the education sector.
While cybercriminals know that some schools will not be able to pay ransoms for access to compromised systems, they know that they nevertheless store personal data that can be valuable to cybercriminals wishing to perform identity theft or sell sensitive information on the dark web.
Lack of Cyber Risk Awareness
People working in the education sector tend to be less aware of cyber risk than other sectors. They are likelier to have an open attitude that inspires learning, collaboration, and sharing. Therefore, identifying phishing attempts and scams tends to be more challenging for individuals working in education than in other sectors, such as the tech industry or the finance sector.
Because of the lack of awareness regarding cyber risks, staff in educational institutions — hardworking but untrained in basic cybersecurity — are more likely to make decisions based on a solution’s effectiveness and convenience without considering the consequences of data protection.
Legacy Hardware and Software
Due to budgetary concerns and a lack of focus on cybersecurity in favor of collaboration and learning, educational establishments often use legacy software and hardware, which are vulnerable to cyber attacks.
Most software updates are security patches. Without performing updates, applications are at an increased risk of unauthorized access and compromise by hackers and cybercriminals.
Using old hardware might be cost-effective in the short term, but the major disadvantage from a cybersecurity standpoint is that cybercriminals have had plenty of time to learn the vulnerabilities associated with legacy hardware.
Furthermore, legacy hardware is no longer supported by software developers. Without updates to keep it secure, software and hardware become increasingly vulnerable and prime targets for hackers.
Large educational institutions like major universities have many departments that don’t necessarily communicate well with each other. It’s not unusual for department heads to acquire and install software and hardware unique to their department.
This structural issue leads to compatibility problems and makes each department harder to defend from cyber attacks. Without an overview of the network and the systems in place, any cybersecurity or IT professional will find it more challenging to identify the source of a cyber attack and remediate the problem.
Monitoring an establishment’s information system and ensuring proper security measures like privileged access management are also more difficult.
Without a standardized framework, information security policies, and cybersecurity practices, security gaps are probable, partly responsible for the higher incidence of cybercrime in education compared to other sectors.
Lack of Technical Expertise
Many educational institutions lack a cybersecurity department. In some school districts, no single individual may be responsible for full-time cybersecurity issues, such as protecting networks, monitoring access, and implementing security measures to protect sensitive data.
A general lack of cybersecurity resources and expertise increases the education sector’s vulnerability to attack. It lacks the personnel and technology to identify, prioritize, mitigate, and remediate vulnerabilities or unusual activity.
Educational businesses, especially higher education institutions, tend to have complex structures requiring technical sophistication to protect with a cybersecurity program.
Use of Personal Devices
Even when the educational establishment has tight security, these organizations must account for the fact that their student users will be using personal devices.
Whether they are accessing resources via smartphones, sending assignments via their laptops, or bringing USB drives to campus, students introduce many potentially vulnerable endpoints to the system daily.
What Educational Institutions Can Do to Protect Data
So how can educational institutions protect their most important data and prevent cyber threats from occurring?
Invest in Cybersecurity
At first, cybersecurity may not seem a priority in education, but the safety and security of users and staff must be prioritized, whatever the sector and whether that threat is physical or digital. Just as physical security is essential for staff and students, cyber security must be prioritized for the establishment's longevity.
A learning establishment is unlikely to achieve its goals without a safe environment to work and learn. The chances of a cyber incident are rising, so taking measures to minimize known and emerging cybersecurity threats is necessary.
Investing in cybersecurity means setting aside the time and money to perform a proper risk assessment that prioritizes the organization’s needs and acting on those findings, whether that means focusing on hardware, software, third-party IT security, implementing a trusted cybersecurity framework such as NIST, drafting information security policies, promoting cybersecurity awareness, or, typically, some combination of all these practices.
Follow Cybersecurity Frameworks
HECVAT is a security framework designed for higher education institutions, but it can also be adapted for any organization in the education sector. It helps schools better manage their cloud security, which has become a necessity in today’s world.
Other security frameworks can also be incorporated into the school’s cybersecurity program, such as NIST CSF, which provides general guidelines for helping organizations build stronger IT programs. NIST provides a set of guidelines and best practices for organizations to follow, which can significantly reduce the risk and impact of a cyber attack.
The first thing an educational institution should do to protect its data is to perform a risk assessment.
An organization can improve its security posture most effectively when it fully understands that security posture and what it means in the current cyber threat landscape and identifies what practices it should prioritize to make the biggest impact as quickly as possible.
A risk assessment, therefore, should identify the most likely risks and those that could cause the most damage. This information will guide the institution in its efforts to implement a cybersecurity framework and a vulnerability remediation system.
An internal risk assessment will also identify the key roles responsible for managing cybersecurity. However, cybersecurity mustn’t be considered the concern solely of a particular department. Everyone is a stakeholder in data protection. Everyone within an organization can do their part to reduce its cyber risk.
Awareness and Training
The human element is a significant factor in data breaches and leaks, and there is no sign that this will change dramatically. Even with artificial intelligence handling more processes and monitoring human activity, as long as humans are involved in a process, human error is a risk that must be addressed.
Many staff in the education industry are unaware of the cyber risks that surround them, making them and sensitive data more vulnerable to hackers and cybercriminals. If people don’t know a risk exists, it’s almost impossible to remediate it, so awareness training needs to be an early consideration.
Cybersecurity awareness training should begin during onboarding and may last throughout the employee lifecycle. Ongoing training ensures that staff members — especially those dealing with student data and other sensitive information — stay up to date with the cyber threat landscape and that their knowledge is up-to-date regarding how to identify, report, and otherwise respond to unusual activity, including phishing attempts, which are frequently vectors to malware attacks.
Develop a Cybersecurity Culture
Continuous training can be a significant part of developing a cybersecurity culture. Cybersecurity culture results from continuous cybersecurity awareness training alongside other initiatives to promote awareness and incentivize best practices.
In a mature cybersecurity culture, it is not unusual for cybersecurity to take center stage during meetings. Also, there is engagement from the board level and, from the top, throughout the organization.
This is required to create a workforce that is a line of defense against increasingly sophisticated, unpredictable, and persistent attacks.
One of the main challenges of implementing security measures in large educational institutions is the lack of a common framework. Individual departments tend to have unique ways of doing things, as well as individual hardware and software.
For better security, department heads are encouraged to communicate, collaborate, and work with IT personnel with overall responsibility for IT frameworks.
A unified IT framework is easier to monitor and defend. Cybersecurity personnel will be able to oversee privileged access management and ensure proper authentication is required for sensitive data.
With a single network, IT staff can also more easily apply the upgrades necessary to keep software and hardware up-to-date and safe from emerging cyber threats.
Establish Information Security Policies
Without clear information security policies, it’s too easy for individual departments and the individuals within them to go their way. It’s difficult to identify what went wrong during a cyber incident and fix the problem if everyone uses different security practices- or no security measures.
Information security policies must be transparent and easily accessible for everyone accessing the university network, including students and staff.
Implement Multi-Factor Authentication (MFA)
According to Microsoft, MFA can help prevent almost all data breaches. By requiring more than one form of authentication, typically a password, MFA makes it more difficult for a hacker or cybercriminal to access a system.
MFA is recommended, therefore, throughout the organization, for all users of the network. While it takes a little longer to get data access, it can significantly and rapidly improve a school, college, or university network.
Utilize Strong Passwords
While there are predictions that MFA will replace passwords, it hasn’t happened yet. In the meantime, staff and learners need to maintain strong passwords.
A strong password is a password that would take a long time for a hacker to crack. They normally consist of 8 or more alphanumeric characters, at least one symbol, and no words that you could find in a dictionary. By creating more complex passwords, hackers are less likely to be able to guess or use software to guess passwords.
Good cyber hygiene also involves maintaining unique passwords for each application that stores or accesses financial information.
Email credentials and other account passwords are often compromised for no individual fault. If a business is hacked and access credentials are compromised, hackers will typically try those access credentials against other accounts to see if they have been reused, potentially putting the user’s other accounts at risk.
Use a Firewall
A firewall monitors everything attempting to enter or leave a network. It can block harmful files and flag suspicious activity, making it an essential tool for protecting networks, large and small.
Having said that, the education sector tends to focus more on its perimeter security than what is going on within the network. While maintaining a firewall is essential, it’s also necessary to monitor activity on the network for unusual and malicious activity.
Organizations don’t necessarily know a hacker has gained access to a network the moment it happens. On average, it takes more than 200 days to identify a data breach, which can take several months to repair the system.
With a tendency to have large and complicated internal structures and workflows, it’s imperative that educational institutions implement continuous monitoring of their systems for malicious threat actors.
Consider Third-Party Risk
Third-party risk refers to the risk from software vendors and business partners that can impact the security of the educational institution. This might be a cloud storage provider, for example, or the provider of software used by administrative staff.
Businesses tend not to have a good grasp on the number of third-party vendors they use, let alone the security posture of those vendors. However, organizations increasingly need to understand how third and even fourth parties affect them.
The first thing for a business new to cybersecurity to do is to make sure they have adequate security measures by following cybersecurity best practices. As soon as possible, they should audit their third-party vendors, as they will remain at risk until they understand the risk profiles of those vendors and take steps to remediate or mitigate those vulnerabilities.
Use Virtual Private Networks (VPN)
Cybercriminals use VPNs to help hide their identities and locations. VPNs have legitimate uses, too, however, for individuals and businesses. They protect privacy and help people avoid being tracked by hackers and cybercriminals.
Using VPN software in educational establishments can help users avoid attacks such as man-in-the-middle attacks, in which communications are stolen or modified without the participants’ knowledge, and phishing attacks.
Encouraging students to use VPNs and avoid unsecured networks can help keep them and the networks they connect to safe from malicious activity.
Encryption is useful when a network has been compromised or a device has been lost or stolen. In the event of such an incident, encryption makes it much more difficult for hackers and cybercriminals to access sensitive data.
Decrypting data that has been encrypted with a strong algorithm requires sophisticated methods and tools so this practice can add a welcome level of protection to all sensitive and valuable data held by an organization.
Furthermore, it’s essential that all online communications and transactions over the web — such as filling in online questionnaires, transmitting evaluation information, or using debit or credit cards to pay for courses or accommodation — be carried out with Transport Layer Security, signified by the HTTPS and a closed padlock icon in the URL field of a browser.
Like encryption, data backups provide security and reassurance during or following a cyber incident. While all organizations prefer to prevent a data breach, they must prepare for cyber incidents.
With a data backup, an educational institution can restore copies of critical files, such as student enrollment information, examination results, and research data. Regular audits are required to maintain a backup and test the backup to ensure it works in circumstances where the educational facility or network is under attack.
Storing backups offsite via a cloud provider means that the data is not vulnerable to geographically-specific disruption, but it does require vendor risk management to measure the risk profile of the vendor.