Cybersecurity threats are pervasive and universal. However, certain industries are more vulnerable than others.
A recent report by Check Point Research stated that schools and research facilities experienced an average of 1,739 cyberattacks per organization each week in July 2021.
In 2020, the University of California, San Francisco was forced to pay $1.14 million after a ransomware attack. Several other leading educational institutions such as Michigan State University, Columbia College, and the University of Hertfordshire have faced major cyberattacks in the last couple of years.
Why Is the Education Sector Prone to Cyberattacks?
Unfortunately, schools and universities offer the ideal conditions to invite attacks from malicious actors.
1. Access to Sensitive Information
Educational institutions have vast volumes of sensitive information such as hiring contracts, student details, medical history, W-4 tax certificates, etc. Such information is often in great demand on the dark web. The rise of cryptocurrency has made such transactions even harder to catch.
Example of personal data for sale on the dark web
According to Emsisoft Research, criminals spend an average of 56 days snooping around compromised networks looking for the most valuable information. In addition to personal information, universities often have confidential research, which makes them a prime target for state-sponsored hackers. UK's National Cyber Security Centre (NCSC) reported that hackers are targeting UK universities to steal coronavirus research.
Due to such high-stakes information, breaches in educational institutions can cause severe reputational damage. This makes them a high-risk target for ransomware attacks.
2. Lack of Preparedness
A 2018 report by Security Scorecard referred to the education sector as the least secure of the 17 industries studied, particularly in patching cadence, application security, and network security. While post-Covid digitization has increased awareness of cybersecurity in the sector, it still lags behind most major industries.
Source: Security Scorecard
A novel cybersecurity challenge in the education sector is the consistent influx and outflow of a large number of students. So, the team structure evolves much more rapidly than a typical organization. This necessitates the need for robust security training and culture. At the same time, universities and schools require centralized policies to restrict access to people that move out of their system each year.
3. Widespread BYOD Culture
Universities witness widespread usage of various kinds of personal devices — smartphones, laptops, and tablets. BYOD (Bring Your Own Device) culture, while convenient and cost-effective, is a hotbed for cybersecurity risks.
For example, a student might download a malware-infected application that could easily pass onto the university network. Similarly, if proper security protocols aren’t followed, a stolen personal device can be used for serious data breaches.
BYOD also increases the risk of Shadow IT, i.e., the use of unauthorized IT systems for work without the knowledge of an organization’s IT department. According to a G2 Crowd report, 67% of teams have introduced their own collaboration tools into an organization, and 80% of workers admit to using SaaS applications at work without getting approval from IT.
4. Higher Attack Surface
A report by Endpoint Research found out that the total number of devices deployed across K-12 environments increased 74% from 2019 to 2020. The same report also stated this growth had led to a 39% increase in time spent online. Still, 47% of antivirus applications studied were ineffective in preventing cyberattacks.
The sudden digitization in the education industry post-Covid has outpaced the general state of cybersecurity in the industry, leading to an exponential increase in its threat surface.
According to The State of Ransomware in Education 2021 by Sophos, the typical educational institution pays an average $112,435 ransom payment to get data back and networks running again. Unless institutions take proactive measures to address cyberattacks, this number will continue to rise.
How Can Educational Institutions Upgrade Their Security Posture?
The above statistics indeed paint a grim picture of the state of cybersecurity in the education industry. However, there is a silver lining — Cybersecurity awareness in the industry is at a record high. Educational institutions all around the world are taking measures to boost their security posture. In the past year, Modus Create has helped several organizations in the education sector, such as Full Measure, Kaplan, K2, and PowerSchool, ramp up their digital presence in a secure way.
Here are a few ways educational institutions can upgrade their security posture:
1. Practice Good Cybersecurity Hygiene
Human error is the number one reason behind cyberattacks. You can have the best structures in place, but it’s impossible to prevent cyberattacks if the users aren’t educated in cybersecurity best practices.
Human error is unavoidable, and IT and information security leaders need to account for this by establishing security controls such as multi factor authentication; and gamifying awareness training by leveraging the internal pedagogical expertise of the institutions they support.
Phishing is one of the biggest threats to cybersecurity in educational institutions. Schools and universities must coach their staff and students to identify and report suspicious behaviors and have a clear mechanism for dealing with such complaints. It also helps to run mock phishing drills regularly to know how well the team is positioned to withstand similar attacks.
2. Beware of Legacy Tech
Today, several educational institutions use internal solutions to manage data or workflows. Therefore, it’s critical to ensure that the technologies used in those solutions are up to date. For example, a tool based on an unsupported version of PHP is prone to security vulnerabilities.
Educational institutions need to adopt a proactive approach to technology modernization. They can’t afford to modernize only when they are compelled. Similarly, it’s also important to shut down redundant tools that no longer serve their purpose. This helps in reducing the overall attack surface.
However, phasing out legacy tech is just one piece of the puzzle. It’s equally important to ensure that the new technologies are correctly implemented. For example, several traditionally cloud-averse industries including the education sector are moving to cloud-based SaaS applications from expensive tools hosted on-premises. Institutions must routinely audit, test, and strategically plan the lifecycle of the technology that they support.
3. Review Data Policy
User data is the primary motivation for most cyberattacks. Therefore, being aware of sensitive data collected is the first step towards improving the state of cybersecurity in the education sector.
IT departments at the university level usually comprise several employees across thousands of servers and applications of various use cases. A single individual does not have visibility into how the collective ecosystem is mapped.
Failure to comply with data privacy regulations such as CCPA and GDPR can lead to massive penalties for the education sector. In May 2018, the University of Greenwich was fined £120,000 for a “serious” data breach under the data protection legislation.
To reduce institutional risk and maintain parity with applicable privacy regulations, IT departments must understand how data is used, collected, processed, and protected. That’s why they need to be proactive in routinely meeting with application owners and departmental leaders to build relationships and understand how they are managing data.
4. Be Prepared for Fallout
With due diligence and proactive measures, the education sector can significantly reduce the risk of devastating cyberattacks. However, it will be naive to assume that any organization can completely eliminate the possibility of cyberattacks.
From student payment cards and building access to online learning access — a modern university’s infrastructure relies heavily on the state of its digital network. That’s why a major ransomware attack can completely cripple it. In September 2021, Howard University became yet another victim of a major ransomware attack and had to cancel its classes.
That’s why it’s equally important for organizations to plan for the repercussions of a cyberattack. Who should take charge in case of a cyberattack? Which authorities should be informed? How should communication be managed in case of a ransomware attack? These are valid questions to ask despite the best precautions. A timely and measured response can mitigate the impact of cyberattacks.
5. Engage with the Community
Modus Create’s Principal Cybersecurity Architect, Willian Reyor advises education institutions to actively get involved in the security community and learn from others. REN-ISAC, NERCOMP, EDUCAUSE, Security BSides, CHERIS, and Infragard are few communities for security professionals in the education sector to participate, volunteer, and share experiences.
Sharing best practices with the wider community accelerates the learning curve and helps understand the existing threat level in the industry.
Future Proof Your Cybersecurity
Cybersecurity is a journey and not a destination. No matter how robust your existing security posture is today, it is bound to weaken with time. That’s why it’s important to not just adopt new technologies but also foster a transformational mindset in your organization.
If you are interested in learning more about preventing cyberattacks, talk to Modus Create. Our security experts have helped some of the world’s leading organizations level up their security posture.
- Cybersecurity Matters More Than Ever in M&As
A robust security posture should be a strategic goal regardless of the size and nature…
- Security Assessment: Introduction, Process, and More
Learn more about our approach and process to a security assessment. Identify risks and get…