During the third quarter of 2022, approximately 15 million data records were exposed worldwide through data breaches. This is a staggering increase of 37% compared to the same quarter in 2021 (Statista).
In the UK, government statistics reveal that 62% of higher education institutions reported experiencing breaches or attacks at least weekly in the previous 12 months.
There is a misconception that hackers and cyber criminals only target large commercial enterprises and multinational organisations that are holding vast swathes of data or commerce. We know this is patently not the case. Cyber criminals will target any institution or individual if they can see some gain in return.
Many institutions in the education sector are slowly but surely catching up to the cyber risks of the modern world and scrambling to protect themselves from cyber attacks such as ransomware, brute-force attacks and phishing aimed at both staff and students. However, many have still fallen victim to cyber attacks with big consequences.
As many educational institutions shifted to remote online learning, we saw a further increase in cyber attacks against them. Personal computers, unsecured networks, and lax security behaviours in the home have greatly increased the threat vector of the education sector.
Types of cyber attacks the educational sector is vulnerable to
Before we get into the reasons why cyber criminals are targeting the education sector, we should look at the type of attacks we see most often.
- Distributed Denial of Service (DDoS) attack: the most common attack against educational institutions, DDoS attacks interfere with an individual or organisation’s internet connection and network, drastically slowing down online productivity. This can be particularly damaging for universities as they rely on online submissions and portals for much of their day-to-day minutiae. Network security provider Netscout has revealed a 102% increase in DDoS attacks targeting universities, colleges, and professional schools.
- Data theft: cyber criminals also target and steal data from educational institutions. Targeted data includes student information like addresses, and personal information of both students and teachers including credit information and government identifiers. A Sophos report reveals that education is the sector least able to stop data being stolen and encrypted during an attack. Higher education reported the highest rate of data encryption at 74%.
- Ransomware attack: In 2019, more than 1,000 US schools were hit by a ransomware attack, with one school (Rockville Center School) paying more than $88,000 to receive a decryption code for ransomware-encrypted files (Stealth Labs). Often, cyber criminals are looking for monetary gain, and the best avenue for them to achieve this is a ransomware attack. In this instance, a hacker will either steal sensitive information and hold the organisation to ransom for its return, or block the school’s access to a particularly important section of its infrastructure until it pays up. Sophos’ The State of Ransomware in Education 2022 Report reveals a 56% increase in ransomware attacks in lower education and a 63% increase in higher education.
- Phishing: a common attack against all industries, this social engineering attack often preys on the insecurities of students or the lack of security training in staff and teachers. Stealth Labs reveals that 30% of users in the education sector have been the victim of phishing. This is double the rate of the general population.
Why are cyber criminals targeting the education sector?
There are a few reasons cyber criminals are targeting the education sector. These reasons and motives vary depending on the size of the target and the given value placed on their data, finances, or reputation. As a result, educational institutions must evaluate individual risks rather than protect against a seemingly “common” threat.
We will be running through some of the main reasons for cyber attacks on the education sector to contextualise the cyber risk factor both staff and students face in the education sector.
- Reputation attacks: large, globally respected organisations can be crippled by cyber attacks such as brute-force attacks and ransomware. This has a knock-on effect on the brand reputation the trusted institution has built up over the years. Reputation attacks can sometimes go together with espionage attacks as a third party tries to undermine an institution’s authority and trust. As a result, every education provider should provide cyber security awareness training and materials for both students and teachers, and put a cyber incident response plan in place in case a breach occurs.
- Limited budgets lead to easy targets: because many school systems and educational circles have yet to catch up to the importance of cyber security and security awareness, they are often left to deal with cyber threats with a very minimal and limited budget. Cyber protection, both technically and behaviourally, requires constantly updating technologies and refreshing advice to reflect emerging threats. If an organisation’s decision makers are not aware of cyber breaches and their consequences, they will leave their institution vulnerable.
- Lack of technical staff: when we talk about the education sector, we are obviously talking about teachers, students, and administrators … but what about tech support? Whilst many educational institutions are now employing tech staff, many have yet to even make this decision. Cyber criminals will target organisations they know are lacking in technical intelligence in the hope they can prey on unaware students and teachers.
- Tech reliance post-COVID-19: As a result of the COVID-19 pandemic, many organisations in the education sector had to go online. With more people now using online platforms for teaching, learning, and submitting, the attack surface and number of potential targets dramatically increased. In fact, Accenture has revealed a 125% increase in cyber incident volume since the beginning of the pandemic. Whilst much of the education sector used to deal with physical classrooms and tests, now we have online seminars and learning from home, which makes it far easier for cyber criminals to be successful in their attempts.
- Lack of cyber preparedness: In a Stealth Labs survey of 17 different industries, the education sector ranked dead last in terms of cyber security preparedness. The survey reveals that the education sector is vulnerable in endpoint security, security awareness levels and software updates. The three vulnerabilities are a hacker’s dream cocktail for a target.
- Stockpiles of data: data theft is common in the education sector as schools sit on a treasure trove of data. Data on teachers, staff, students, and sometimes even parents. Cyber criminals can get their hands on addresses, social security numbers, financial applications, and even banking information. Threat actors can then sell this data on the black market. In March 2018, over 300 universities worldwide suffered a giant cyber attack from nine Iranian hackers. According to the official report, hackers stole and exposed “31 terabytes of valuable intellectual property and data” (Sys Group).
What can the education sector do to protect against cyber attacks?
Like any industry, there is always an answer for cyber threat protection – no matter how limited your budget or resources may be. You need to:
- Provide cyber security awareness training to everyone in your school: make sure students, teachers, and staff all complete security awareness training on the most common cyber threats they may encounter so they know how to spot suspicious activity, how to resolve it, and – if worse comes to worst – how to report it if they still fall for a cyber threat.
- Multi-factor authentication or 2FA: At TSC, we believe multi-factor authentication should be standard security practice. Multi-factor authentication places another layer of security on every portal that requires a login. With multi-factor authentication, every individual will be prompted to enter a password first, followed by a second form of identity authentication such as a push notification on a trusted device or another numeric code. This is such a simple solution, but if you can educate staff and students on the importance of multi-factor authentication, you give them a massive head start in their cyber security awareness levels.
- Install protection against ransomware, phishing, and DDoS: whilst good, consistent, and engaging cyber security awareness training will do wonders for protection against ransomware attacks and phishing attempts, it is also helpful to install protection against DDoS and brute-force attacks. A few basic and cheap pieces of security software can keep your networks and systems safe – but keep in mind that the tool is only as effective as the person wielding it, once again highlighting the importance of consistent security awareness training.
- Cyber breach simulations: Running regular live drills using mock cyber attacks can be highly effective in preparing for and protecting against a real attack. When we conduct regular fire drills, it is to teach a behaviour and a way of acting in an emergency to a mass group of people. Why can we not apply the same principles to a cyber attack? By running live cyber attack drills, you can check if your security awareness training and technical defences are up to standard and working the way you intend them to. Furthermore, running simulations can highlight gaps in your security culture – which can then inform your cyber security awareness strategy moving forward.
The education sector learns of the harsh reality of cyber attacks
Cyber attacks can happen to anyone and any organisation, no matter how big or small they think they are. Therefore, it is important for the education sector to take into consideration the types of attacks they are vulnerable to and how they can strengthen their security awareness levels with training for staff, teachers, and students.
87% of UK educational institutions have experienced at least 1 cyber attack with one-third of UK universities hit by a cyber attack every hour! (VMware)
The growing rate of cyber attacks on the education sector is mostly down to the explosion and success of ransomware-as-a-service (RaaS). As RaaS attacks do not require much skill from the attacker to deploy, this type of attack is common and is the one we see most often in the education sector.
And whilst cyber insurance is especially important and will pay out in most claims, it is getting harder for organisations to get cover as attack rates increase. If an organisation is left with an insurance coverage gap, it is left exposed and vulnerable.
Therefore, educating staff, students, and teachers on emerging threats and safe security behaviours is simply necessary.
After all, education is key.
If you would like more information about how The Security Company can help your educational institution stay safe and deliver phishing and ransomware security awareness training for your staff, teachers, and students or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley.