Cyber security has long been a challenge for the Education sector, but with the recent increase of cyber attacks against academic institutions, awareness and action is urgently needed now more than ever.
Schools and universities can be lucrative targets for cyber criminals, both in terms of data and money. If hackers gain access to a school network, they can acquire all kinds of data including teaching resources, financial records, and staff, student and parent information. What we have then seen in the recent rise of ransomware attacks, is the hacker demanding a sum of money to prevent the data being released to the public or the Dark Web. When schools have an important responsibility to safeguard their students, this can be a particularly worrisome consequence of a cyber attack.
The National Cyber Security Centre released multiple alerts between September 2020 and June 2021 to help bring the ransomware threat to schools’ attention and encourage action.
“This is a growing threat and we strongly encourage schools, colleges, and universities to act on our guidance and help ensure their students can continue their education uninterrupted.”
– Director of Operations at the NCSC
These attacks often start out with a phishing email to an unsuspecting target active on a school’s network, which may be a student or a member of staff. If the email successfully convinces the recipient, malware can enter the school’s IT systems, encrypting files and data and rendering them inaccessible until the school pays a ransom, usually in the form of cryptocurrency.
The pandemic has exacerbated this threat for the sector, with many schools forced into an online environment with little time to prepare. Cyber criminals were able to attack a school’s network through remote access systems like remote desktop protocol (RDP) or virtual private networks (VPN) and exploit out-of-date software and poor password security.
According to Government figures, in the last 12 months, 36% of primary schools, 58% of secondary schools, and 75% of universities have experienced a cyber attack. These numbers are of course much too high, but maintaining a fully secure environment is no easy feat for education institutions.
Although educational institutions are starting to see the importance of cyber security, most struggle with tight budgets and usually other priorities end up having to take precedence over cyber security. Cybercriminals know that schools are not well funded in this area, making them ‘soft’ targets.
The volume of devices on a school network and students using their own mobile devices further adds to the cyber security challenge for the education sector. BYOD can be a security nightmare for IT departments because students’ devices are unlikely to be secure to an adequate standard, increasing the chance of data leakage and malware infections. Both students and staff lack proper cyber awareness training further weakening the defence against cyber attacks.
Tackling the cyber threat
Educational institutions need to take a holistic view towards cyber security and risk management. The most important first step schools can take is to assess their current security posture and address common points of failure. Since resources already run thin, it is a good idea to highlight the most problematic areas so you know where to focus them.
Vulnerability audits can help to give an entire overview of one’s estate and where the key risks lie. Although a cost, the in-depth analysis and insight gained is crucial to overcoming cyber threats. One of the most common vulnerabilities found, for example, are end-of-life operating systems – ones that are no longer supported and receiving security updates. Without locating these on your network, you wouldn’t even know this was an issue before it was too late.
Schools need to also address where most cyber attacks start – the people. While it can be difficult to deploy full scale cyber training programs for staff and students, greater attempt should be made to educate those using your network about the most common risks and how to respond to them. For example, exploiting passwords is a very commonly used tactic for cybercriminals, so users can make a world of difference by creating strong passwords for accounts and applications. Adding an extra layer of security with multi factor authentication will also help to protect an organisation from breaches. Cyber security awareness should be made a part of school culture, delivered throughout the school year to keep it fresh in staff and students’ minds.
Without specialist knowledge and expertise, managing cyber risk can be daunting for educational institutions, so looking to cyber security standards can be a helpful way ensuring your organisation is covering the core security basics – before doing anything else. The Government’s Cyber Essentials standard is recommended by the Department of Education to all UK schools and universities wanting to lay down these foundations. By aligning with the Cyber Essentials technical controls, schools are able to reduce cyber risk by 80% and ensure better data protection and safeguarding. The certification can even be a prerequisite for certain grants and funding.
With limited resources and funds and an ever changing cyber threat landscape, it will always be challenging for the education sector to manage cyber risk. But understanding the vulnerabilities, getting the basics right and advocating cyber vigilance within schools, can offer institutions the best chance of protecting themselves and their students against cyber attacks.