No matter if you’re at the helm of the network of an Ivy League college or a K-12 school district, cybersecurity is incredibly important. While school safety has always been a number one priority, the issue with cybersecurity is rather new. With education institutions amassing millions of dollars in their budget every year, but only maintaining small IT teams, cybersecurity threats have become amplified in both quantity and complexity.
Of course, cybersecurity threats have been a part of the conversation on school safety for a while. However, there is a lot of misunderstanding and disinformation that still prevail in the discussion regarding cybersecurity threats in education institutions. Let’s look into these common security threats and what these institutions can do to steer clear of a breach.
Importance of Cybersecurity within Education
Damage related to cybercrime is projected to hit $6 trillion by 2021 (annually). These damages do not exclude educational institutions. Since schools collect and digitize a plethora of sensitive information on every one of their students to make it easier for educators, it also opens the door for bad actors to take a peek too.
It doesn’t matter if it’s health data, academic and financial records, or something much more generic, a breached student record can provide malicious actors with all the data they need on a student to carry out whatever plans they have. Although hackers are becoming more adept at accessing student and school data, the education industry has failed to keep pace with data protection.
Overall, these hacks can be attributed to weaknesses in educational institution application security, endpoint security, patching cadence, and network security. Given the complexity of today’s educational institution networks and the threats to their security compared to only a decade ago, it’s apparent that traditional antivirus solutions are just not going to cut it anymore.
Why are Educational Institutions Targets for Cyber-Attacks?
Firstly, the most expensive component of a cyber-attack is information loss, which represents 43 percent of costs. With budgeting being a primary struggle for public education institutions, the threat of cyber-attacks lurking just around the corner is a very real scenario. This is because these public schools primarily focus on using the majority of their budget to their core curriculum, leaving cybersecurity to be more of an afterthought.
Due to the budgetary restraints that educational institutions put on their cybersecurity budgets, this typically means that their IT infrastructure is consistently outdated and easily penetrable by cybercriminals. These legacy systems are nearly impossible to update since they are no longer supported by patches.
The teams that monitor these legacy systems are also ill-equipped to do so since they have not been given adequate cybersecurity training. Due to this, networks to operate using default passwords that don’t operate under multi-factor authentication (MFA) protocols which leave them open to cyber threats from many attack vectors. With a rotating roster of new students and sometimes personnel each year, there’s a larger and more open attack surface for criminals to infiltrate.
Educational institutions also allow students and staff the ability to connect to the school network from their personal devices on-premises and at home. We know that this type of ipso facto Bring Your Own Device (BYOD) policy doesn’t bode well with organizations that maintain a team of dozens of IT professionals. That means that it definitely doesn’t work with educational institutions that maintain minimal staff and budgeting to combat this very measure.
What are Educational Cybercriminals After?
In one word: data. Schools collect and store valuable, sensitive data on their children and staff members, from allergies and learning disorders to grades and social security numbers. With data now being the most valuable asset in the world (passing oil in 2017), hackers are targeting schools and holding them ransom for their data or selling it for high-profit margins on the black market.
According to a recent survey, 43 percent of all educational institution detections were adware-based, while 25 percent were Trojans. What’s more is that in 2018, education was the top sector for Adware compromises with Emotet, TrickBot, and Trace trojans being particularly active in education in early 2019.
These sneaky network pollutants are typically disguised as, or embedded in, non-malicious software, whereupon clicking or downloading the deceptive link or software can infect the electronic device. Typically, adware uses an underhanded method to either disguise itself as legitimate, or piggyback on another program to trick the user into installing it on their PC, tablet, or mobile device.
Although trojans represented a smaller percent of ransomware compromises in education in 2018, the trends show that these cyber-attacks are on the rise since the year prior. In fact, it was found that more than one in three compromises were detected on devices plugging in as a guest on the network with trojans increasing in prevalence by 132 percent from the previous year.
Phishing is a technique when a person receives what looks to be a legitimate email asking to click on a link to either learn more about a specific topic of interest. These emails might call for a verification of personal accounts, permission to use personal details, or their user password. As hackers have become more crafty in their social engineering attacks in recent years, these phishing attacks have been more difficult to spot and circumvent.
These sophisticated attacks are starting to use machine learning (ML) and artificial intelligence (AI) to quickly craft and distribute convincing phony emails. These bad actors implement these types of programs in hopes that their efforts may be able to compromise an educational institution’s networks and systems.
The most common form that phishing attacks take in education are emails that are made to look like they have come from deans, principals or other administrators, asking for contributions, donations, or the user to reset their password. Even though these emails look very official, the nature of the email usually raises eyebrows for most users, leading them to double-check the source and eventually mark the email as spam. Those who are not as skeptical about the source of these phishing emails will be the most likely to click through, divulge sensitive information, and compromise personal or financial information for themselves and their educational institution on a massive scale.
Educational institutions can sidestep these types of malicious attacks by implementing a spam filter that recognizes all the spamming and phishing automatically. Keeping email accounts and passwords on lockdown that also take into account filters that help to get rid of these spam messages is a good second step.
The best way to deter phishing emails though is to stay alert when opening emails in your inbox. Steer clear from passively clicking links in emails that you don’t know the sender or responding to strange emails marked URGENT from an administrator or high ranking official who you know for a fact never sends emails like that, goes far in helping your organization stay out of harm’s way.
Although many phishing attacks can be diverted with the help of some common sense and intuition, human factors still are the root cause of many cybersecurity disasters in education. Since, unlike machines, people are not perfect and have many factors that contribute to their decision making processes. The human factor plays heavily into these disasters as many of those responsible for sizable educational institution data breaches have a rather poor understanding of the cybersecurity as a process.
Since many of the staff for educational institutions on the front line are teachers due to budgetary accommodations, that means that they must wear a variety of hats. No longer can educators get by with just knowing how to teach their subject(s). Most teachers in modern schools need to be well aware of the effects of online bullying, constant texting during classes, and other new policy developments.
Due to budgetary restrictions on cybersecurity budgets, many of the teachers and front line staff members lack the necessary cybersecurity training. This training is important as it helps them practice good cyber hygiene to ensure they do not accidentally compromise their network via a cyber-attack.
The key solution to deter this type of human factor cyber ignorance is to keep education staff members educated about the danger of such security breaches and the ways that they can prevent them. Keeping access to important data restricted access restricted and blacklisting compromising websites that are unnecessary for the education process are good first steps towards keeping human factor-based cyber-attacks from happening.
We’ve all heard about the destructive ways of malware at some point in our past. Either it’s been from an article online or from a friend or coworker who personally experienced a malware-based cyber-attack. Unlike phishing, malware is much harder to spot right away as it can take multiple forms and be spread through various methods quickly.
Most times, victims notice the malware as a type of virus that takes control of their device and changes their system in many ways. In the case of an educational institution though, malware typically attacks the entire system after gaining access through a single individual’s device that is linked to the network.
Malware isn’t something that should be taken lightly since the average cost of a malware attack is a staggering $2.4 million. Thankfully, taking a proactive approach to school cybersecurity by deploying anti-malware and anti-phishing technology, ensuring IT systems are backed up, implementing multi-factor authentication, and offering user training can make a big difference.
Top Tips for Securing your Education IT Network
Education is challenged by the fact that cybersecurity systems need to be maintained indefinitely and that what it takes to maintain security has continued to evolve over the years. With the challenges of poor funding and a lack of resources, the education sector should focus their efforts on minimizing the risk of a cyber-attack, rather than a reactive attitude after one has happened. That is why it is best to create an organization based on a secure cyber posture built on the back of cybersecurity training and multi-factor authentication (MFA) infrastructure to succeed.
Instead of constantly playing “whack-a-mole” with network vulnerabilities, take a proactive approach with your educational institution by providing basic training for all users on your network. Getting your organization up to speed on cybersecurity training will help them learn best practices for spotting the self-mitigating terrible cyber-attacks on the spot.
Cybersecurity training doesn’t necessarily have to be something that is an extensive team-building exercise (although if you have the budget for that level of training, that would be great). It really can be as simple as sharing a handbook with staff and students, including information about what to look out for, and tips for practicing good cybersecurity hygiene. You could even follow this up with including a cybersecurity tip in the monthly or quarterly newsletter that is sent out to students or faculty.
Multi-Factor Authentication (MFA)
Although academic institutions have policies and procedures about not sharing passwords, they typically are not strictly enforced. This leads to a growing culture where password sharing amongst students is commonplace. Since these policies are not adequately enforced, students do not know how their actions could possibly lead to a major security breach with sensitive and confidential information falling into the wrong hands.
That’s why one of the most effective ways to stop users from sharing passwords is to clamp down on concurrent user logins. This way, students can’t get access to the system until they, themselves, are logged out. If you add Multi factor Authentication on top of that as an added security measure, this will add another hurdle that most students will internally reference and choose not to share their passwords with others.
Combatting Cybersecurity Threats Takes a Team Effort
With the increasing frequency and potential severity cyberattacks pose to the education sector, it’s crucial that IT professionals work together to find a solution to these common cybersecurity challenges. Even though funding issues are rampant and cybersecurity budgets in education are slim, the act of including an extra security step for users who are logging onto the network just might be enough to help prevent unauthorized access.