Let's discuss cyber security for the education sector

The Education sector is now one of the biggest targets for cyber attacks, particularly since the start of the COVID pandemic in 2020.

In a survey conducted by the UK Department for Digital, Media and Sport, the Education sector experienced one of the greatest number of cyber attacks compared with other industry sectors with over 80% of further education institutions identifying cyber attacks or data breaches over the last 12 months. 

The recent spate of cyber attacks and data breaches have seen schools and universities grind to a halt, taking major systems offline and impacting classroom learning.

In March 2021, 15 secondary schools based in Nottingham were unable to access emails or their websites after a central trust that manages their systems was hit by a cyber attack. In another major incident, the DoppelPaymer crime gang claimed responsibility for a security incident that affected Newcastle University’s network and systems. Newcastle University reported "it will take several weeks" to address the issues.

Meanwhile, UK’s National Cyber Security Centre has highlighted its concern by releasing a security alert and universities, warning that cyber criminals are targeting the education sector and that schools should remain vigilant. Given their relative vulnerability, more ransomware attacks targeting the UK education sector are expected to ramp up.

The impact of a cyber attack on educational institutions goes beyond basic data theft and into major operational disruption and damage to brand and reputation. Therefore, now more than ever, it is vital that schools and university leaders understand the cyber risks they face and are adequately prepared to deal with a cyber incident.

What Makes the Education Sector Vulnerable to a Cyber Attack?

A data treasure chest for hackers and cyber criminals

Education institutions store and process huge volumes of sensitive student and staff data, scientific and research information, payment details, intellectual property, strategic partnerships, information on third parties ... the list goes on.

Many institutions are involved in valuable research or support highly sensitive government research contracts. In a world where knowledge exchange and academic freedom are core foundations, this huge 'data treasure chest' is a massive target for cyber criminals who plan to sell the information to a third party or use it as a bargaining tool and extort money.

Doing more with less

Many schools are struggling with a lack of budget and resources and are often forced to do more with less. Some of the security tools used in schools (and universities) are fairly dated and often not kept up to date. Cyber security doesn’t require investments in the best and most expensive tools. However, a lack of budget or a lower priority for security protection investments can lead to major vulnerabilities and impact a school’s ability to defend against cyber attacks and data breaches.

Melting point of devices and 'always on' connectivity

The sheer number of new students joining schools, colleges and universities, coupled with a melting pot of data assets and a relatively 'open' technology environment, introduces a plethora of cyber risks. The network is already seen as difficult for administrators to effectively secure due to ever-increasing numbers. Everything from printers to laboratory equipment is also becoming increasingly connected with the need to exchange data 24/7, 365 days. This leads to an increasing ‘attack surface’. Think of a house with a huge number of windows presenting opportunities for a burglar to break in.

Lack of cyber awareness culture

Unfortunately, cyber security is still largely seen as a technical IT issue in the Education sector, as opposed to an enterprise-level risk. Human error is the number one cause of data breaches from cyberattacks, with 52% of incidents directly attributable to this.

This is no longer the sole responsibility of the IT Department. Everybody in an academic environment has a role to play in protecting data and information, whether they are a vice-chancellor or a student. Human error and culture play a massive role in cyber resilience, and at a time where staff feel they are not sufficiently trained to practice good cyber hygiene, the importance of a strong awareness culture in the Education sector cannot be underestimated. The same cultural awareness must extend to student environments.

Threats and Motives

The Education sector faces an evolving myriad of cyber threats ranging from simple Phishing attacks to DDOS attacks and malware. Phishing scams have also been prevalent in universities for a number of years. These take the form of an email or instant message designed to lure the user into clicking on a link or downloading an attachment in order to release personal credentials or sensitive research data.

During the start of the pandemic and subsequent shift to remote teaching, there was a huge uptake in Zoom. Cyber criminals took advantage of this by directing users to fake versions of the Zoom website, or sending them malicious executable files which appeared to be Zoom software. 

Motives for recent cyber attacks in the Education sector range from basic data theft to financial gain and espionage. APT (advanced persistent threat) groups have also been known to target sensitive intellectual property for economic political espionage, while 'hacktivists' have defaced and disrupted websites as a method of protest or to call attention to a certain cause.

How Should the Education Sector Move Forward?

At a time where the global pandemic has already stretched academia resources beyond limits, university and school leaders must focus relentlessly on cyber security, especially as schools and universities start to move back to classroom environments.

The UK Department for Education (DfE) recently announced that it is working on a cyber security tool for schools. This self-assessment tool for schools will help identify areas of potential weakness and what steps can be taken to mitigate cyber risks. DfE is aiming to make it available for the next academic year.

Apart from implementing basic technical measures such as end-point protection, patching and application security, school and university leaders need to play an active role in cyber security programmes and must be able to ask the right questions, such as: 

1. Do we have a named individual or group accountable for cyber security for our school/university?
2. Do we have cyber security included as a major risk on our latest risk register?
3. If we had a cyber attack, how soon would we know? Do we have effective monitoring systems in place to know when a breach has occurred?
4. How are we raising awareness of cyber threats amongst our staff and students? How are we measuring the effectiveness of this training?
5. Have we identified the high-value critical assets within our digital estate and how confident are we that they are secured appropriately?
6. Do we know who to contact if we become a victim of a cyber attack (e.g. ransomware)?
7. Do senior staff have a good understanding of the cyber security threats and their potential impact (e.g. social engineering, phishing etc).
8. How effective is our cyber incident response process and when was it last tested?
9. Do we have a disaster recovery and business continuity process and if so, when was it last tested?
   
10. Do we have cyber security insurance?

It is crucial that education institutions take the time to review their current cyber security posture and develop a holistic cyber strategy that spans people, process and technology.

Not sure how to get started? Book a demo of our software at a time that suits you.