- Security TWENTY
- Women in Security
Education institutions need to make cybersecurity a priority, writes Adrian Jones, CEO of two-factor authentication product company Swivel Secure, pictured.
Despite the sector facing major challenges such as a lack of staffing and a lack of funding and resources, cyberattacks are no less frequent or less severe in education. In fact, they seem to be gaining ground in prevalence year-on-year as instances of breaches in schools and higher education are widely reported.
In recent years we’ve seen news of ransom attacks causing financial damage – like that on the University of Calgary where the institution allegedly handed over $20k to cyber criminals, and malware attacks causing mass disruption – similar to the disruption which, apparently, caused the Minnesota School District to shut down for a day while IT professionals rebuilt the system. The more worrying breaches are where student safety is compromised. Educational institutions are entrusted to safeguard their students, many of whom are minors, but a weak cybersecurity infrastructure can put them at risk.
This was made all too clear when the CCTV in several schools in Blackpool was allegedly breached, and the footage reportedly livestreamed on the internet. It’s an unfortunate fact that, while cybersecurity in Education is necessary to protect against financial loss and prevent disruption, it’s also crucial to protect students from harm.
Which is why the sector needs to do everything it can to ensure their applications and systems are protected, and work to overcome any challenges.
In this article, we’ll look at the state of cybersecurity in education. We’ll discuss the most common reasons for attack, the highest threats and the main challenges facing the sector to help you understand why cybersecurity needs to be a priority, and how you can make it a priority for your educational institute.
Why a target
There are four key reasons why Education is a target for cybercriminals. With education venues varying in size, purpose, and stature, the motives for attack can vary too. For example, what might be a common threat for world-renowned Universities/Colleges might not be an issue for schools or school districts. So, institutions need to evaluate the risk and understand what data is vulnerable to unauthorised access.
DDoS attacks – Distributed Denial of Service, or DDoS attacks are a common type of attack on all levels of Education venue. This is where the attacker’s motive is to cause widespread disruption to the institute’s network, having a negative effect on productivity.
This can be a relatively easy attack for amateur cybercriminals to carry out, especially if the target network is poorly protected. There have been instances of students or teachers successfully carrying out a DDoS attack, with motives ranging from simply wanting a day off, to protesting the way a complaint was handled.
Data theft – This is another attack affecting all levels of education because all institutions hold student and staff data, including sensitive details like names and addresses. This type of information can be valuable to cyber criminals for several reasons, whether they plan to sell the information to a third party or use it as a bargaining tool and extort money. The concerning aspect of this type of attack is that hackers can go unnoticed for long periods of time. As was the case at Berkeley, where at least 160,000 medical records were allegedly stolen from University computers over a number of months.
Financial gain – Another motive for hackers carrying out an attack on an education institution is for financial gain. This might not be as high a risk for public schools, but with private institutions and Universities/Colleges handling a large number of student fees, they’re a prime target for cybercriminals.
Today, it’s usual for students or parents to pay fees via an online portal, often transferring large sums of money to cover a whole term or year of tuition. Without proper protection or preparation on the part of education institutions, this presents a weak spot for cybercriminals to intercept.
Espionage – The fourth reason why education is a target for cybercrime is espionage. In the case of higher education institutes like Universities/Colleges, they’re often centres for research and hold valuable intellectual property.
Universities/Colleges need to be suitably protected, as it’s thought that scientific, engineering and medical research by UK universities has been previously compromised by hackers, and with plenty of time and money to fund them professionals are often at the helm of these attacks. With these four motives in mind, the way in which hackers carry out an attack on Education networks can further help us understand how to protect them.
JISC’s 2018 Cybersecurity Posture Survey questioned IT professionals within further and higher education. They were asked to name the top cyber threats facing their institutions, and the top three answers give us insight into the most common ways Education networks are breached.
Phishing – Phishing scams often take the form of an email or instant message and are designed to trick the user into trusting the source in a fraudulent attempt to access their credentials – whether that’s sensitive student data or confidential research. This type of attack is highlighted as the top threat facing higher education venues, suggesting hackers regularly target the sector using the method. Ransomware/Malware – Also in the top three cyber threats highlighted by the report, ransomware and malware attacks prevent users from accessing the network or files and cause disruption. More advanced forms of this threat can see attackers hold files to ransom.
Ransomware or malware typically infects devices using a trojan, a file or attachment disguised to look legitimate. However, some ransomware (like the WannaCry attack) have been shown to travel between devices without user interaction. Lack of awareness – The third threat listed by professionals in both further and higher education is a lack of awareness or accidents. This could be on the part of staff or students who aren’t sufficiently trained to practice good cyber hygiene or accidentally compromise the network.
Despite taking on different appearances, human error plays a key part in each of these three Education sector cybersecurity threats. However, with better overall cybersecurity training, and awareness on the motives and method of attackers, education venues could better protect themselves against cyberattacks. However, the sector is also facing challenges which hinder progress.
The JISC report also investigated the challenges facing IT professionals when it comes to protecting Education networks. When asked to rate how well their institution is protected on a scale from 1 (not at all) to 10 (very well), further education scored lower overall than higher education. The mean score for further education institutions was 5.9, while higher education scored 7.1. The rationale behind lower scores included:
● A lack of resources and budget – potentially pointing to the lack of finances to invest in cybersecurity, be it software or staff.
● Cultural issues – a ‘Bring Your Own Device’ culture is common in educational institutions and can present difficulties in securing the wider network, particularly with IT staff already facing stretched resources.
● An absence of policy – setting out policies for using the network and making sure they’re adhered to can be difficult in large institutions with a dynamic user population.
Despite these challenges, the education sector is still expected to secure their networks against unauthorised access and cyber threats. Especially when the repercussions can be as severe as the examples we discussed earlier. But there are some critical steps every institution should undertake to lay the foundations for a secure IT network.
With the challenges of poor funding and a lack of resources, the education sector should focus their efforts on minimising the risk of a cyberattack, rather than a reactive attitude after one has happened.
Providing basic training for all users of your network is one way to mitigate the effects of a lack of funding and resource. This can be something as simple as sharing a handbook with staff and students including information about what to look out for, and tips for practicing good cybersecurity hygiene. Giving people the necessary information to protect the network at all access points, could reduce the number of incidents caused by human error.
Another cost-effective way to protect the safety of your institution and its students is to implement a user-friendly multi-factor authentication (MFA) tool. Including that extra security step for users who are logging onto the network will help prevent unauthorised access. An easy-to-use platform should be high on your list of things to look for in an MFA provider.
If users can use a platform self-sufficiently, there’s less likely to be a need for administrative support, so education facilities can save on overheads without compromising network security. These are just some of the cost-effective ways to protect your school, university or college from any form of unauthorised access. With the increasing frequency and potential severity cyberattacks pose to the education sector, it’s crucial that IT professionals can work to find a solution to challenges like a lack of funding.