In many ways, the cyber risks facing the education sector are no different to those facing any other sector. That said, limited budgets and resources can add further strain. Achi Lewis offers advice to schools and universities looking to batten down the cyber hatches.
While cybersecurity is a top concern for education institutions, many face resource limitations when it comes to constructing proper cyber defence strategies due to a lack of budget, staff, and technology.
Yet, with vast amounts of data stored by schools and universities, the sector is a major target for cyber criminals. In 2023 to date, 14 UK schools have been targeted by a ransomware attack in which student passports, headteacher pay, and staff contracts were leaked.
With the volume and sophistication of threats ever-increasing, universities and schools should evaluate their IT systems and cyber policies to create a resilient security posture capable of mitigating inbound threats, as well as effectively responding to them when they do occur.
Different sector, same threats
Many education institutions struggle to maintain visibility over their IT systems and endpoint devices, leaving them susceptible to cyber criminals breaching devices and applications and moving laterally across the network to spread the breach.
Threat types against the education sector do not differ significantly from those in other vertical industries, with the majority of cyber attacks taking the form of data harvesting through social engineering, phishing campaigns and malware attacks. Therefore, the security measures taken to defend against cyber threats should mirror those of other industries and focus on protecting the device, the network, and the data travelling in between.
The first step is to ensure that basic technology solutions are not only deployed but working as effectively as they should be. Universities and schools should ensure operating systems, software and firmware are patched as soon as manufacturer updates are released. Research shows that patching delays in the education sector are rife, with most patches taking 188 days. This makes the education sector the worst offender after the government.
Education facilities should also ensure that anti-virus and anti-malware systems remain up to date with the latest signatures and perform regular scans, and that application and remote access controls are in place so that systems execute only programs known and permitted by the established security policy.
Using out-of-date, ineffective security software is one of the most damaging ways an organisation can open its network to threat actors, leaving devices and data susceptible to malicious activity.
As easy as Zero, 1, 2, 3
Devices in the education sector are by nature spread out, and the pandemic catalysed an increase in remote learning and working, so maintaining visibility over the expanded attack surface is more important than ever.
Devices are logging on from a greater number of locations than before, according to research, increasing cyber risk for education institutions.
As a result, universities and schools should look to implement a resilient zero trust architecture that can provide centralised IT teams with the visibility they need to track devices and detect suspicious activity, such as devices logging in from an unfamiliar location or insecure networks. Add to this the capability to remotely freeze, or even shut off, compromised devices, and education providers can prevent a portion of inbound threats as well as limit the spread of breaches should they occur.
Best practice and best policies
Technology is a large piece of the puzzle but must also be supported with best practices and resilient cyber policies.
At a human level, education institutions must ensure staff and students are sufficiently trained to mitigate risk. Implementing cyber awareness training to recognise certain threat types, such as spear-phishing attacks, can immediately reduce the threat level the organisation faces. Equally, practices such as immediately reporting stolen devices can go a long way in preventing threats, giving IT teams the opportunity to remotely cut off the device from a network. Ensuring training takes place is one of the simplest ways to improve cyber posture.
Setting out clear cyber policies should form part of this training, as well as outlining regular security monitoring, testing and risk assessments to ensure system and human responses are working as they should be.
Adhering to cyber policies and setting a strong security culture can help the organisation follow best practices and mitigate risk, such as removing student data six years after a student has left the institution, following Jisc guidelines. (Jisc, formerly known as the Joint Information Systems Committee, is a UK-based organisation that provides digital solutions, advice, and guidance to the education and research sectors.)
An effective cyber strategy for the education sector revolves around a multi-pronged approach including technology, humans, and policies, all coming together to form a resilient cyber posture. This, frankly, applies to all sectors. Following the recent spate of high-profile attacks on the education sector, it is vital that organisations ensure they have these provisions in place for when the next attack occurs.
Achi Lewis is currently serving as area vice president (AVP) – EMEA for Absolute Software, and is a business and team builder and GTM expert.
Achi previously served as the regional director at MobileIron.