Features 14.05.2024

Lessons in Cybersecurity for the Education Sector

Education was the most attacked sector in the UK in the last six months

A lack of basic cybersecurity combined with a trove of valuable data makes education a prime target for attack. Kate O’Flaherty asks what can be done to protect the sector

Cyber attacks are heavily targeting the education sector. In February, Cambridge University was among UK institutions hit by a distributed denial of service (DDoS) attack, which prevented multiple schools from getting online.

Last year, the University of Michigan was the victim of a breach, with hackers seizing data belonging to students, donors, employees, and contractors. Also in 2023, a ransomware attack hit Stanford University, with adversaries threatening to leak a trove of sensitive data stolen from its public safety department.

Cyber attacks can be devastating to already cash-strapped educational institutions. Take, for example, Lincoln College in the US, which was forced to close permanently after it failed to recover from a fatal blow from Covid-19 and a ransomware attack.

According to recent research from Check Point, education was the most attacked sector in the UK in the last six months. So, why is the sector being increasingly targeted, and what can be done to protect it?

A lucrative target

A lack of basic cybersecurity measures combined with a treasure trove of valuable data makes education a prime target for attack. Part of the appeal is the sheer number of personal details available, says Deryck Mitchelson, field CISO at Check Point.

“In most companies, you tend only to have employees, whereas in academic institutions, there are administrators and lecturers, as well as students. With so many more people, this makes networks in the sector much bigger, more open and difficult to protect.”

The data held by the education sector tends to be valuable, such as student records, financial information and research data. At the same time, the sector suffers from a lack of cybersecurity awareness and often uses outdated IT infrastructure, says Jess Parnell, CISO at Centripetal. “Attackers know that schools and universities may be more vulnerable and less likely to have robust cybersecurity measures in place.”

The education sector has generally been slow to adopt basic measures such as multi-factor authentication (MFA), says Raluca Saceanu, CEO of Smarttech247. This leaves security gaps that can lead to adversaries exploiting a vulnerability before security staff even know an issue exists.

Vulnerabilities in internet-facing infrastructure are one of the biggest causes of compromise, says Bogdan Botezatu, director of threat research and reporting at Bitdefender. “Often, educational institutions run outdated, vulnerable software that can become a gateway into infrastructure,” he warns.

Insider threats are also common because students might bypass security to evade firewalls or gain illegal access to the grading systems or exam platforms, says Botezatu. Insecure network design, lack of access controls, and teachers’ limited IT security expertise add to the issue.

There’s no doubt that schools face resourcing issues and limited budgets for cybersecurity. This often leaves them exposed as low-hanging fruit for attackers, who exploit vulnerabilities and use social engineering techniques to trick students or staff into installing malware or divulging credentials, says Matt Aldridge, principal solutions officer, OpenText Cybersecurity. “This results in a serious ransomware problem in primary and secondary education settings.”

Microsoft and Google platforms are commonly used in school environments today. However, configuring cloud environments can be complex, and understanding this is a challenge for most schools, says Matt Lorenzen, principal consultant at Cyberis. “This can lead attackers to find common configuration issues, allowing them to access systems.”

Adding to this, the targeting of the education sector has worsened in recent years, says Parnell. “This is partly due to the increased digitisation of educational resources and the shift to online learning, which has expanded the surface for attack.”

Additionally, says Parnell, the pandemic forced many educational institutions to rapidly adopt remote learning technologies, often without adequate security measures. “This makes them even more attractive targets.”

Who attacks education?

It’s clear that adversaries are setting their sights on education for a reason, but who exactly targets the sector, and why? Education attracts a range of adversaries, including opportunistic cybercriminals and nation-state attackers, says Javvad Malik, lead security awareness advocate at KnowBe4. For example, nation-state adversaries may specifically target research data, he says.

Saceanu points out that ransomware groups such as BlackCat have been particularly active in education. The group has been linked to the 2023 attack on Munster Technological University, which cost approximately $3.5 million to recover from.

Phishing attacks are among the most common threats targeting the sector, followed by online impersonation, viruses, spyware or malware. “We’ve seen that increasingly, students are being targeted for their personal information to be used at a future time,” says Malik. “Once these students graduate and obtain high profile or high position jobs, their information becomes even more valuable.”

Danny Jenkins, ThreatLocker CEO, who used to be an ethical hacker, tells Assured Intelligence how he helped a school improve its cybersecurity. To test the security of the school’s systems, Jenkins created a new email address – Danny45678 – and asked all the teachers to send their passwords to it for an “urgent systems update”.

Needless to say, it didn’t go well – for the teachers at least. “Within an hour, half the teachers in the school had responded with their details,” he says. “It just goes to show how important it is to educate staff on cybersecurity.”

There’s no doubt cybersecurity awareness is important, but the industry needs an overall cultural shift that prioritises a “security-first mindset,” says Malik.

At the same time, it’s a good idea to concentrate on resilience and build an ability to recover from an attack, says Saceanu. “Regular security audits and penetration testing are crucial for identifying and patching vulnerabilities before they’re exploited.”

Meanwhile, Saceanu adds that incident response plans should be developed and regularly updated to ensure swift and effective responses to cyber threats. “Collaboration with relevant stakeholders allows the sector to share intelligence and best practices, helping institutions stay ahead of evolving threats.”

Limited budgets make security tough for the education sector, so it’s important to learn to do more with less. Policies, training, and basic security, such as MFA, will help protect institutions from increasingly sophisticated attacks.

Six top tips for education sector security

  1. Protect the human factor, says Botezatu. “Make endpoint security a requirement for every device that connects to the institution’s network and offer cybersecurity solutions as part of the onboarding package.”
  2. Utilise available resources. Report any suspicious emails to report@phishing.gov.uk, says Muhammad Yahya Patel, lead security engineer at Check Point Software. “Or if you think you have been a victim of cybercrime, report this to Action Fraud.”
  3. Protect the machines and infrastructure, says Botezatu: “Run security audits and keep inventories of hardware and services exposed to the internet. Make sure they are always patched and up to date regarding third-party software and operating systems.”
  4. Collaborate and share information. Work with cybersecurity experts and other educational institutions to share information about emerging threats and best practices for mitigation, says Parnell.
  5. Provide cybersecurity training: Parnell suggests educating staff and students about cybersecurity best practices and how to recognise and respond to threats.
  6. Establish robust incident response plans: Parnell suggests preparing for cyber incidents by developing and practicing response plans to minimise damage and downtime.
